40 changes: 20 additions & 20 deletions support/ext/blackfire
@@ -1,7 +1,7 @@
#!/usr/bin/env bash

if [ -n "$DEBUG" ]; then
set -x
set -x
fi

# fail hard
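Review bot: `set -x` appears here as both the removed and the added line, so this hunk is whitespace only, but it is worth noting what xtrace does further down in the same script: with `DEBUG` set, every subsequent command is echoed to the build log, including the `echo -e "[blackfire]\nserver-id=...\nserver-token=..."` write to `agent.ini`, so the server token ends up in log output. Either bracket that write with `set +x` / `set -x`, or remove the literal credentials from the script so there is nothing sensitive to trace.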
@@ -11,44 +11,44 @@ set -eu

php_version=${1:=8.2}
php_series="$(echo $php_version | cut -d '.' -f1,2)"
# https://blackfire.io/docs/up-and-running/installation?action=install&mode=full&location=local&os=manual&language=php#install-the-php-probe
# https://docs.blackfire.io/up-and-running/installation?action=install&mode=full&location=local&os=manual&language=php&version=latest&#install-the-php-probe
#
# → Select "Linux Binary", 64 bits, the right PHP version and you'll see the last version of the probe
blackfire_probe_version=1.86.3
# https://blackfire.io/docs/up-and-running/installation?action=install&mode=full&location=local&os=manual&language=php#install-the-packages
# → Under "Install the PHP Probe", select "Linux Binary", 64 bits and your PHP version. Open the network inspector to identify the request triggered when you click on "Download". It contains the last version.
blackfire_probe_version=1.92.41
# https://docs.blackfire.io/up-and-running/installation?action=install&mode=full&location=local&os=manual&language=php&version=latest&#install-the-packages
#
# → Select "Linux Binary", 64 bits and you'll see the last version
blackfire_agent_version=2.13.2
blackfire_agent_version=2.29.0
bin_dir=${PREFIX}/bin

# Blackfire Probe
curl --location --output blackfire.so \
"https://packages.blackfire.io/binaries/blackfire-php/${blackfire_probe_version}/blackfire-php-linux_amd64-php-$(echo $php_series | tr -d '.').so"
"https://packages.blackfire.io/binaries/blackfire-php/${blackfire_probe_version}/blackfire-php-linux_amd64-php-$(echo "$php_series" | tr -d '.').so"

mkdir -p ${EXT_DIR}
mv blackfire.so ${EXT_DIR}/blackfire.so
mkdir -p "${EXT_DIR}"
mv blackfire.so "${EXT_DIR}/blackfire.so"

# AGENT
# Blackfire Agent
curl --user-agent "Scalingo" --output agent.tar.gz \
--dump-header - --location --silent \
https://blackfire.io/api/v1/releases/agent/linux/amd64
https://blackfire.io/api/v1/releases/cli/linux/amd64

echo "-----> Packaging bin/blackfire-agent ${blackfire_agent_version}..."

mkdir -p ${PREFIX}/var/blackfire/run
mkdir -p ${PREFIX}/etc/blackfire
echo -e "[blackfire]\nserver-id=f1abf3a8-3f85-4743-99b2-97f066c099b9\nserver-token=5ecbc6486e9db6b780a0c0a9ef1e244709e632996fe9105cb9075ab2826944d5" > ${PREFIX}/etc/blackfire/agent.ini
mkdir -p ${bin_dir}
mkdir -p "${PREFIX}/var/blackfire/run"
mkdir -p "${PREFIX}/etc/blackfire"
echo -e "[blackfire]\nserver-id=f1abf3a8-3f85-4743-99b2-97f066c099b9\nserver-token=5ecbc6486e9db6b780a0c0a9ef1e244709e632996fe9105cb9075ab2826944d5" > "${PREFIX}/etc/blackfire/agent.ini"


Semgrep identified an issue in your code:
A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). This rule can introduce a lot of false positives; it is not recommended to be used in PR comments.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
echo -e "[blackfire]\nserver-id=f1abf3a8-3f85-4743-99b2-97f066c099b9\nserver-token=5ecbc6486e9db6b780a0c0a9ef1e244709e632996fe9105cb9075ab2826944d5" > "${PREFIX}/etc/blackfire/agent.ini"
# Read Blackfire credentials from environment variables for secure configuration
server_id="${BLACKFIRE_SERVER_ID}"
server_token="${BLACKFIRE_SERVER_TOKEN}"
# Warn if variables are not set (optional but recommended for usability)
if [[ -z "$server_id" || -z "$server_token" ]]; then
echo "ERROR: BLACKFIRE_SERVER_ID and BLACKFIRE_SERVER_TOKEN environment variables must be set" >&2
exit 1
fi
echo -e "[blackfire]\nserver-id=${server_id}\nserver-token=${server_token}" > "${PREFIX}/etc/blackfire/agent.ini"
View step-by-step instructions
  1. Remove the hard-coded server-id and server-token from the script. Replace them with placeholders like {{BLACKFIRE_SERVER_ID}} and {{BLACKFIRE_SERVER_TOKEN}}.
  2. Modify the script to read these values from environment variables. You can do this by using shell parameter expansion: server-id=${BLACKFIRE_SERVER_ID} and server-token=${BLACKFIRE_SERVER_TOKEN}.
  3. Update the line that writes to agent.ini to use these variables:
    echo -e "[blackfire]\nserver-id=${server_id}\nserver-token=${server_token}" > "${PREFIX}/etc/blackfire/agent.ini"
  4. Ensure that the environment variables BLACKFIRE_SERVER_ID and BLACKFIRE_SERVER_TOKEN are set in the environment where this script runs. This can be done by exporting them in the shell or setting them in a configuration file that is sourced before running the script.

This approach ensures that sensitive information is not stored directly in the source code, reducing the risk of accidental exposure.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by generic-api-key.

You can view more details about this finding in the Semgrep AppSec Platform.

mkdir -p "${bin_dir}"

tar -zxf agent.tar.gz
chmod +x agent
cp agent ${bin_dir}/blackfire-agent
cp agent "${bin_dir}/blackfire-agent"
rm agent.tar.gz agent agent.sha1

# CLI
echo "-----> Packaging bin/blackfire ${blackfire_agent_version}..."
curl https://packages.blackfire.io/binaries/blackfire-agent/${blackfire_agent_version}/blackfire-cli-linux_amd64 > ${bin_dir}/blackfire
chmod +x ${bin_dir}/blackfire
curl https://packages.blackfire.io/binaries/blackfire-agent/${blackfire_agent_version}/blackfire-cli-linux_amd64 > "${bin_dir}/blackfire"
chmod +x "${bin_dir}/blackfire"

find ${PREFIX} -type f \( -executable -o -name '*.a' \) -exec sh -c "file -i '{}' | grep -Eq 'application/x-(archive|executable|sharedlib); charset=binary'" \; -print | xargs strip --strip-unneeded
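Review bot: `agent.sha1` is unpacked from the tarball and then deleted at `rm agent.tar.gz agent agent.sha1` without ever being compared against `agent`, and none of the three downloads pass `--fail` to curl, so an HTTP error body from `curl --location --output blackfire.so ...` or from `curl https://packages.blackfire.io/binaries/blackfire-agent/${blackfire_agent_version}/blackfire-cli-linux_amd64 > "${bin_dir}/blackfire"` would be installed as a binary and made executable while `set -e` stays silent. Suggest `curl --fail` on each download and checking `agent` against the shipped `agent.sha1` before `cp agent "${bin_dir}/blackfire-agent"`. Two smaller points in the same hunk: `php_version=${1:=8.2}` tries to assign to `$1`, which bash rejects when no argument is given, so the default never takes effect; `${1:-8.2}` is the intended form. And the download URL moves from `releases/agent/linux/amd64` to `releases/cli/linux/amd64` while the unchanged lines below still extract a file named `agent` and install it as `blackfire-agent`; please confirm the cli tarball has the same layout, otherwise `chmod +x agent` will fail under `set -e`. The hard-coded `server-id` / `server-token` in the `agent.ini` write is already flagged by the inline Semgrep comment above; the later `if [[ -n "$BLACKFIRE_SERVER_TOKEN" && -n "$BLACKFIRE_SERVER_ID" ]]` check suggests the runtime values come from the environment anyway, so the literal pair should not need to be in the repository.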

@@ -64,8 +64,8 @@ if [[ -n "$BLACKFIRE_SERVER_TOKEN" && -n "$BLACKFIRE_SERVER_ID" ]]; then
fi
EOF

mkdir -p ${PREFIX}/etc/php/conf.d
cat > ${PREFIX}/etc/conf.d/blackfire.ini <<'EOF'
mkdir -p "${PREFIX}/etc/php/conf.d"
cat > "${PREFIX}/etc/conf.d/blackfire.ini" <<'EOF'
extension = blackfire.so

blackfire.server_token = ${BLACKFIRE_SERVER_TOKEN}
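Review bot: the directory created and the file written do not match: `mkdir -p "${PREFIX}/etc/php/conf.d"` creates `etc/php/conf.d`, but the very next line writes to `"${PREFIX}/etc/conf.d/blackfire.ini"`, a directory this script never creates, so under `set -e` the `cat` redirection will abort the build unless something else has made `etc/conf.d` beforehand. Pick one path for both lines. Separately, because the heredoc is `<<'EOF'` (quoted), `blackfire.server_token = ${BLACKFIRE_SERVER_TOKEN}` is written literally into the ini file rather than expanded at build time; that relies on PHP's own `${ENV}` expansion when the ini is loaded and is presumably intended, but a one-line comment saying so would save the next reader from "fixing" it.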