Blocking from a hook is not stopping code execution

[estringana]

Description

Blocking a request from Appsec should stop customer code execution. However, when this blocking happens within a tracer hook, it does not stop executing customer code execution.

Reviewer checklist

• Test coverage seems ok.
• Appropriate labels assigned.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.72%. Comparing base (0c6532b) to head (1602d2c).

❗ There is a different number of reports uploaded between BASE (0c6532b) and HEAD (1602d2c). Click for more details.

HEAD has 7 uploads less than BASE

Flag	BASE (0c6532b)	HEAD (1602d2c)
tracer-php	11	4

Additional details and impacted files

@@              Coverage Diff              @@
##             master    #2836       +/-   ##
=============================================
- Coverage     74.82%   49.72%   -25.10%     
+ Complexity     2741     2736        -5     
=============================================
  Files           110      110               
  Lines         10863    10858        -5     
=============================================
- Hits           8128     5399     -2729     
- Misses         2735     5459     +2724     

Flag	Coverage Δ
tracer-php	49.72% <ø> (-25.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 50 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c6532b...1602d2c. Read the comment docs.

[bwoebi]

I see, the tracer sandboxing is sandboxing the bailout away :-)
I suppose some it would be ideal to signal the tracer "please bailout again after catching this" :-D

[pr-commenter]

Benchmarks [ tracer ]

Benchmark execution time: 2024-11-29 16:40:28

Comparing candidate commit 1602d2c in PR branch estringana/blocking-within-tracer-hook with baseline commit 0c6532b in branch master.

Found 0 performance improvements and 2 performance regressions! Performance is the same for 176 metrics, 0 unstable metrics.

scenario:HookBench/benchHookOverheadTraceMethod

• 🟥 execution_time [+5.734µs; +13.745µs] or [+2.726%; +6.534%]

scenario:PDOBench/benchPDOBaseline

• 🟥 execution_time [+14.839µs; +18.347µs] or [+8.382%; +10.363%]

[cataphract]

I think it's fine although it's a mystery to me why sandbox.{h,c} are written the way they are.

[cataphract]

I don't know why sandbox.h is written this way, with just C inline functions, but I guess that in the context of its strangeness it's fine.