cancel
Showing results for 
Search instead for 
Did you mean: 

Composer security issues

0 Kudos

Composer security issues

Feature request from gamort, posted on GitHub Apr 20, 2016

The current documentation/implementation of composer allows for a large number of attack surfaces.

A "deployed" website[ie a website either installed using composer or a website which is installed from a downloaded zip file] should not have any need for the various development requirements - such as phpunit and other dev tools. Instead of requiring installers to remember to pass --no-dev to the commands - these options can be defined in the composer.json file [ie have a composer.json.dev and a composer.json.prod file - leave composer.json as it is in the github repository, but during the build process swap for the production/safer composer file].

By the same token, using the development version of vendor libraries adds yet more insecurity. A quick search for $_GET variables shows a large number of unsafe usages in the folder lusitanian/oauth/examples - with no fault to the library author. Examples and demo code do not need to be secure - it is expected that implementors would not deploy such code.

For the oath examples, they are protected by the htaccess files from direct access - however if Magento2 can be tricked into loading one that leads to security issues. Due to the reliance on the composer autoloading mechanisms such mischief is possible in theory.

3 Comments
Not applicable
Status changed to: Investigating
 
Not applicable

Comment from buskamuza, posted on GitHub Apr 20, 2016

Hi @gamort , thanks for reporting it. We're looking into the issue and your suggestions. Internal ticket is MAGETWO-52095

Not applicable

Comment from jameshalsall, posted on GitHub Apr 21, 2016

The composer --no-dev flag is designed exactly for this purpose, saying that you shouldn't have to require the installer to pass that option when building for production is nonsense.

Example code in the vendor library isn't a security issue over HTTP unless you're including / executing it as part of your Magento store.