Update for MISP 2.5

NUKIB · Oct 7, 2024 · 3ba2108 · 3ba2108
1 parent 8d63020
commit 3ba2108
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 19 deletions.
diff --git a/Config/config.php b/Config/config.php
@@ -209,4 +209,3 @@
 $config['MISP']['sentry_environment'] = '{{ SENTRY_ENVIRONMENT }}';
 {% endif %}
 {% endif %}
-?>
diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@ RUN dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False gcc-
 FROM builder AS php-build
 COPY bin/misp_compile_php_extensions.sh bin/misp_enable_epel.sh /build/
 RUN --mount=type=tmpfs,target=/tmp \
-    dnf module enable -y php:7.4 && \
+    dnf module enable -y php:8.2 && \
     bash /build/misp_enable_epel.sh && \
     bash /build/misp_compile_php_extensions.sh
 
@@ -36,7 +36,7 @@ COPY bin/misp_enable_epel.sh bin/misp_enable_vector.sh /usr/local/bin/
 RUN --mount=type=tmpfs,target=/var/cache/dnf \
     bash /usr/local/bin/misp_enable_epel.sh && \
     bash /usr/local/bin/misp_enable_vector.sh && \
-    dnf module -y enable mod_auth_openidc php:7.4 && \
+    dnf module -y enable mod_auth_openidc php:8.2 && \
     dnf install --setopt=tsflags=nodocs --setopt=install_weak_deps=False -y $(grep -vE "^\s*#" /tmp/packages | tr "\n" " ") && \
     alternatives --set python3 /usr/bin/python3.11 && \
     alternatives --set python /usr/bin/python3.11 && \
@@ -59,7 +59,7 @@ COPY --chmod=644 supervisor.ini /etc/supervisord.d/misp.ini
 COPY --chmod=644 logrotate/* /etc/logrotate.d/
 
 ARG CACHEBUST=1
-ARG MISP_VERSION=2.4
+ARG MISP_VERSION=2.5
 ENV MISP_VERSION=$MISP_VERSION
 
 RUN ln -f -s /lib64/libz.so.1.3.1.zlib-ng /lib64/libz.so.1 && \

diff --git a/README.md b/README.md
@@ -167,7 +167,7 @@ For pulling events from another MISP or fetching feeds MISP requires access to I
 
 * `PHP_SESSIONS_IN_REDIS` (optional, boolean, default `true`) - when enabled, sessions are stored in Redis. That provides better performance and sessions survive container restart
 * `PHP_SESSIONS_COOKIE_SAMESITE` (optional, string, default `Lax`) - sets [session.cookie_samesite](https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite), can be `Strict` or `Lax`.
-* `PHP_SNUFFLEUPAGUS` (optional, boolean, default `true`) - enable PHP hardening by using [Snuffleupagus](https://snuffleupagus.readthedocs.io) PHP extension with [rules](snuffleupagus-misp.rules) tailored to MISP
+* `PHP_SNUFFLEUPAGUS` (optional, boolean, default `true`) - enable PHP hardening by using [Snuffleupagus](https://snuffleupagus.readthedocs.io) PHP extension with [rules](snuffleupagus-misp.rules) tailored to MISP (when enabled, PHP JIT will be disabled)
 * `PHP_TIMEZONE` (optional, string, default `UTC`) - sets [date.timezone](https://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone)
 * `PHP_MEMORY_LIMIT` (optional, string, default `2048M`) - sets [memory_limit](https://www.php.net/manual/en/ini.core.php#ini.memory-limit)
 * `PHP_MAX_EXECUTION_TIME` (optional, int, default `300`) - sets [max_execution_time](https://www.php.net/manual/en/info.configuration.php#ini.max-execution-time) (in seconds)

diff --git a/bin/misp_compile_php_extensions.sh b/bin/misp_compile_php_extensions.sh
@@ -43,7 +43,7 @@ mv modules/*.so /build/php-modules/
 # Compile igbinary
 mkdir /tmp/igbinary
 cd /tmp/igbinary
-download_and_check https://github.com/igbinary/igbinary/archive/refs/tags/3.2.14.tar.gz 3dd62637667bee9328b3861c7dddc754a08ba95775d7b57573eadc5e39f95ac6
+download_and_check https://github.com/igbinary/igbinary/archive/refs/tags/3.2.16.tar.gz 941f1cf2ccbecdc1c221dbfae9213439d334be5d490a2f3da2be31e8a00b0cdb
 phpize
 CFLAGS="$DEFAULT_FLAGS" ./configure --silent --enable-igbinary
 make -j$NPROC
@@ -65,7 +65,7 @@ mv modules/*.so /build/php-modules/
 # Compile redis
 mkdir /tmp/redis
 cd /tmp/redis
-download_and_check https://github.com/phpredis/phpredis/archive/refs/tags/6.0.2.tar.gz 786944f1c7818cc7fd4289a0d0a42ea630a07ebfa6dfa9f70ba17323799fc430
+download_and_check https://github.com/phpredis/phpredis/archive/refs/tags/6.1.0.tar.gz 57135db32a0ccb1659f56c75feb26c10ea94fb3d2471edd047d94a9800f959b0
 phpize
 CFLAGS="$DEFAULT_FLAGS" ./configure --silent --enable-redis-igbinary
 #./configure --silent --enable-redis-igbinary

diff --git a/bin/misp_create_configs.py b/bin/misp_create_configs.py
@@ -363,6 +363,17 @@ def generate_snuffleupagus_config(enabled: bool):
     write_file("/etc/php.d/40-snuffleupagus.ini", config)
 
