terrylinooo / shieldon
Web Application Firewall (WAF) for PHP.
Home Page: https://shieldon.io
License: MIT License
Is it possible to add support for Invision Power Board?
Hi, I installed it on an instance and I got the following error.
Both Windows and Linux show the same situation.
PHP 7.2 and PHP 7.3 have the following issue.
Following the required tutorial, the error is in Filters.php when installing with "composer install" and "composer update".
Please, I need help to solve this problem.
The units in the control panel for Session Limits say Minute... so is it 300 minutes or 300 seconds, like in the image? I changed onlineLimit to 2 and keepalive to 1 unit and it never shows the message when I test it.
I've opened it only by looking at mask_string(). There is IPv6 processing elsewhere.
No webpage was found for the web address:
I have been trying Shieldon in Laravel 10 and it shows "page can't be found". Kindly help me.
I'm using Laragon on localhost with pretty URLs enabled, so I can open https://shieldon.test/ with no errors.
But I can't open https://shieldon.test/firewall/panel/ because I receive a 404 Not Found error.
My code is:
<?php
require_once(__DIR__.'/vendor/autoload.php');
$shieldon = new \Shieldon\Firewall\Integration\Bootstrap();
$shieldon->run();
What am I doing wrong?
Can I use the code without any of the ways you describe in the readme?
Please consider using only LF line endings:
https://www.php-fig.org/psr/psr-2/#22-files
Git clients can be configured to store LF in the repo and check out CRLF in the work tree.
Class 'Shieldon\Firewall\Intergration\CodeIgniter4' not found
Please run phpstan analyse src/ -l 0
and raise the level one by one.
Powered by @phpstan
Hi,
I'm using Slim 3 with the PHP-DI container and Twig.
The problem I'm having is with the CSRF: $request->getAttribute is returning null.
In my routes I'm not returning or using $args, because I can return the actual attributes by name.
I managed to get it working by bypassing the CSRF; it's set up and I'm using it.
In Twig I'm also using CSRF, but adding:
public function fw101(Request $request, Response $response) {
    $firewall = new \Shieldon\Firewall\Firewall($request);
    $firewall->configure(__DIR__ . '/../cache/shieldon_firewall');
    $firewall->controlPanel('/firewall/panel/');
    $panel = new \Shieldon\Firewall\Panel();
    // $request->getAttribute is returning null
    // $csrfName = $request->getAttribute('csrf_name');
    // $csrfValue = $request->getAttribute('csrf_value');
    // Field names and token taken from the container's CSRF service instead.
    $nameKey = $this->csrf->key();
    $valueKey = $this->csrf->token();
    $csrfName = $this->csrf->key();
    $csrfValue = $this->csrf->token();
    // Each argument is one [field name => field value] pair for the hidden inputs.
    $panel->csrf(
        [$nameKey => $csrfName],
        [$valueKey => $csrfValue]
    );
    $panel->entry();
}
In \shieldon\templates\panel\setting\components.php
on line 42 you have an error:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" <?php echo checked('online_session_limit.enable', true); ?> />
It has to be:
<input type="checkbox" name="components__trusted_bot__enable" class="toggle-block" value="on" data-target="component-trustedbot-section" <?php echo checked('components.trusted_bot.enable', true); ?> />
to make the "trustedbot-section" switch work!
Hi, I'm trying to install it using composer and it doesn't seem to work, as there is a case error on line 147:
In RootPackageLoader.php line 147:
require.dirkgroenen/Pinterest-API-PHP is invalid, it should not contain uppercase characters. Please use dirkgroenen/pinterest-api-php instead.
I have a "pure PHP project" that I am trying to deploy/test this on and I can't seem to figure it out.
When I try to access /firewall/panel all I get is a blank page and no php/nginx errors.
The install guide says to have "pretty urls" enabled. What should I rewrite /firewall/panel to? /vendor/autoload.php ?
I tried to access the https://shieldon.io/ website by reloading the page many times.
Then it asked me to enter the captcha.
After that I tried reloading the page many times again.
It blocked my IP :).
Please help me.
demo/demo is invalid.
Please help me.
Unable to add products to the cart when using WooCommerce.
Can I use that for Laravel 11?
This seems like a really nice project, but unfortunately I'm not able to reach the website https://shieldon.io/. No matter what IP address I use (and I've tried at least 10 different IPs), I always get this message:
The IP address you are using has been blocked.
Could it be that the WAF has been configured a bit too strict?
I'd really like to give this project a try, but I need access to the website to be able to read the documentation.
Any help is appreciated.
The "How to Use Slim 4" link directs to the Slim 3 page. It should redirect to this page: https://github.com/terrylinooo/shieldon/wiki/Slim-4-Framework
Hi, I accidentally blocked out Google's bot crawler. How do I whitelist it? I tried to use Firewall > Components > Trusted Bots, but it is not enabled after saving. I found no instructions on how to manage this.
Please help ASAP.
When I visited https://shieldon.io/demo/report/operation/#context, I saw a stack trace. This leaks sensitive information about the web server such as:
This is helpful for attackers in exploiting bugs in the server.
DEBUG_MODE = OFF
Csrf class not found in middleware, Laravel 8. What is the namespace of the Csrf class?
Could you please provide a MySQL driver implementation example? As well as SQLite and Redis?
Thank you!
Argument 2 passed to Shieldon\Firewall\Integration\Laravel::handle() must be an instance of Shieldon\Firewall\Integration\Closure, instance of Closure given, called in /var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php on line 167
My route:
Route::get('/{any}', 'App\Http\Controllers\SpaController@index')->where('any', '.*')->middleware('firewall');
Hello @terrylinooo !
In the last 5 years I have been watching access logs and analyzing POST body dumps.
The result is 60+ rules.
They are implemented in only 2 PHP files, starting here:
https://github.com/szepeviktor/waf4wordpress/blob/master/http-analyzer/waf4wordpress-http-analyzer.php#L322
I hope you benefit from them!
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md
file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Initialized per instructions.
An uncaught Exception was encountered
Type: InvalidArgumentException
Message: Unsupported HTTP protocol version number. "1.0" provided.
Filename: /vendor/shieldon/psr-http/src/Psr7/Message.php
Line Number: 483
Using the PHP bootstrap with no framework.
I have XSS protection enabled for GET, POST, COOKIE at firewall/panel/security/xssProtection/.
The URL mysite.com/someurl/test=<script>alert(1)</script> is not blocked.
Am I doing something wrong?
Thanks!
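The report above concerns a payload placed in the URL path rather than in a query string. The following is an added illustration, not Shieldon's own code, of why a filter that inspects only the parsed $_GET / $_POST / $_COOKIE arrays never sees such a payload, and what an extra check over the raw request line would see. The helper names are hypothetical and the regex is a deliberately small stand-in for a real XSS signature set; the request URIs are constructed for the example.

```php
<?php
// Added example (not Shieldon's code). Hypothetical helpers; constructed input.
declare(strict_types=1);

/** Minimal script-tag detector shared by both checks (illustration only). */
function looksLikeScriptInjection(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool) preg_match('/<\s*script\b/i', $decoded);
}

/** What a "GET/POST/COOKIE" filter sees: only the parsed superglobal bags. */
function superglobalHit(array $get, array $post, array $cookie): bool
{
    foreach ([$get, $post, $cookie] as $bag) {
        foreach ($bag as $v) {
            if (is_string($v) && looksLikeScriptInjection($v)) {
                return true;
            }
        }
    }
    return false;
}

/** An additional check over the raw request line, which does include path segments. */
function requestUriHit(string $requestUri): bool
{
    return looksLikeScriptInjection($requestUri);
}

/** Build the $_GET array PHP would produce for a given request URI. */
function getBagFor(string $requestUri): array
{
    parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $get);
    return $get;
}

// Constructed request 1: payload in the path, no "?" anywhere, so $_GET is empty.
$pathOnly = '/someurl/test=%3Cscript%3Ealert(1)%3C/script%3E';
var_dump(superglobalHit(getBagFor($pathOnly), [], []));
var_dump(requestUriHit($pathOnly));

// Constructed request 2: same payload as a real query parameter, now present in $_GET.
$inQuery = '/someurl/?test=%3Cscript%3Ealert(1)%3C/script%3E';
var_dump(superglobalHit(getBagFor($inQuery), [], []));
var_dump(requestUriHit($inQuery));
```

For the first URI parse_url() finds no query component, so parse_str() yields an empty array and superglobalHit() has nothing to inspect; only requestUriHit() matches. For the second URI the parameter lands in the parsed bag and both checks match. A filter scoped to the superglobals is therefore a statement about where it looks, not about the whole request.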
Pagination doesn't have:
It appears as this to me:
Previous123Next
The "buttons" work correctly though, so it's a matter of appearance and formatting.
I'm not sure if this is just a Demo page issue, or an issue with Shieldon.
Dear Terry,
First of all, thank you for this awesome WAF!
I've found an issue with session processing when using https://github.com/php-pm/php-pm. Your code has direct access to the $_SESSION super-global variable, but projects based on php-pm fetch the session from every request (e.g. a PSR-7 message). Using $_SESSION in this case is useless because all requests will share the same session data. The best way to fix this is to extract session processing into a separate interface, create a default adapter for $_SESSION and [optional] adapters for each framework. This will allow developers to provide the correct session implementation and adapt their projects to php-pm, even without [optional] first-party framework-related adapters. The $_SESSION adapter may be used by default, so no BC break is expected.
AFAIK, using any super-globals like $_SERVER / $_GET / $_POST / $_COOKIE will break php-pm. So it seems that not only session processing needs to be rewritten but all super-global usages.
I would be happy to help you with this issue.
Regards,
Denis.
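The adapter split proposed in the post above, as an added example that is not Shieldon's code: a small session storage interface, a default adapter over $_SESSION for the classic one-process-per-request model, and a per-request adapter holding data the host framework extracted from the request (as a php-pm application would). The interface, class and key names are hypothetical, and the two requests at the bottom are constructed inline.

```php
<?php
// Added example (not Shieldon's code). All names are hypothetical.
declare(strict_types=1);

interface SessionStorageInterface
{
    public function get(string $key, mixed $default = null): mixed;
    public function set(string $key, mixed $value): void;
    public function has(string $key): bool;
    public function id(): string;
}

/** Default adapter: PHP-FPM style, one request per process, $_SESSION is safe to use. */
final class NativeSessionStorage implements SessionStorageInterface
{
    public function __construct()
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }
    public function get(string $key, mixed $default = null): mixed { return $_SESSION[$key] ?? $default; }
    public function set(string $key, mixed $value): void { $_SESSION[$key] = $value; }
    public function has(string $key): bool { return isset($_SESSION[$key]); }
    public function id(): string { return session_id(); }
}

/** Per-request adapter: state comes from the request (e.g. a PSR-7 attribute) and
 *  is handed back afterwards, so concurrent requests in one worker never share it. */
final class RequestSessionStorage implements SessionStorageInterface
{
    /** @param array<string,mixed> $data session data the framework extracted from this request */
    public function __construct(private array $data, private string $id) {}
    public function get(string $key, mixed $default = null): mixed { return $this->data[$key] ?? $default; }
    public function set(string $key, mixed $value): void { $this->data[$key] = $value; }
    public function has(string $key): bool { return array_key_exists($key, $this->data); }
    public function id(): string { return $this->id; }
    /** @return array<string,mixed> returned to the framework so it can persist the session */
    public function toArray(): array { return $this->data; }
}

/** Firewall-side logic depends only on the interface, never on a superglobal. */
final class SessionHitCounter
{
    public function __construct(private SessionStorageInterface $session) {}

    /** Increment and return this session's hit count. */
    public function touch(): int
    {
        $count = (int) $this->session->get('hits', 0) + 1;
        $this->session->set('hits', $count);
        return $count;
    }
}

// Two constructed requests handled by the same long-running worker, each with its own storage.
$requestA = new RequestSessionStorage(['hits' => 4], 'sess-a');
$requestB = new RequestSessionStorage([], 'sess-b');

$counterA = new SessionHitCounter($requestA);
$counterB = new SessionHitCounter($requestB);

var_dump($counterA->touch());          // A continues from its own stored count
var_dump($counterB->touch());          // B starts from nothing; A's count is not visible to it
var_dump($requestA->toArray(), $requestB->toArray());
```

Because SessionHitCounter only ever talks to the interface, swapping NativeSessionStorage in for a conventional deployment changes no firewall logic, which is the no-BC-break property the post asks for; under php-pm the framework constructs a RequestSessionStorage per request and persists toArray() afterwards.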
Hi, I am working with Yii2 in an application with many sub modules, like the yii2-advanced template.
So my question is: if I install this app, must it be installed in every sub module (in yii2-advanced there are 2 sub modules, frontend and backend), or just in one sub module to cover all sub modules?
I deployed Shieldon on all my sites on different servers, but all visitors come through a single proxy, and on the proxy I cache all pages. Sometimes an IP is banned by Shieldon, and when that IP tries to access other pages, all pages are banned; but the banned page is cached on the proxy too, so other visitors see the banned page as well. I want to exclude that page from proxy caching. What should I do? Which page do I need to add in the proxy configuration?
I've installed this on a Laravel app (v7) following your guide. The problem is that after I click "Test", for example for SlackWebhook, nothing seems to happen. It keeps loading. I figured there must be a problem, looked in the config and changed the "confirm_test" value to true, and I get the message: "Class 'Messenger\SlackWebhook' not found". Any idea?
I'm getting an error when I enter the iptables page; could you check it please?
Hi, I just installed your firewall and, despite using the settings from this link https://shieldon.io/en/guide/yii.html, the following errors are presented:
1 - Fatal error: Declaration of Shieldon\Driver\FileDriver::doInitialize($dbCheck = true): void must be compatible with Shieldon\Driver\AbstractDriver::doInitialize(bool $dbCheck = true): void in {mypath}\vendor\terrylinooo\shieldon\src\Shieldon\Driver\FileDriver.php on line 32
-- I'm using PHP 7.1.17, if it matters.
-- If I change it to FileDriver::doInitialize(bool $dbCheck = true), the following error occurs:
2 - Argument 1 passed to Shieldon\FirewallPanel::__construct() must be an instance of Shieldon\object, instance of Shieldon\Firewall given, called in {mypath}\controllers\FirewallPanelController.php on line 20
-- The controller code is exactly the same as presented in the guide.
3 - Another question would be about the documentation. https://shieldon.io/en/docs/configuration.html shows these snippets:
In https://shieldon.io/en/guide/yii.html
It is not clear where in Yii I should use the config code and how to relate the two objects.
I am using it for Laravel and forgot the password for the firewall panel. Please help.
I'll list some of the language problems in the demo control panel. There are more things that could be changed, but I don't know the context well enough to do so, so I'll just list the ones I'm sure of. I checked just the pages up to and including Firewall > Settings > Daemon.
I've never seen "circle" and "cycle" used like this; there should be other, more traditional words for this, but they escape me for now.
Table headers:
Enable
Session Limit
Action Logs
System Firewall
Deny Attempts
First of all, thank you for the library. I installed it in my Laravel application, and now I am looking to test it with flood requests. Is there any tool you recommend?
Hi,
I get a warning on the call to the private function operationTemplateVarsOfStatistics
when a $ruleInfo['reason']
is not predefined by getInfoDefault().
A simple patch is to add, before $counter[$reason]++;
(line 255):
$counter[$reason] = $counter[$reason] ?? 0;
Thank you for your work.
Hello, I installed Shieldon on Symfony 4.4 and I had this error:
Notice: Undefined variable: csrfValue
I replaced in the controller
$controlPanel->csrf('_token', $token);
with
$controlPanel->csrf('_token', $token->getValue());
No more big error, but now I just get the HTTP login form, always followed by this message: "Permission required."
How can I set this up in Laravel 8? I think I'm missing something. I have installed it in a Laravel 8 project and implemented the firewall on a global scope by adding the code in bootstrap/app.php as told in the documentation, and registered the routes as well. But when I try to access localhost/myproject/firewall/panel I'm getting a blank page. Shouldn't I run any migrations or anything? If so, how am I supposed to publish those?