Skip to content

Fix SSRF bypass via curl callback EventCache corruption #378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
PopoviciMarian wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix SSRF bypass via curl callback EventCache corruption #378

PopoviciMarian wants to merge 3 commits into from

Conversation

@PopoviciMarian
Copy link
Contributor

@PopoviciMarian PopoviciMarian commented Jan 9, 2026
edited by aikido-pr-checks bot
Loading

The firewall used a global EventCache singleton that was reset at every hook entry. When curl callbacks (CURLOPT_WRITEFUNCTION, etc.) invoked hooked PHP functions like file_put_contents(), nested hooks corrupted the outer hook's context. The POST handler then read empty values and skipped SSRF validation entirely.

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 4 Resolved Issues: 0

⚡ Enhancements

  • Added ScopedEventContext RAII and pushed contexts in handlers automatically.

🐛 Bugfixes

  • Fixed SSRF bypass caused by curl callback corrupting EventCache context.

🔧 Refactors

  • Replaced global EventCache with EventCacheStack and stack-based contexts.
  • Replaced direct eventCache field accesses with eventCacheStack.Top() calls.

More info

@PopoviciMarian PopoviciMarian marked this pull request as ready for review January 19, 2026 14:41
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Jan 19, 2026
View reviewed changes
lib/php-extension/GoWrappers.cpp Outdated
case FUNCTION_NAME:
ctx = "FUNCTION_NAME";
ret = eventCache.functionName;
ret = eventCacheStack.Empty() ? "" : eventCacheStack.Current().functionName;
Copy link
Contributor

@aikido-pr-checks aikido-pr-checks bot Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Repeated conditional access pattern 'eventCacheStack.Empty() ? "" : eventCacheStack.Current().' appears across many case branches; centralize into a helper (e.g., GetCurrentEventField(name)) to remove duplication.

Details

✨ AI Reasoning
​Multiple case branches now repeat the exact conditional expression eventCacheStack.Empty() ? "" : eventCacheStack.Current(). to read different EventCache fields. This yields many near-identical lines that perform the same logical operation (get current event field, or empty string if stack empty). Consolidating that access into a small helper would reduce repetition and risk of inconsistent edits across branches.

🔧 How do I fix it?
Delete extra code. Extract repeated code sequences into reusable functions or methods. Use loops or data structures to eliminate repetitive patterns.

Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

@PopoviciMarian
Replace 'Current()' with 'Top()' for consistency across the codebase …
1fcff67 
…+ Introduce a helper function to safely access EventCache field
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@aikido-pr-checks aikido-pr-checks[bot] aikido-pr-checks[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PopoviciMarian