Pledge Symfony Routing Laravel Package
ctors/pledge-symfony-routing
Getting Started
Minimal Setup
-
Install the Package
composer require ctors/pledge-symfony-routingEnsure
ext/pledgeis installed on OpenBSD (see pecl-pledge). -
Enable the Bundle Add to
config/bundles.php:return [ // ... ctors\PledgeSymfonyRoutingBundle\PledgeSymfonyRoutingBundle::class => ['all' => true], ]; -
First Use Case Apply
#[Pledge]and#[Unveil]to a controller method:use ctors\PledgeSymfonyRoutingBundle\Attribute\Pledge; use ctors\PledgeSymfonyRoutingBundle\Attribute\Unveil; class SecureController extends AbstractController { #[Route('/secure', name: 'secure')] #[Pledge('stdio rpath')] #[Unveil('/var/log', 'rw')] public function secureEndpoint(): Response { return new Response('Secure!'); } }
Implementation Patterns
Workflows
-
Granular Route Security Apply
#[Pledge]/#[Unveil]per route or controller:// Controller-level (applies to all routes) #[Pledge('stdio rpath')] class SecureController extends AbstractController { ... } // Method-level (overrides controller-level) #[Pledge('stdio rpath inet')] public function dbEndpoint(): Response { ... } -
Dynamic Unveil Paths Use
__DIR__for relative paths:#[Unveil(__DIR__.'/../storage', 'rwc')] -
Fallback Pledges Define default pledges in
config/packages/pledge_symfony_routing.yaml:pledge_symfony_routing: default_pledge: 'stdio rpath'
Integration Tips
- PHP-FPM Configuration
Set
pm.max_requests = 1inwww/conf.php-fpm.confto avoid process reuse. - Dependency Injection
Inject services with restricted pledges (e.g., database clients):
#[Pledge('inet')] public function __construct(private EntityManager $em) { ... } - Testing
Mock
pledge()/unveil()calls in unit tests usingPHPUnitextensions.
Gotchas and Tips
Pitfalls
-
Overly Restrictive Pledges
#[Pledge('stdio')]blocks all file operations. Userpath/wpathfor filesystem access.- Fix: Test with
pledge('stdio rpath', ...)in development.
-
Unveil Order Matters
- Paths must be unveiled before being accessed. Unveiling
/last is common:
#[Unveil('/htdocs/storage', 'rwc')] #[Unveil('/', 'r')] // Allow reading other files - Paths must be unveiled before being accessed. Unveiling
-
FPM Pool Isolation
- Reusing processes with different pledges breaks security. Always set
pm.max_requests = 1.
- Reusing processes with different pledges breaks security. Always set
-
Missing
ext/pledge- Symptom:
Class 'ctors\PledgeSymfonyRoutingBundle\Attribute\Pledge' not found. - Fix: Install
pecl-pledgeand restart PHP-FPM.
- Symptom:
Debugging
- Check Pledge Failures
OpenBSD logs pledge violations to
/var/log/system.log. Use:tail -f /var/log/system.log | grep pledge - Temporary Disable Pledges
For debugging, use:
#[Pledge('')] // Disables all pledges (dev-only!)
Extension Points
-
Custom Attributes Extend the bundle by creating your own attributes (e.g.,
#[DbPledge]):#[Attribute] class DbPledge implements PledgeInterface { public function getPledge(): string { return 'inet'; } } -
Event Listeners Listen to
kernel.controllerto dynamically adjust pledges:$event->getController()->addAttribute(new Pledge('stdio rpath')); -
Global Configuration Override defaults in
config/packages/pledge_symfony_routing.yaml:pledge_symfony_routing: default_unveils: - { path: '/var/log', mode: 'rw' }
How can I help you explore Laravel packages today?