-
Notifications
You must be signed in to change notification settings - Fork 41
Checklist For Safety
- size of
GET
request's header is smaller than8KB
, restricted by Swoole, big cookies will make cookies parsing fail.
-
header(), use Laravel API: $response->header -
setcookie(), use Laravel API: $response->cookie -
session_start()/session_create_id()... , so Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage is not allowed. use Laravel API. -
http_response_code(), use Laravel API like setStatusCode(404); or abort(404);
The best way to disable functions.
# php.ini
disable_functions="setcookie, session_start, session_create_id, http_response_code"
# header() is used by artisan serve
A simple way to find out related functions
disable_functions=header,setcookie,session_start,session_create_id,http_response_code
sudo php -d disable_functions="$disable_functions" vendor/scil/laravel-fly/bin/fly start
A simple bash script to check out related functions in a package
#!/usr/bin/env bash
package_dir=vendor/mcamara/laravel-localization/src
# find out: exit( die( header( setcookie( setrawcookie( session_start http_response_code
# but ignore: >header // e.g. $request->header('Accept-Language')
grep -H -n -r -E "\bexit\(|\bdie\(|[^>]header\(|\bsetcookie\(|\bsetrawcookie\(|\bsession_start\(|\bhttp_response_code\(" $package_dir
-
flush()/ob_flush()/ob_end_flush()/ob_implicit_flush()for Laravel response, please only use Laravel API -
include_once/require_oncewhen including php code files which are not about class/interface/trait/function. See [include_once/require_once](To include the files about class/interface/trait/function) -
readlinewhat readline returns
Use php directive to find out them.
disable_functions=flush,ob_flush,ob_end_flush,ob_implicit_flush,include_once,require_once,readline
sudo php -d disable_functions="$disable_functions" vendor/scil/laravel-fly/bin/fly start
A script.
#!/usr/bin/env bash
# simple bash script to check out related functions
grep -H -n -r -E "\bflush\(|\bob_flush\(" $package_dir
grep -H -n -r -E "\binclude_once\(|\brequire_once\(" $package_dir
grep -H -n -r -E "\breadline\(" $package_dir
- constants should keep same in all requests.
Static props should keep consistent.
-
If coroutine used, they must keep same; if coroutine not used, the changes in a request should not harm the next request.
-
Refactor not made for following static props of laravel offical services, so pay some attension to them (If you really need refactor, use
use StaticDict
):- Illuminate\Pagination\Paginator::currentPathResolver, currentPageResolver, viewFactoryResolver, defaultView, defaultSimpleView
- Illuminate\Database\Eloquent\Model::globalScopes ( Global Scopes ) is an associated array, its values on the same key should always be same.
- If you use Laravel Macros, an object's Macros with same name should always be same if the object is made on worker, like
addGlobalScope
above.
- decide whether to use coroutine. If you'd like coroutine http client, coroutine db, connections pool, select A.
-
const LARAVELFLY_COROUTINE = true;
in fly.conf.php -
do not use $_GET or $_POST. Working with coroutines, cpu would jump from one request to another, $_GET is useless and harmful. So are $_POST, $_FILES, $_COOKIE, $_REQUEST, $_SESSION.
-
$_SERVER can only be used to fetch server info, not client info
-
ini_set()
,setlocale()
,set_include_path()
,set_exception_handler()
andset_error_handler()
may be very dangerous if they are used in a request. Take care, avoid crash.
Woud you like to usesetlocle()
in requests for users from different region? I think you'd better provide this snack on front end, using javascript, like JsWorld Moment.js. If you really want to use it, make sure there is no coroutine jump with it and its usage likeCarbon::now()->formatLocalized('%A %d %B %Y');
(By the way, feel free to useapp()->setLocale
,app('translator')->setLocale
) -
- Coroutine does not coexist with route definition in route files
- Coroutine can not be used before requests. That is, coroutine can not used in a service if it booted on WorkerStart.
Use php directive to find out them.
disable_functions=set_include_path,set_exception_handler,set_error_handler
sudo php -d disable_functions="$disable_functions" vendor/scil/laravel-fly/bin/fly start
A bash script
grep -H -n -r -E "\bini_set\(|\bsetlocale\(|\bset_include_path\(|\bset_exception_handler\(|\bset_error_handler\(" $package_dir
-
const LARAVELFLY_COROUTINE = false;
in fly.conf.php -
Restore maybe needed if
ini_set()
,setlocale()
,set_include_path()
,set_exception_handler()
orset_error_handler()
is used in a request.
Restore is not always necessary, for example mcamara/laravel-localization runsetlocale(LC_TIME, $regional . $suffix);
in each request, so restore not necessary.
grep -H -n -r -E "\bini_set\(|\bsetlocale\(|\bset_include_path\(|\bset_exception_handler\(|\bset_error_handler\(" $package_dir
[ ] decide when it's registered and booted. By default, a third-party service provider would be treated as an across service provider, registered on worker and booted in each request.
-
Ensure
App\Providers\RouteServiceProvider::class => 'across',
in 'providers_on_worker' in config/laravelfly.php if your routes defined in web.php or api.php use your new service. -
Ensure
App\Providers\EventServiceProvider::class => 'across',
if this event service provider uses your new service in methodboot()
. set 'request' instead of 'acrossif method
register()` uses new service. -
Same rules for other providers like
AuthServiceProvider
,AppServiceProvider
and so on.
Be registered and booted in each request.
- put your new service provider into
'providers_in_request'
Like a service provider to be registered and booted before any request? see checklist for speed
- Ref in controllers must be WORKER SERVICE. see controller and Stale Reference
- Start
- Coding Guideline
- Deploy and OS Configuration
- New API
- Design
- Dev about Mode Map
- Dev about Mode Backup