{"id":15024949,"url":"https://github.com/jvoisin/snuffleupagus","last_synced_at":"2026-01-07T13:06:15.786Z","repository":{"id":40262369,"uuid":"104185516","full_name":"jvoisin/snuffleupagus","owner":"jvoisin","description":"Security module for php7 and php8 - Killing bugclasses and virtual-patching the rest!","archived":false,"fork":false,"pushed_at":"2025-04-11T20:09:25.000Z","size":13610,"stargazers_count":798,"open_issues_count":23,"forks_count":92,"subscribers_count":36,"default_branch":"master","last_synced_at":"2025-04-13T20:44:17.792Z","etag":null,"topics":["c","elephant","hardening","php","php-module","php7","security","security-hardening"],"latest_commit_sha":null,"homepage":"https://snuffleupagus.readthedocs.io","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jvoisin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-20T08:06:45.000Z","updated_at":"2025-04-13T16:24:09.000Z","dependencies_parsed_at":"2023-02-02T19:47:17.497Z","dependency_job_id":"dc497c67-5d0f-456e-9177-a39c31f6649e","html_url":"https://github.com/jvoisin/snuffleupagus","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fsnuffleupagus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fsnuffleupagus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fsnuffleupagus/releases","manifests_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/jvoisin%2Fsnuffleupagus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jvoisin","download_url":"https://codeload.github.com/jvoisin/snuffleupagus/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248782280,"owners_count":21160716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","elephant","hardening","php","php-module","php7","security","security-hardening"],"created_at":"2024-09-24T20:01:15.828Z","updated_at":"2026-01-07T13:06:15.710Z","avatar_url":"https://github.com/jvoisin.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://snuffleupagus.readthedocs.io/\"\u003e\n    \u003cimg src=\"https://github.com/jvoisin/snuffleupagus/raw/master/doc/source/_static/sp.png\" alt=\"Snuffleupagus' logo\" width=\"200\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  Snuffleupagus\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eSecurity module for php7 and php8 - Killing bugclasses and virtual-patching the rest!\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/jvoisin/snuffleupagus/actions/workflows/distributions_php7.yml\"\u003e\n    \u003cimg src=\"https://github.com/jvoisin/snuffleupagus/actions/workflows/distributions_php7.yml/badge.svg\"\n         alt=\"Testing PHP7 on various Linux distributions\" /\u003e\n  \u003c/a\u003e\n  \u003ca 
href=\"https://github.com/jvoisin/snuffleupagus/actions/workflows/distributions_php8.yml\"\u003e\n    \u003cimg src=\"https://github.com/jvoisin/snuffleupagus/actions/workflows/distributions_php8.yml/badge.svg\"\n         alt=\"Testing PHP8 on various Linux distributions\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://scan.coverity.com/projects/jvoisin-snuffleupagus\"\u003e\n    \u003cimg src=\"https://scan.coverity.com/projects/13821/badge.svg?flat=1\"\n         alt=\"Coverity\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://bestpractices.coreinfrastructure.org/projects/1267\"\u003e\n      \u003cimg src=\"https://bestpractices.coreinfrastructure.org/projects/1267/badge\"\n           alt=\"CII Best Practises\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"http://snuffleupagus.readthedocs.io/?badge=latest\"\u003e\n    \u003cimg src=\"https://readthedocs.org/projects/snuffleupagus/badge/?version=latest\"\n         alt=\"readthedocs.org\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://coveralls.io/github/jvoisin/snuffleupagus?branch=master\"\u003e\n    \u003cimg src=\"https://coveralls.io/repos/github/jvoisin/snuffleupagus/badge.svg?branch=master\"\n         alt=\"coveralls\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://twitter.com/dustriorg\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/twitter-follow-blue.svg\"\n         alt=\"twitter\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://repology.org/project/php:snuffleupagus/versions\"\u003e\n    \u003cimg src=\"https://repology.org/badge/tiny-repos/php:snuffleupagus.svg\"\n         alt=\"Packaging status\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/jvoisin/snuffleupagus\"\u003e\n    \u003cimg src=\"https://github.com/jvoisin/snuffleupagus/actions/workflows/codeql-analysis.yml/badge.svg\"\n         alt=\"CodeQL\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#key-features\"\u003eKey Features\u003c/a\u003e •\n  \u003ca 
