fix: prevent null byte truncation bypass in SQL injection detection #410
PopoviciMarian wants to merge 5 commits into
| return ""; | ||
| } | ||
| return Z_STRVAL_P(data); | ||
| return std::string(Z_STRVAL_P(data), Z_STRLEN_P(data)); |
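Review bot: the change to return std::string(Z_STRVAL_P(data), Z_STRLEN_P(data)) only preserves embedded NULs if every consumer of GetVar reads the result through its length (size()/data()) rather than through c_str() with C string functions, which would truncate at the same NUL again; please confirm the call sites, since the early return ""; path and the by-value copy are otherwise fine.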
GetVar now constructs and returns a std::string copy for each call, causing a heap allocation and memory copy per call; consider returning a non-owning view or deferring copies to callers.
✨ AI Reasoning
GetVar was modified to allocate and copy the PHP string into a std::string on every call. The function is used by many higher-level methods (method, URL, headers, etc.), so each call now incurs heap allocation and memory copy. This increases work proportional to the data size per call and multiplies across callers, turning many cheap O(1) pointer accesses into O(n) allocations and copies. Avoidable repeated allocations are an obvious performance regression.
🔧 How do I fix it?
Move constant work outside loops. Use StringBuilder instead of string concatenation in loops. Cache compiled regex patterns. Use hash-based lookups instead of nested loops. Batch database operations instead of N+1 queries.
…vent potential crashes on malloc failure
Changes:
- ContextCallback return type (char*) replaced with CallbackResult struct carrying both data pointer and explicit length
- malloc + memcpy instead of strdup in GoContextCallback
- C.GoStringN instead of C.GoString on the Go side
- std::string(ptr, len) constructors in all SQL query capture handlers (PDO, PDOStatement, mysqli), ArrayToJson, GetVar, GetBody, and GetHeaders to preserve null bytes in user input data
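Added example (not the project's code) illustrating the change list above: a strdup-style copy drops everything after an embedded NUL, so a length-aware detector never sees the tail, while a malloc + memcpy copy carrying an explicit length, with a NULL check on allocation failure, keeps the whole buffer. The CallbackResult field names, the detector and the sample input are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Length-carrying result, modelled on the CallbackResult struct the PR
 * describes; field names are assumptions, not the project's own code. */
typedef struct { char *data; size_t len; } CallbackResult;

/* Before: strdup() stops at the first NUL, so anything after it is lost. */
static CallbackResult copy_with_strdup(const char *src, size_t len) {
    CallbackResult r = { NULL, 0 };
    (void)len;                    /* explicit length ignored: that is the bug */
    r.data = strdup(src);
    if (r.data != NULL) r.len = strlen(r.data);
    return r;
}

/* After: malloc() + memcpy() with an explicit length keeps embedded NULs;
 * the NULL check avoids a crash when allocation fails. */
static CallbackResult copy_with_len(const char *src, size_t len) {
    CallbackResult r = { NULL, 0 };
    r.data = malloc(len ? len : 1);
    if (r.data == NULL) return r; /* data == NULL signals failure to the caller */
    memcpy(r.data, src, len);
    r.len = len;
    return r;
}

/* Length-aware search over the whole buffer, not just up to the first NUL. */
static int contains_token(const CallbackResult *r, const char *token) {
    size_t tlen = strlen(token);
    if (r->data == NULL || r->len < tlen) return 0;
    for (size_t i = 0; i + tlen <= r->len; i++)
        if (memcmp(r->data + i, token, tlen) == 0) return 1;
    return 0;
}

/* Constructed sample: harmless prefix, embedded NUL, then a tail the
 * detector must still see. sizeof - 1 drops only the terminating NUL. */
static const char SAMPLE[] = "id=1\0' OR 1=1 --";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)
/* Returns 1 if the detector saw the tail, 0 if truncation hid it. */
int detect(CallbackResult (*copy)(const char *, size_t)) {
    CallbackResult r = copy(SAMPLE, SAMPLE_LEN);
    int hit = contains_token(&r, "OR 1=1");
    free(r.data);
    return hit;
}
int detect_with_strdup(void) { return detect(copy_with_strdup); } /* 0 */
int detect_with_len(void)    { return detect(copy_with_len); }    /* 1 */
```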