terrylinooo / shieldon
Web Application Firewall (WAF) for PHP.
Home Page: https://shieldon.io
License: MIT License
Please consider using only LF line ends
https://www.php-fig.org/psr/psr-2/#22-files
git clients can be configured to store LF in the repo and checkout CRLF in the work tree
Hi, I have installed it on an instance and I got the following error.
Both Windows and Linux have the same situation.
PHP 7.2 and PHP 7.3 have the following issue.
Following the required tutorial in Filters.php, I installed it with "composer install" and "composer update".
Please, I need help to solve this problem.
I'm using Laragon on localhost with pretty URLs enabled, so I can open my https://shieldon.test/ with no errors.
But I can't open https://shieldon.test/firewall/panel/ because I receive a 404 error not found.
My code is:
<?php
require_once(__DIR__.'/vendor/autoload.php');
$shieldon = new \Shieldon\Firewall\Integration\Bootstrap();
$shieldon->run();
What am I doing wrong?
I am using for laravel and forgot password for firewall panel. Please help
Hi, I just installed your firewall and, despite using the settings from this link https://shieldon.io/en/guide/yii.html, the following errors are being presented:
1 - Fatal error: Declaration of Shieldon\Driver\FileDriver::doInitialize($dbCheck = true): void must be compatible with Shieldon\Driver\AbstractDriver::doInitialize(bool $dbCheck = true): void in {mypath}\vendor\terrylinooo\shieldon\src\Shieldon\Driver\FileDriver.php on line 32
-- I'm using PHP 7.1.17 if it matters
-- If I change to FileDriver::doInitialize(bool $dbCheck = true), the following error occurs:
2 - Argument 1 passed to Shieldon\FirewallPanel::__construct() must be an instance of Shieldon\object, instance of Shieldon\Firewall given, called in {mypath}\controllers\FirewallPanelController.php on line 20
-- The controller code is exactly the same presented in the guide
3 - Another question would be about the documentation. In https://shieldon.io/en/docs/configuration.html it shows these snippets:
In https://shieldon.io/en/guide/yii.html
It is not clear where in Yii I should use the config code and how to relate the two objects.
No webpage was found for the web address:
I have been trying Shieldon in Laravel 10 and it shows "page can't be found". Kindly help me.
I've installed this on a Laravel app (v7) following your guide. The problem is that after I click "Test", for example for SlackWebhook, nothing seems to happen. It keeps loading. I figured out there must be a problem, looked in the config and changed the "confirm_test" value to true, and I get the message: "Class 'Messenger\SlackWebhook' not found". Any idea?
Pagination doesn't have:
It appears as this to me:
Previous123Next
The "buttons" work correctly though, so it's a matter of appearance and formatting.
I'm not sure if this is just a Demo page issue, or an issue with Shieldon.
I have deployed Shieldon on all my sites on different servers, but all visitors come through a single proxy, and on the proxy I cache all pages. Sometimes an IP is banned by Shieldon; that IP then tries to access other pages and all pages are banned, but they are cached on the proxy too, so other visitors see the banned page as well. I want to exclude that page from proxy caching. What should I do? Which page do I need to add in the proxy configuration?
Csrf class not found in middleware, Laravel 8. What is the namespace of the Csrf class?
The unit in the control panel for Session limits says Minute, so is it 300 minutes or 300 seconds like in the image? I changed onlineLimit to 2 and keepalive to 1 unit, and it never shows the message when I test it.
This seems like a really nice project, but unfortunately I'm not able to reach the website https://shieldon.io/. No matter what IP address I use (and I've tried at least 10 different IPs), I always get this message:
The IP address you are using has been blocked.
Could it be that the WAF has been configured a bit too strict?
I'd really like to give this project a try, but I need access to the website to be able to read the documentation.
Any help is appreciated.
Hi, I accidentally blocked Google bot's crawler. How do I whitelist it? I tried to use Firewall > Components > Trusted Bots, but it is not enabled after saving. I find no instructions on how to manage this.
Please help ASAP.
First of all, thank you for the library. I installed it in my Laravel application, and now I am looking to test it with flood requests. Is there any tool which you recommend?
demo/demo is invalid
I've opened it only by looking at mask_string(). There is IPv6 processing elsewhere.
Can I use that for Laravel 11?
Hi, I am working with Yii2 with a many-sub-module application, like the yii2-advanced template.
So my question is: if I install this app, must it be installed in every sub module (in yii2-advanced there are 2 sub modules, frontend and backend), or is installing it in just one sub module enough to cover all sub modules?
Argument 2 passed to Shieldon\Firewall\Integration\Laravel::handle() must be an instance of Shieldon\Firewall\Integration\Closure, instance of Closure given, called in /var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php on line 167
My route
Route::get('/{any}', 'App\Http\Controllers\SpaController@index')->where('any', '.*')->middleware('firewall');
Please help me
Unable to add products to cart when using Woocommerce
How can I set this up in Laravel 8? I think I'm missing something. I have installed it in a Laravel 8 project and implemented the firewall on a global scope by adding the code in bootstrap/app.php as told in the documentation, and registered the routes as well. But when I try to access localhost/myproject/firewall/panel I'm getting a blank page. Shouldn't I run any migrations or anything? If so, how am I supposed to publish those?
Hello, I installed Shieldon on Symfony 4.4 and I had this error:
Notice: Undefined variable: csrfValue
I replaced in the controller
$controlPanel->csrf('_token', $token);
with
$controlPanel->csrf('_token', $token->getValue());
No more big error, but now I just have the HTTP login form always followed by this message: "Permission required."
The How to Use Slim 4 link directs to Slim 3 page. Should redirect to this page: https://github.com/terrylinooo/shieldon/wiki/Slim-4-Framework
Is it possible to add support for Invision Power Board?
Can I use the code without any of the ways you have described in the readme?
Hello @terrylinooo !
In the last 5 years I was watching access logs and analyzing POST body dumps.
The result is 60+ rules.
They are implemented in only 2 PHP files starting here
https://github.com/szepeviktor/waf4wordpress/blob/master/http-analyzer/waf4wordpress-http-analyzer.php#L322
I hope you benefit from them!
Using the PHP bootstrap with no framework.
I have XSS protection enabled for GET, POST, COOKIE at firewall/panel/security/xssProtection/
the url mysite.com/someurl/test=<script>alert(1)</script> is not blocked.
Am I doing something wrong?
thanks!
When I visited https://shieldon.io/demo/report/operation/#context, I saw a stack trace. This leaks sensitive information about the web server such as:
This is helpful for attackers in exploiting bugs in the server.
DEBUG_MODE = OFF
I'll list some of the language problems in the demo control panel. There's more things that could be changed, but I don't know the context well enough to do so, so I'll just list the ones that I'm sure of. I checked just the pages until, and including, Firewall > Settings > Daemon.
I've never seen "circle" and "cycle" used like this, there should be some other, more traditional words used for this, but they escape me for now.
Table headers:
Enable
Session Limit
Action Logs
System Firewall
Deny Attempts
Class 'Shieldon\Firewall\Intergration\CodeIgniter4' not found
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md
file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Could you please provide a MySQL driver implementation example? As well as SqLITE and Redis?
Thank you!
I tried to access the https://shieldon.io/ website by reloading the page many times.
Then it needed me to enter the captcha.
After that I tried reloading the page many times again.
It blocked my IP :).
Please Help me.
In \shieldon\templates\panel\setting\components.php
on line 42 you have an error:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" <?php checked('online_session_limit.enable', true); ?> />
It has to be:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" <?php checked('components.trusted_bot.enable', true); ?> />
to make the "trustedbot-section" switch work!
Dear Terry,
First of all, thank you for this awesome WAF!
I've found an issue with session processing in case of using https://github.com/php-pm/php-pm. Your code has direct access to the $_SESSION super-global variable, but projects based on php-pm are fetching the session from every request (e.g. PSR-7 message). Using $_SESSION in this case is useless because all requests will share the same session data. The best way to fix this is to extract session processing to a separate interface, create a default adapter for $_SESSION and [optional] adapters for each framework. This will allow developers to provide the correct session implementation and adapt their projects to php-pm, even without [optional] first-party framework-related adapters. The $_SESSION adapter may be used by default, so no BC break is expected.
AFAIK, using any super-globals like $_SERVER / $_GET / $_POST / $_COOKIE will break php-pm. So it seems that not only session processing needs to be rewritten but all super-global usages.
I would be happy to help you with this issue.
Regards,
Denis.
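As an added example (not Shieldon's code, and not something the issue author posted), this is one way the proposed abstraction could look: a session storage interface, a default adapter over $_SESSION that preserves current behaviour for classic PHP-FPM deployments, a per-request array adapter for long-running runtimes such as php-pm, and a firewall component that depends only on the interface. All class and key names (SessionStorageInterface, NativeSessionStorage, ArraySessionStorage, SessionLimitTracker, shieldon_page_views) are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical interface a firewall component would depend on instead of $_SESSION.
interface SessionStorageInterface
{
    public function get(string $key, $default = null);
    public function set(string $key, $value): void;
    public function has(string $key): bool;
}

// Default adapter backed by $_SESSION: keeps the behaviour of a classic
// PHP-FPM / Apache deployment, so using it by default is not a BC break.
final class NativeSessionStorage implements SessionStorageInterface
{
    public function __construct()
    {
        // Start the native session once; a php-pm app never constructs this adapter.
        if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_NONE) {
            session_start();
        }
        if (!isset($_SESSION)) {
            $_SESSION = [];
        }
    }

    public function get(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $default;
    }

    public function set(string $key, $value): void
    {
        $_SESSION[$key] = $value;
    }

    public function has(string $key): bool
    {
        return isset($_SESSION[$key]);
    }
}

// Per-request adapter for php-pm style runtimes: the framework extracts the
// session data from each PSR-7 request, hands it in here, and persists all()
// afterwards. No global is touched, so concurrent requests never share state.
final class ArraySessionStorage implements SessionStorageInterface
{
    /** @var array<string, mixed> */
    private $data;

    public function __construct(array $data = [])
    {
        $this->data = $data;
    }

    public function get(string $key, $default = null)
    {
        return array_key_exists($key, $this->data) ? $this->data[$key] : $default;
    }

    public function set(string $key, $value): void
    {
        $this->data[$key] = $value;
    }

    public function has(string $key): bool
    {
        return array_key_exists($key, $this->data);
    }

    // Data the framework writes back into its own session store.
    public function all(): array
    {
        return $this->data;
    }
}

// Hypothetical firewall component written against the interface: it keeps the
// per-session state an online-session limit needs, wherever the session lives.
final class SessionLimitTracker
{
    /** @var SessionStorageInterface */
    private $session;

    public function __construct(SessionStorageInterface $session)
    {
        $this->session = $session;
    }

    public function touch(int $now): int
    {
        $count = (int) $this->session->get('shieldon_page_views', 0) + 1;
        $this->session->set('shieldon_page_views', $count);
        $this->session->set('shieldon_last_seen', $now);
        return $count;
    }
}

// Constructed demo: two concurrent php-pm requests each carry their own session data.
$requestA = new ArraySessionStorage();
$requestB = new ArraySessionStorage(['shieldon_page_views' => 4]);
(new SessionLimitTracker($requestA))->touch(time());
(new SessionLimitTracker($requestB))->touch(time());
var_dump($requestA->all()['shieldon_page_views'] === 1);
var_dump($requestB->all()['shieldon_page_views'] === 5);
```

The same SessionLimitTracker works unchanged with NativeSessionStorage under PHP-FPM; only the adapter wired in by the integration layer differs, which is the point of the proposal.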
I have a "pure PHP project" that I am trying to deploy/test this on and I can't seem to figure it out.
When I try to access /firewall/panel all I get is a blank page and no php/nginx errors.
The install guide says to have "pretty urls" enabled. What should I rewrite /firewall/panel to? /vendor/autoload.php ?
Please run phpstan analyse src/ -l 0
and raise level one-by-one.
Powered by @phpstan
Initialized per instructions
An uncaught Exception was encountered
Type: InvalidArgumentException
Message: Unsupported HTTP protocol version number. "1.0" provided.
Filename: /vendor/shieldon/psr-http/src/Psr7/Message.php
Line Number: 483
Hi,
I'm using Slim3 with the PHP-DI container and Twig.
The problem I'm having is with the CSRF: $request->getAttribute is returning null.
In my routes I'm not returning or using $args, because I can return the actual attributes by name.
Managed to get it working by bypassing the CSRF; it's set up and I'm using it.
In Twig I'm also using CSRF, but adding:
public function fw101(Request $request, Response $response) {
    $firewall = new \Shieldon\Firewall\Firewall($request);
    $firewall->configure(__DIR__ . '/../cache/shieldon_firewall');
    $firewall->controlPanel('/firewall/panel/');
    $panel = new \Shieldon\Firewall\Panel();
    // $request->getAttribute() is returning null here
    // $csrfName  = $request->getAttribute('csrf_name');
    // $csrfValue = $request->getAttribute('csrf_value');
    $nameKey   = $this->csrf->key();
    $valueKey  = $this->csrf->token();
    $csrfName  = $this->csrf->key();
    $csrfValue = $this->csrf->token();
    // name key maps to the token name, value key to the token value
    $panel->csrf(
        [$nameKey => $csrfName],
        [$valueKey => $csrfValue]
    );
    $panel->entry();
}
I'm getting error when I enter the iptables page, may you check it please?
Hi, I'm trying to install it using Composer and it seems it doesn't work, as it has a case error on line 147:
In RootPackageLoader.php line 147:
require.dirkgroenen/Pinterest-API-PHP is invalid, it should not contain uppercase characters. Please use dirkgroenen/pinterest-api-php instead.
Hi,
I get a warning on the call to the private function operationTemplateVarsOfStatistics when a $ruleInfo['reason'] is not predefined by getInfoDefault().
A simple patch is to add, before $counter[$reason]++; (line 255):
$counter[$reason] = $counter[$reason] ?? 0;
Thank you for your work.