From 9436e0840107440249928e39625fee206a7af0f3 Mon Sep 17 00:00:00 2001
From: Jeroen Vermeulen - MageHost
Date: Mon, 26 Oct 2020 13:54:32 +0100
Subject: [PATCH 1/5] Made HTTP check compatible with HTTP/2 (lowercase headers)

---
 src/Checker/HttpChecker.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Checker/HttpChecker.php b/src/Checker/HttpChecker.php
index ef3b923..0b42bf7 100644
--- a/src/Checker/HttpChecker.php
+++ b/src/Checker/HttpChecker.php
@@ -34,7 +34,7 @@ protected function doCheck($lock)
 list($headers, $body) = $this->doHttpCheck($lock, $certFile);
- if (!(preg_match('/X-Alerts: (\d+)/', $headers, $matches) || 2 == count($matches))) {
+ if (!(preg_match('/X-Alerts: (\d+)/i', $headers, $matches) || 2 == count($matches))) {
 throw new RuntimeException('The web service did not return alerts count.');
 }
@@ -59,7 +59,7 @@ public function testConnection()
 unlink($tmplock);
- if (!(preg_match('/X-Alerts: (\d+)/', $headers, $matches) || 2 == count($matches))) {
+ if (!(preg_match('/X-Alerts: (\d+)/i', $headers, $matches) || 2 == count($matches))) {
 throw new RuntimeException('The web service did not return alerts count.');
 }

From 4cf7aa2cde2bffc7ccae116921de7aba9a10b3ce Mon Sep 17 00:00:00 2001
From: Jeroen Vermeulen - MageHost
Date: Mon, 26 Oct 2020 14:00:51 +0100
Subject: [PATCH 2/5] Switched to Composer 2, issue: fancyguy/composer-security-check-plugin#26

https://github.com/composer/composer/blob/master/UPGRADE-2.0.md#for-integrators-and-plugin-authors
---
 composer.json | 6 +++-
 src/SecurityCheckPlugin.php | 64 ++++++++++++++++++++++---------------
 2 files changed, 44 insertions(+), 26 deletions(-)

diff --git a/composer.json b/composer.json
index 4fa71cb..acc78e8 100644
--- a/composer.json
+++ b/composer.json
@@ -7,6 +7,10 @@
 {
 "name": "Steve Buzonas",
 "email": "steve@fancyguy.com"
+ },
+ {
+ "name": "Jeroen Vermeulen",
+ "email": "jeroen@magehost.pro"
 }
 ],
 "support": {
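Review bot: The `|| 2 == count($matches)` clause in the changed condition can never alter the outcome — when `preg_match()` returns 0 (or false) `$matches` is empty and the count test is false as well, so the guard reduces to `!preg_match(...)` and the second half only suggests a check that isn't there. The pattern is also unanchored, so a header whose value merely contains `X-Alerts: 0`, or a differently named header ending in that text (say `X-Foo-X-Alerts`), would satisfy it, and with this count deciding whether an install is blocked the match should be pinned to the start of a header line. I would write `if (!preg_match('/^X-Alerts:[ \t]*(\d+)/im', $headers, $matches)) {`, keeping the `i` flag this commit adds since HTTP/2 delivers the name as `x-alerts`. `doCheck()` continues outside the hunk, so how `$matches[1]` is consumed is not visible here.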
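Review bot: The header-parsing guard is now duplicated verbatim between `doCheck()` and `testConnection()`, and this commit had to touch both copies just to add the `i` flag; the next change to the pattern will have the same problem. I would move the match and the throw into one private helper and call it from both sites so the regex and the error message live in one place. The helper below keeps the existing pattern, exception type and message and returns the captured digits as a string, which is what the callers appear to read from `$matches[1]` — if a caller relies on `$matches` itself, adjust the return accordingly. `testConnection()` ends outside the hunk.
```php
/**
 * Extract the alert count the web service reports in its X-Alerts header.
 *
 * @param string $headers raw response headers (HTTP/2 lowercases the name, hence the i flag)
 * @return string the digits captured from the header
 * @throws RuntimeException when no X-Alerts header is present
 */
private function parseAlertCount($headers)
{
    if (!preg_match('/X-Alerts: (\d+)/i', $headers, $matches)) {
        throw new RuntimeException('The web service did not return alerts count.');
    }

    return $matches[1];
}

// … unchanged: doCheck() and testConnection() call $this->parseAlertCount($headers) in place of the inline guard …
```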
@@ -21,7 +25,7 @@ "psr-4": { "FancyGuy\\Composer\\SecurityCheck\\Test\\": "tests/" } }, "require": {
- "composer-plugin-api": "^1.1",
+ "composer-plugin-api": "^2.0",
 "symfony/yaml": "^4.1",
 "ext-json": "*",
 "ext-curl": "*"
diff --git a/src/SecurityCheckPlugin.php b/src/SecurityCheckPlugin.php
index 710c447..b6c7d56 100644
--- a/src/SecurityCheckPlugin.php
+++ b/src/SecurityCheckPlugin.php
@@ -7,9 +7,9 @@
 use Composer\Factory;
 use Composer\IO\IOInterface;
 use Composer\Installer\InstallationManager;
-use Composer\Installer\InstallerEvent;
-use Composer\Installer\InstallerEvents;
 use Composer\Installer\NoopInstaller;
+use Composer\Installer\PackageEvent;
+use Composer\Installer\PackageEvents;
 use Composer\Plugin\Capable;
 use Composer\Plugin\CommandEvent;
 use Composer\Plugin\PluginEvents;
@@ -19,6 +19,7 @@
 use Composer\Repository\InstalledFilesystemRepository;
 use Composer\Script\Event as ScriptEvent;
 use Composer\Script\ScriptEvents;
+use Composer\Util\Loop;
 use FancyGuy\Composer\SecurityCheck\Checker\DefaultChecker;
 use FancyGuy\Composer\SecurityCheck\Util\DiagnosticsUtility;
@@ -39,8 +40,12 @@ public static function getSubscribedEvents()
 array('onCommandEvent'),
 ),
 // audit install candidates and possibly block installs
- InstallerEvents::POST_DEPENDENCIES_SOLVING => array(
- array('onInstallerEvent'),
+ PackageEvents::PRE_PACKAGE_INSTALL => array(
+ array('onPackageEvent'),
+ ),
+ // audit update candidates and possibly block installs
+ PackageEvents::PRE_PACKAGE_UPDATE => array(
+ array('onPackageEvent'),
 ),
 // status
 ScriptEvents::POST_STATUS_CMD => array(
@@ -58,6 +63,10 @@ public static function getSubscribedEvents()
 private $composer;
+ private $config;
+
+ private $loop;
+
 private $io;
 protected function getComposer()
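Review bot: Subscribing `onPackageEvent` to `PRE_PACKAGE_INSTALL`/`PRE_PACKAGE_UPDATE` turns the audit from a once-per-transaction hook into a per-operation one: as far as I can tell Composer 2 dispatches these package events right before each individual operation, so if `PackageEvent::getOperations()` returns the whole transaction as I believe it does, the full list is re-audited once per package and a block raised on the k-th package arrives after the first k-1 have already been written to vendor/. The removed `POST_DEPENDENCIES_SOLVING` hook ran before anything touched disk, which is the property a "possibly block installs" gate needs. The UPGRADE-2.0 notes linked in the commit message point integrators at `InstallerEvents::PRE_OPERATIONS_EXEC`, which as far as I recall is dispatched once with the whole transaction before execution starts; a single entry `InstallerEvents::PRE_OPERATIONS_EXEC => array(array('onPackageEvent')),` would replace both new ones, and the `use Composer\Installer\InstallerEvents;` import this patch removes would stay. The handler would then receive an `InstallerEvent`, which exposes the operations through its transaction but no local repository, so that lookup would move to the composer instance. `getSubscribedEvents()` ends outside the hunk.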
@@ -65,6 +74,16 @@ protected function getComposer()
 return $this->composer;
 }
+ protected function getConfig()
+ {
+ return $this->config;
+ }
+
+ protected function getLoop()
+ {
+ return $this->loop;
+ }
+
 protected function getIO()
 {
 return $this->io;
@@ -74,8 +93,16 @@ public function activate(Composer $composer, IOInterface $io)
 {
 $this->composer = $composer;
 $this->io = $io;
+ $this->config = Factory::createConfig();
+ $this->loop = new Loop(Factory::createHttpDownloader($this->getIO(), $this->getConfig()));
 }
+ public function deactivate(Composer $composer, IOInterface $io) {
+ }
+
+ public function uninstall(Composer $composer, IOInterface $io) {
+ }
+
 public function getCapabilities()
 {
 return array(
@@ -102,7 +129,7 @@ public function onPreCommandRunEvent(PreCommandRunEvent $event)
 {
 }
- public function onInstallerEvent(InstallerEvent $event)
+ public function onPackageEvent(PackageEvent $event)
 {
 $operations = $event->getOperations();
 if (!$operations) {
@@ -110,17 +137,9 @@ public function onInstallerEvent(InstallerEvent $event)
 return;
 }
- $installedRepo = $event->getInstalledRepo();
+ $repo = $event->getLocalRepo();
- $isFilesystemInstall = false;
- foreach ($installedRepo->getRepositories() as $repo) {
- if ($repo instanceof InstalledFilesystemRepository) {
- $isFilesystemInstall = true;
- break;
- }
- }
-
- if (!$isFilesystemInstall) {
+ if (!$repo instanceof InstalledFilesystemRepository) {
 // noop
 return;
 }
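Review bot: `activate()` builds a fresh `Factory::createConfig()` instead of using the `$composer->getConfig()` it was just handed, so the HttpDownloader behind the new loop runs with global defaults and ignores the project's own settings — `cafile`/`capath`, `secure-http`, `disable-tls`, proxies and auth — which for a security plugin is the wrong direction to err in, and it means a project that pins a CA bundle is silently not using it here. Composer 2 also keeps the installer's own loop on the composer instance, as far as I recall via `$composer->getLoop()`, so there is no need to construct a second downloader at all: `$this->config = $composer->getConfig();` and `$this->loop = $composer->getLoop();`. If a 2.0 pre-release without `getLoop()` must still be supported, fall back to `new Loop(Factory::createHttpDownloader($io, $this->config))` with the project config rather than a global one. The empty `deactivate()`/`uninstall()` bodies are required by the 2.x `PluginInterface` and are fine as they are.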
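Review bot: The new guard `if (!$repo instanceof InstalledFilesystemRepository)` returns silently, so any context in which `getLocalRepo()` yields a different repository type (I would expect at least `--dry-run`, though I am not certain what Composer 2 uses there) skips the whole security audit without a trace in the output, and a user looking at a clean run cannot tell "audited" from "skipped". Replace the bare `// noop` with a verbose-level message before the `return;`, e.g. `$this->getIO()->writeError('<comment>security-check: audit skipped, local repository is not a filesystem install</comment>', true, IOInterface::VERBOSE);`. The condition itself is correct because `instanceof` binds tighter than `!`, but `!($repo instanceof InstalledFilesystemRepository)` with explicit parentheses reads unambiguously. `onPackageEvent()` continues outside the hunk.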
@@ -137,18 +156,13 @@ public function onInstallerEvent(InstallerEvent $event)
 }
 $localRepo = new InstalledArrayRepository($packages);
- $im = new InstallationManager();
+ $im = new InstallationManager($this->getLoop(), $this->getIO());
 $im->addInstaller(new NoopInstaller);
- foreach ($operations as $operation) {
- // TODO: Fake passes like in Installer::extractDevPackages() break things
- // Ideally we should have the local repository being used in the event
- // For now, blindly ignore exceptions. The noop installer throws only
- // when a package is not installed. We'll assume it is in another context
- try {
- $im->execute($localRepo, $operation);
- } catch (\Exception $e) {}
- }
+ // TODO: Fake passes like in Installer::extractDevPackages() break things
+ try {
+ $im->execute($localRepo, $operations);
+ } catch (\Exception $e) {}
 $locked = array();

From 6012d941cbd5bd3e1517160c4b96a0ceee24b99f Mon Sep 17 00:00:00 2001
From: Jeroen Vermeulen - MageHost
Date: Mon, 26 Oct 2020 14:12:13 +0100
Subject: [PATCH 3/5] Restored comment which got lost

---
 src/SecurityCheckPlugin.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/SecurityCheckPlugin.php b/src/SecurityCheckPlugin.php
index b6c7d56..1681e28 100644
--- a/src/SecurityCheckPlugin.php
+++ b/src/SecurityCheckPlugin.php
@@ -160,6 +160,9 @@ public function onPackageEvent(PackageEvent $event)
 $im->addInstaller(new NoopInstaller);
 // TODO: Fake passes like in Installer::extractDevPackages() break things
+ // Ideally we should have the local repository being used in the event
+ // For now, blindly ignore exceptions. The noop installer throws only
+ // when a package is not installed. We'll assume it is in another context
 try {
 $im->execute($localRepo, $operations);
 } catch (\Exception $e) {}

From 232650fd6eb033f3e613f9139e5c6dcdfa2dc2da Mon Sep 17 00:00:00 2001
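Review bot: `catch (\Exception $e) {}` now swallows a failure for the whole batch: in the removed per-operation loop one throwing operation cost one package, but `$im->execute($localRepo, $operations)` stops at the first exception, so the `$locked` list built afterwards (outside the hunk) can silently miss every remaining package and the audit passes on an incomplete set. At minimum surface it so a user can see the audit was partial: `} catch (\Exception $e) { $this->getIO()->writeError('<warning>security-check: could not simulate operations: ' . $e->getMessage() . '</warning>', true, IOInterface::VERBOSE); }`. Separately, if the 2.x `InstallationManager::execute()` takes the `$devMode`/`$runScripts` flags I remember, pass scripts off explicitly — `$im->execute($localRepo, $operations, true, false);` — so that a later change which hands this manager an event dispatcher cannot re-enter this plugin's own `PRE_PACKAGE_*` subscription while it is simulating the transaction. `onPackageEvent()` continues outside the hunk.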
From: Jeroen Vermeulen - MageHost
Date: Mon, 26 Oct 2020 15:17:48 +0100
Subject: [PATCH 4/5] Improved composer.json and ReadMe

---
 README.md | 4 ++--
 composer.json | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 02731fd..116e37f 100644
--- a/README.md
+++ b/README.md
@@ -13,13 +13,13 @@ Run these commands to see some sample behavior:
 mkdir insecure-project
 cd insecure-project
 composer init --name="insecure/project" --description="insecure project" -l MIT -n
- composer require symfony/symfony:2.5.2
+ composer require 3f/pygmentize:1.0
 composer require fancyguy/composer-security-check-plugin
 composer audit
 composer audit --format=simple
 composer audit --format=json
 composer validate
- composer require symfony/symfony --update-with-all-dependencies
+ composer require 3f/pygmentize --update-with-all-dependencies
 composer audit
 By default this tool uploads your `composer.lock` file to the [security.symfony.com](https://security.symfony.com/) webservice which uses the checks from https://github.com/FriendsOfPHP/security-advisories.
diff --git a/composer.json b/composer.json
index acc78e8..831f64f 100644
--- a/composer.json
+++ b/composer.json
@@ -31,13 +31,10 @@
 "ext-curl": "*"
 },
 "require-dev": {
- "composer/composer": "^1.6",
+ "composer/composer": "^2.0",
 "phpunit/phpunit": "^7.2"
 },
 "extra": {
- "branch-alias": {
- "dev-master": "1.2-dev"
- },
 "class": "FancyGuy\\Composer\\SecurityCheck\\SecurityCheckPlugin"
 }
 }

From b2dbaee4c80f82b7e5c6cda1f88a47d867171218 Mon Sep 17 00:00:00 2001
From: Jeroen Vermeulen
Date: Mon, 26 Oct 2020 15:21:37 +0100
Subject: [PATCH 5/5] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 116e37f..db23fe8 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Security Check Plugin for Composer
+# Security Check Plugin for Composer 2.x
 For global install: