Skip to content

Latest commit

 

History

History
78 lines (60 loc) · 5.74 KB

mitigations.md

File metadata and controls

78 lines (60 loc) · 5.74 KB

Mitigation Strategies Analysis for filp/whoops

Mitigation Strategy: Disable whoops in Production (Conditional Initialization)

Description:

  1. Environment Detection: Utilize a reliable method to determine the application's current environment (e.g., APP_ENV environment variable, framework-specific configuration).

  2. Conditional Logic: Enclose the entire whoops initialization block within an if statement (or equivalent conditional construct). This condition should only evaluate to true when the environment is not production. Commonly, this means checking if APP_ENV is equal to 'development', 'staging', 'local', etc., but never 'production'.

  3. Code Example (Conceptual - Adapt to your framework):

    if (getenv('APP_ENV') !== 'production') { // Or your framework's equivalent
    $whoops = new \Whoops\Run;
    $whoops->pushHandler(new \Whoops\Handler\PrettyPageHandler);
    $whoops->register();
}

  4. Configuration File Separation (If Applicable): If your framework uses separate configuration files for different environments, ensure that the whoops initialization code is only present in the configuration files for non-production environments.

  5. Testing: After implementing, trigger errors in your production environment and verify that no whoops output is shown.

  • List of Threats Mitigated:

    • Information Disclosure (Critical Severity): Prevents the display of stack traces, request variables, environment variables, and server details in the production environment. This is the primary threat whoops poses.
    • Reconnaissance (High Severity): Eliminates the ability for attackers to gather detailed information about the application's internal workings from error pages.
    • Vulnerability Exploitation (High Severity): Makes it significantly harder for attackers to exploit vulnerabilities by removing the detailed error information that could guide them.

  • Impact:

    • Information Disclosure: Risk reduced to effectively zero, provided the conditional logic is correctly implemented and tested.
    • Reconnaissance: Risk significantly reduced; attackers cannot use whoops output for reconnaissance.
    • Vulnerability Exploitation: Risk significantly reduced; attackers lack the detailed error information to aid exploitation.

  • Currently Implemented: Partially. Conditional initialization is present in app/Exceptions/Handler.php, using the APP_ENV environment variable.

  • Missing Implementation: The implementation relies solely on the APP_ENV variable. A more robust approach might involve checking multiple indicators to confirm the environment.

Mitigation Strategy: Sanitize whoops Output (Highly Discouraged - Last Resort)

Description: This strategy is strongly discouraged due to its inherent complexity and high risk of failure. It should only be considered in extremely limited, controlled circumstances where whoops must be used (e.g., a tightly controlled internal debugging tool), and even then, with extreme caution.

  1. Custom Whoops\Handler: Create a custom handler class that extends one of whoops's built-in handlers (e.g., PrettyPageHandler).

  2. Override Methods: Override methods like handle() or those responsible for generating specific parts of the output (e.g., stack trace rendering, variable display).

  3. Filtering/Redaction: Within the overridden methods, implement logic to:

    • Filter: Remove specific variables or data entirely (e.g., remove all environment variables).
    • Redact: Replace sensitive information with placeholders (e.g., replace database passwords with *****).
    • Whitelist: Only display a pre-approved set of variables or data.

  4. Blacklisting (Less Reliable): Utilize whoops's built-in blacklist() method to attempt to prevent specific variables from being displayed. This is less reliable than custom handlers, as it's easy to miss sensitive variables. Example: $handler->blacklist('_ENV', 'DATABASE_PASSWORD');

  5. Example (Conceptual - Highly Discouraged):

    // Conceptual and NOT RECOMMENDED
class SanitizedWhoopsHandler extends \Whoops\Handler\PrettyPageHandler
{
    public function handle()
    {
        // Get the default output
        $output = parent::handle();

        // Attempt to remove sensitive information (VERY FRAGILE)
        $output = str_replace($_ENV['DATABASE_PASSWORD'], '********', $output);
        // ... other redaction attempts ...

        return $output;
    }
}

$whoops = new \Whoops\Run;
$whoops->pushHandler(new SanitizedWhoopsHandler);
$whoops->register();

  6. Extensive, Rigorous Testing: Thoroughly test every possible error scenario to ensure that sensitive information is never leaked. This is extremely difficult and time-consuming. Automated testing is essential, but manual verification is also crucial.

  • List of Threats Mitigated:

    • Information Disclosure (Critical Severity): Attempts to mitigate information disclosure, but with a very high probability of failure. It's extremely difficult to guarantee complete sanitization.

  • Impact:

    • Information Disclosure: Risk reduction is unreliable and likely incomplete. This is not a recommended approach for production or any environment with sensitive data.

  • Currently Implemented: Not implemented (and should not be in most cases).

  • Missing Implementation: Everything. This strategy is generally discouraged.