010101 some rules, mostly around null bytes, might be useful depending on the operating system or software versions I guess, so this could still save the day. But I don't think any up-to-date versions of Apache or PHP would allow that in the first place (at least, I hope 😬). If it was the case, there would be a CVE, a logo and a website assigned to it and the whole web would be in panic.
Or if you're running outdated software... Well you shouldn't and Flarum would likely not run on it anyway 😇
I'm wondering how people rate how good it is. Is it based on the optional logging you can add to the script? Did they check it actually saved them from anything? As I said above I'm sure plenty of malicious actors will be "caught" by the filters, but how many of these exploits would actually have worked against the website?
That's more like "seeing" bad guys pass by. Not much more that can be done if your software is robust 🙃
I believe one useful case would be if you're running extensions (particularly for WordPress) made by inexperienced developers, who might have left open holes in their code, like direct command line or SQL injection.
While this could totally apply to Flarum as well, the code quality here is very good. Even new developers make use of the framework helpers and so it's hard to leave such mistakes. The most dangerous aspect I believe is the database, but the use of the Laravel query builder and models makes it pretty safe.
With SQL injection pretty much impossible, the next possible mistakes are far more complex to detect, and not covered at all by those filters. It could be for example missing authorization checks or HTML injection through saved data in the backend.
Right now with Flarum we have plenty of experienced developers testing most of the third-party extensions and usually noticing any issue with them, but it might become a bigger problem as the ecosystem grows and untested extensions get downloaded by forum owners without much (if any) development experience.
In that regard, a firewall (running in Flarum, as an extension), or maybe a "code smell" running in the marketplace (once there is one) or just a simple review of extensions will help mitigate this problem in our ecosystem. The Flarum firewall should definitely be JSON-aware and also Mithril-aware, because the front-end of Flarum also has its own kind of possible injections.
Happy to hear other thoughts on the subject.
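
What "JSON-aware" means for the null-byte rule mentioned in the post, as an added example that is not part of the original post and is not Flarum or extension code: PHP does not populate `$_POST` for `application/json` bodies, and a null byte inside JSON travels as a `\u0000` escape, so the rule has to run on the decoded strings. The function names and the sample body are hypothetical and constructed for illustration; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

/** Collect every string value of a decoded JSON document, keyed by its path. */
function jsonStringLeaves(mixed $node, string $path = ''): array
{
    if (is_string($node)) {
        return [$path => $node];
    }
    if (!is_array($node)) {
        return []; // numbers, booleans and null carry no text to inspect
    }
    $leaves = [];
    foreach ($node as $key => $child) {
        // Paths always start with "/", so they never collide as array keys.
        $leaves += jsonStringLeaves($child, $path . '/' . $key);
    }
    return $leaves;
}

/** Apply the null-byte rule to a raw JSON request body; returns path => reason. */
function inspectJsonBody(string $rawBody): array
{
    try {
        // Depth limit of 32 bounds the work done on deeply nested input.
        $doc = json_decode($rawBody, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['(body)' => 'not valid JSON: ' . $e->getMessage()];
    }
    $findings = [];
    foreach (jsonStringLeaves($doc) as $path => $value) {
        if (str_contains($value, "\0")) {
            $findings[$path] = 'null byte in decoded string';
        }
    }
    return $findings;
}

// Constructed sample body (single quotes keep the \u0000 escape as six plain characters).
$raw = '{"data":{"type":"posts","attributes":{"content":"note\u0000.txt","tags":["a","b"]}}}';

// A byte-level rule on the raw body sees no null byte at all.
var_dump(str_contains($raw, "\0"));

// The same rule applied after decoding reports the affected field by path.
print_r(inspectJsonBody($raw));
```

This sketch inspects values only; object keys would need the same check.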