Intrinsic Verification - Runtime Checks

[toderash]

This standalone application is intended to be used in running automated checks that monitor the functioning of an active wp-plugin or wp-theme to be performed when packages are submitted for federation on the FAIR network and with subsequent releases. Examples of prior art are shown here along with other resources, but are not intended as an exhaustive or approved list of libraries to be used. Other runtime environments may be suitable for certain checks, but all should assume unsafe code is being run and should consider blocking outbound http requests or mail sending of any kind.

As described in Runtime Checks:

• No unexpected filesystem modifications
• No unexpected outbound http requests
• Flag outbound http requests to CDNs, Google fonts, etc. if not already logged from static scan
• No console errors
• No PHP errors or warnings in log
• Flag deprecation notices
• Flag doing_it_wrong
• Slow db queries?
• Fuzz Testing:
  • GitHub - nikic/PHP-Fuzzer: Experimental fuzzer for PHP libraries
  • Phuzz Modular & Open-Source Coverage-Guided Web Application Fuzzer for PHP
  • WPGarlic: A proof-of-concept WordPress plugin fuzzer
• Performance checks; e.g., Code Profiler / Code Profiler
• Possible environment: Katakate/k7 self-hosted infra for lightweight VM sandboxes to safely execute untrusted code
• Append results to fair-forge-meta per spec

Resulting output to STDOUT is fine, can be piped where we need it later. Output format should be along these lines:

• fair-forge-meta spec
• package-meta

[namithj]

@toderash Can we split this one up into multiple tools, Doing it as a single tool will be a huge undertaking and difficult to maintain, may be have a whole runtime checks section

[toderash]

@namithj yes, absolutely - split up however makes sense, allowing to defer some of the bigger jobs as needed.