feat: prevent php session files to be uploaded#4412
Merged
Conversation
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Contributor
|
📊 Quantitative test results for language: |
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request adds protection against PHP session file upload attacks to prevent PHP session deserialization vulnerabilities, specifically addressing CVE-2025-54236 (Magento Session Reaper).
Changes:
- Adds new rule 933220 at paranoia level 2 to detect and block uploads of files matching PHP session naming patterns (sess_<session_id>)
- Includes comprehensive test coverage with 17 test cases covering various attack vectors and legitimate filenames
- Creates regex assembly file with pattern documentation for the session file detection
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | Implements rule 933220 to detect PHP session file uploads via FILES, FILES_NAMES, and custom filename headers (X-Filename, X_Filename, X.Filename, X-File-Name) |
| regex-assembly/933220.ra | Defines the regex pattern assembly for detecting sess_ prefix followed by valid PHP session ID characters (20-256 chars) |
| tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933220.yaml | Provides comprehensive test coverage with 17 test cases including multipart uploads, various headers, path variations, and negative test cases |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Xhoenix
reviewed
Jan 19, 2026
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
fzipi
commented
Jan 19, 2026
Member
Author
|
@copilot open a new pull request to apply changes based on the comments in this thread |
Contributor
11 tasks
…4415) * Initial plan * Add test cases for comma and uppercase handling Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Xhoenix
reviewed
Jan 23, 2026
Member
|
Why PL2? Looks it can goes into PL1. |
Contributor
|
Thank you very much for this PR, Felipe. I agree with @azurit - this rule should be in PL1. |
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Member
Author
|
Moved to PL1! |
azurit
approved these changes
Jan 23, 2026
Member
|
@fzipi Thank you, great work! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
what
why
refs