href=\"#download\"\u003eDownload\u003c/a\u003e •\n  \u003ca href=\"#examples\"\u003eExamples\u003c/a\u003e •\n  \u003ca href=\"https://snuffleupagus.readthedocs.io/\"\u003eDocumentation\u003c/a\u003e •\n  \u003ca href=\"https://github.com/jvoisin/snuffleupagus/blob/master/LICENSE\"\u003eLicense\u003c/a\u003e •\n  \u003ca href=\"#thanks\"\u003eThanks\u003c/a\u003e\n\u003c/p\u003e\n\nSnuffleupagus is a [PHP 7+ and 8+](https://secure.php.net/) module designed to\ndrastically raise the cost of attacks against websites, by killing entire bug\nclasses. It also provides a powerful virtual-patching system, allowing\nadministrators to fix specific vulnerabilities and audit suspicious behaviours\nwithout having to touch the PHP code.\n\n## Key Features\n\n* No [noticeable performance impact](https://dustri.org/b/snuffleupagus-030-dentalium-elephantinum.html)\n* Powerful yet simple to write virtual-patching rules\n* Killing several classes of vulnerabilities\n  * [Unserialize-based](https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf) code execution\n  * [`mail`-based]( https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ ) code execution\n  * Cookie-stealing [XSS]( https://en.wikipedia.org/wiki/Cross-site_scripting )\n  * File-upload-based code execution\n  * Weak PRNG\n  * [XXE]( https://en.wikipedia.org/wiki/XML_external_entity_attack )\n  * Filter-based remote code execution and assorted shenanigans\n* Several hardening features\n  * Automatic `secure` and `samesite` flag for cookies\n  * Bundled set of rules to detect post-compromise behaviours\n  * Global [strict mode]( https://secure.php.net/manual/en/migration70.new-features.php#migration70.new-features.scalar-type-declarations) and type-juggling prevention\n  * Whitelisting of [stream wrappers](https://secure.php.net/manual/en/intro.stream.php)\n  * Preventing execution of writeable files\n  * Whitelist/blacklist for `eval`\n  * Enforcing TLS certificate validation when using [curl](https://secure.php.net/manual/en/book.curl.php)\n  * Request dumping capability\n* A relatively sane code base:\n  * A [comprehensive](https://coveralls.io/github/jvoisin/snuffleupagus?branch=master) test suite close to 100% coverage\n  * Every commit is tested on [several distributions](https://gitlab.com/jvoisin/snuffleupagus/pipelines)\n  * A `clang-format`-enforced code style\n  * [Comprehensive documentation](https://snuffleupagus.rtfd.io)\n  * Usage of [coverity](https://scan.coverity.com/projects/jvoisin-snuffleupagus), codeql, [scan-build](https://clang-analyzer.llvm.org/scan-build.html), …\n\n## Download\n\nWe've got a [download\npage](https://snuffleupagus.readthedocs.io/download.html), where you can find\npackages for your distribution, but you can of course just `git clone` this\nrepo, or check the releases on [github](https://github.com/jvoisin/snuffleupagus/releases).\n\n## Examples\n\nWe're providing [various example rules](https://github.com/jvoisin/snuffleupagus/tree/master/config),\nwhich look like this:\n\n```python\n# Harden the `chmod` function\nsp.disable_function.function(\"chmod\").param(\"mode\").value_r(\"^[0-9]{2}[67]$\").drop();\n\n# Mitigate command injection in `system`\nsp.disable_function.function(\"system\").param(\"command\").value_r(\"[$|;\u0026`\\\\n]\").drop();\n```\n\nUpon violation of a rule, you should see lines like this in your logs:\n\n```python\n[snuffleupagus][0.0.0.0][disabled_function][drop] The execution has been aborted in /var/www/index.php:2, because the return value (0) of the function 'strpos' matched a rule.\n```\n\n## Documentation\n\nWe've got a [comprehensive website](https://snuffleupagus.readthedocs.io/) with\nall the documentation that you could possibly wish for. You can of course\n[build it yourself](https://github.com/jvoisin/snuffleupagus/tree/master/doc).\n\n## Thanks\n\nMany thanks to:\n\n- The [Suhosin project](https://suhosin.org) for being a __huge__ source of inspiration\n- [NBS System](https://www.nbs-system.com) for initially sponsoring the development\n- [Suhosin-ng](https://github.com/sektioneins/suhosin-ng) for their\n  [experiments](https://github.com/sektioneins/suhosin-ng/wiki/News)\n  and [contributions](https://github.com/jvoisin/snuffleupagus/commits?author=bef),\n  as well as [NLNet](https://nlnet.nl/project/Suhosin-NG/) for sponsoring it\n- All [our contributors](https://github.com/jvoisin/snuffleupagus/graphs/contributors)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjvoisin%2Fsnuffleupagus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjvoisin%2Fsnuffleupagus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjvoisin%2Fsnuffleupagus/lists"}