 
+def generate_jit_config(enabled: bool):
+    if not enabled:
+        return
+
+    config = f"; Enable PHP JIT\n" \
+             f"opcache.jit=On\n" \
+             f"opcache.jit_buffer_size=256M\n"
+
+    write_file("/etc/php.d/10-opcache-jit.ini", config)
+
+
 def generate_sessions_in_redis_config(enabled: bool, redis_host: str, redis_use_tls: Optional[bool] = False, redis_password: Optional[str] = None):
     if not enabled:
         return
@@ -583,6 +594,7 @@ def create():
 
     generate_xdebug_config(variables["PHP_XDEBUG_ENABLED"], variables["PHP_XDEBUG_PROFILER_TRIGGER"])
     generate_snuffleupagus_config(variables['PHP_SNUFFLEUPAGUS'])
+    generate_jit_config(not variables['PHP_SNUFFLEUPAGUS']) # PHP JIT is not supported when snuffleupagus is enabled
     generate_sessions_in_redis_config(variables["PHP_SESSIONS_IN_REDIS"], variables["REDIS_HOST"], variables["REDIS_USE_TLS"], variables["REDIS_PASSWORD"])
     generate_apache_config(variables)
     generate_rsyslog_config(variables)

diff --git a/bin/misp_install.sh b/bin/misp_install.sh
@@ -30,6 +30,7 @@ sed -e 's/;assert.active = On/assert.active = Off/' -i ${PHP_INI}
 sed -e 's/expose_php = On/expose_php = Off/' -i ${PHP_INI}
 sed -e 's/session.sid_length = 26/session.sid_length = 32/' -i ${PHP_INI}
 sed -e 's/session.use_strict_mode = 0/session.use_strict_mode = 1/' -i ${PHP_INI}
+sed -e 's/pcre.jit=0/pcre.jit=1/' -i ${PHP_INI}
 sed -e 's/opcache.enable_cli=1/opcache.enable_cli=0/' -i /etc/php.d/10-opcache.ini
 # use igbinary serializer for apcu and sessions
 sed -e 's/session.serialize_handler = php/session.serialize_handler = igbinary/' -i ${PHP_INI}
@@ -55,22 +56,22 @@ git config --system http.sslVersion tlsv1.3 # Always use TLSv1.3 or better for g
 git config --system --add safe.directory '*' # Fix fatal error `detected dubious ownership` in new git
 su-exec apache git clone --branch "$MISP_VERSION" --depth 1 https://github.com/MISP/MISP.git /var/www/MISP
 
-cd /var/www/MISP
+cd /var/www/MISP/
 su-exec apache git config core.filemode false
 
-# Clone just submodules under app/files, we don't need the rest
-cd /var/www/MISP/app/files/
+# Clone just submodules under app, we don't need the rest
+cd /var/www/MISP/app/
 su-exec apache git submodule update --depth 1 --jobs 4 --init --recursive .
 
 # Install Python dependencies as system package
+cd /var/www/MISP/app/files/
 pip3 install scripts/mixbox scripts/misp-stix scripts/python-maec scripts/python-stix scripts/python-cybox
 
 # Install MISP composer dependencies
-cd /var/www/MISP/app
+cd /var/www/MISP/app/
 # Remove unused packages
-su-exec apache php composer.phar --no-cache remove --update-no-dev kamisama/cake-resque
-# require exact version of `symfony/polyfill-php80` to keep compatibility, because later version replaces Attribute class :/
-su-exec apache php composer.phar --no-cache require --update-no-dev symfony/polyfill-php80:v1.18.1 sentry/sdk jakub-onderka/openid-connect-php:1.1.0 cakephp/cakephp:2.10.24 supervisorphp/supervisor guzzlehttp/guzzle php-http/message php-http/message-factory aws/aws-sdk-php
+su-exec apache php composer.phar --no-cache remove --update-no-dev iglocska/cake-resque
+su-exec apache php composer.phar --no-cache require --update-no-dev sentry/sdk jakub-onderka/openid-connect-php:1.1.0 aws/aws-sdk-php
 
 # Create attachments folder and set correct owner
 mkdir /var/www/MISP/app/attachments

diff --git a/patches/cake.php b/patches/cake.php
@@ -9,9 +9,9 @@
 const CAKE_SHELL_DISPATCHER = 'Cake' . DS . 'Console' . DS . 'ShellDispatcher.php';
 
 $appDir = dirname(__DIR__);
-$composerInstall = $appDir . DS . 'Vendor' . DS . 'cakephp' . DS . 'cakephp' . DS . 'lib';
+$cakeLib = $appDir . DS . 'Lib' . DS . 'cakephp' . DS . 'lib';
 
-if (!include $composerInstall . DS . CAKE_SHELL_DISPATCHER) {
+if (!include $cakeLib . DS . CAKE_SHELL_DISPATCHER) {
     trigger_error('Could not locate CakePHP core files.', E_USER_ERROR);
 }
 unset($composerInstall);

diff --git a/snuffleupagus-misp.rules b/snuffleupagus-misp.rules
@@ -20,9 +20,9 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
 sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();
 
 # Prevent runtime modification of interesting things
-sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
-sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
-sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
+sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
 
 # File upload
 sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop();