IDOR protection

[hansott]

Summary by Aikido

⚠️ Security Issues: 1	🔍 Quality Issues: 4	Resolved Issues: 0

🚀 New Features

• Added IDOR protection feature with PHP API and Go integration

⚡ Enhancements

• Captured and serialized SQL parameter values into JSON for queries
• Made IDOR violations immediately throw regardless of blocking mode
• Implemented lazy-loaded, request-scoped IDOR config parsing and validation

🔧 Refactors

• Added PHP compatibility typedef and adjusted zend_result/type handling

^{More info}

[aikido-pr-checks]

Function name 'CheckForIdorViolation' uses the 'Check' prefix which is ambiguous. Rename to a clearer verb that indicates its behavior or return type (e.g., 'DetectIdorViolation' or 'IsIdorViolation') to clarify intent.

Details

✨ AI Reasoning
​A new code path was added that calls a function whose name begins with 'Check' (CheckForIdorViolation). The rule discourages 'check' prefixes because they ambiguously suggest either a boolean predicate or side-effecting behavior. The change introduced this usage, so it is a new violation. The problematic symbol appears in the newly added logic that runs IDOR detection, specifically at the call site where the function is invoked. Renaming the function to a name that clearly indicates its behavior or return type would resolve the issue.

🔧 How do I fix it?
Replace 'check' with more descriptive verbs that indicate the function's action or purpose. Use 'validate' for validation, 'get' for retrieval, or 'is' for boolean checks. Ensure the name clearly communicates the function's intent and return type.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Function 'checkWhereFilters' starts with 'check', making its intent ambiguous (return vs side effects). Use a clearer verb that indicates behavior.

Details

✨ AI Reasoning
​A new function named 'checkWhereFilters' was added. Function names beginning with 'check' are ambiguous about return/value semantics versus side effects. This harms clarity when reading the code and when reasoning about whether the function mutates state or returns data.

🔧 How do I fix it?
Replace 'check' with more descriptive verbs that indicate the function's action or purpose. Use 'validate' for validation, 'get' for retrieval, or 'is' for boolean checks. Ensure the name clearly communicates the function's intent and return type.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Function 'checkInsert' starts with 'check', making its intent ambiguous (return vs side effects). Use a clearer verb that indicates behavior.

Details

✨ AI Reasoning
​A new function named 'checkInsert' was added. Function names beginning with 'check' are ambiguous about return/value semantics versus side effects. This harms clarity when reading the code and when reasoning about whether the function mutates state or returns data.

🔧 How do I fix it?
Replace 'check' with more descriptive verbs that indicate the function's action or purpose. Use 'validate' for validation, 'get' for retrieval, or 'is' for boolean checks. Ensure the name clearly communicates the function's intent and return type.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Calling zval_ptr_dtor(&retval) when 'retval' may still be ZVAL_UNDEF can cause a crash; ensure 'retval' is initialized or check Z_ISUNDEF(retval) before dtor.

Details

✨ AI Reasoning
​The wrapper prepares a local zval 'retval' and sets it to undefined. The callable is invoked; if invocation fails, code calls zval_ptr_dtor(&retval). If the function never populated 'retval' (it remains ZVAL_UNDEF), calling the destructor can operate on an invalid/undefined value, risking a segmentation fault. The check for definedness only occurs in the success branch, so the destructor call on failure is not guarded.

🔧 How do I fix it?
Add null checks before dereferencing pointers, validate array bounds before access, avoid using pointers after free/delete, don't write to string literals, and prefer smart pointers in modern C++.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Comment on ContextSetIdorConfig restates what the function does. Remove or replace with rationale (why lazy loading and callback are required) instead of repeating behavior.

Details

✨ AI Reasoning
​The added comment above ContextSetIdorConfig merely restates the function's behavior (lazy load of IDOR config from PHP/CONTEXT_IDOR_CONFIG). It does not explain why the lazy load is required, why the CONTEXT_IDOR_CONFIG callback exists, nor any constraints or design decisions. Such "what" comments increase maintenance burden without added value.

🔧 How do I fix it?
Write comments that explain the purpose, reasoning, or business logic behind the code using words like 'because', 'so that', or 'in order to'.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

Show Fix

Remediation - low confidence
This patch mitigates the mechanical comment issue by replacing the comment that restated the lazy loading mechanism with a comment that explains the rationale for on-demand initialization (avoiding cross-language overhead when IDOR protection is not needed).

Suggested change

	// ContextSetIdorConfig loads IDOR config lazily (on first GetIdorConfig() use)
	// from PHP via CONTEXT_IDOR_CONFIG callback.
	// ContextSetIdorConfig initializes IDOR config on-demand to avoid cross-language
	// overhead when IDOR protection is not used for the current request.