GHSA-qvgg-r6rq-vwfx: datadog/dd-trace Circumvents open_basedir INI directive
datadog/dd-trace versions 0.30.0 prior to 0.30.2 are affected by a security and stability issue outlined in PR #579. This pull request ensures that the ddtrace.request_init_hook remains bound by the open_basedir INI directive, effectively addressing potential vulnerabilities related to open_basedir restrictions. The update introduces a sandboxing mechanism to isolate the request init hook from errors or exceptions during execution, enhancing the library’s stability and preventing adverse impacts on the main script.
References
- github.com/DataDog/dd-trace-php
- github.com/DataDog/dd-trace-php/commit/87fc324eb63d533b35464f1dfca946795f2294fd
- github.com/DataDog/dd-trace-php/pull/579
- github.com/DataDog/dd-trace-php/releases/tag/0.30.0
- github.com/DataDog/dd-trace-php/releases/tag/0.30.2
- github.com/FriendsOfPHP/security-advisories/blob/master/datadog/dd-trace/2019-09-26-1.yaml
- github.com/advisories/GHSA-qvgg-r6rq-vwfx
Code Behaviors & Features
Detect and mitigate GHSA-qvgg-r6rq-vwfx with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →