Bah*_*mas 4 php git-tag composer-php
在我的项目中,我检查了github上的composer.lock文件。假设我需要在 composer.json 中有一个健康的依赖项,例如:
"require": {
"foo/bar": "v3.0"
},
在我调用composer install之后,会创建一个 composer.lock 文件。
"packages": [
{
"name": "foo/bar",
"version": "v3.0",
"source": {
"type": "git",
"url": "https://github.com/foo/bar.git",
"reference": "bbafb0edb791b23220563d113d00371ea42aedaa"
},
"type": "project",
"license": [
"MIT"
],
"authors": [
{
"name": "Mr.Foo",
"email": "mr.foo@bar.de"
}
],
"time": "2019-09-30T12:13:55+00:00"
}
假设拥有 foo/bar 存储库的攻击者将删除 v3.0 标签。攻击者会为 v3.0 命名一个不同的提交。有人可以确认composer install将始终检查 composer.lock 安装依赖项吗?如果我在没有composer.lock文件的情况下运行composer install,composer 将创建一个带有新引用(提交 ID)的新 .lock 文件。如果我使用composer.lock文件运行composer install,composer 将坚持提交 ID(“reference”:“bbafb0edb791b23220563d113d00371ea42aedaa”,旧版 v3.0)。Composer 不会加载恶意伪造 v3.0。v3.0 指向 github 上的新提交 ID。
有人可以确认 composer.lock 的引用标签比版本标签具有“更高的优先级”吗?composer 是否完全保护我的项目免受这些类型的攻击?
毫无疑问,你的问题的答案是:
是的,作曲家会保护你
要么它会根据你的 中声明的提交哈希安装包composer.lock,如果它存在于存储库中,只是忽略提交和版本之间的不匹配,要么它会因为一个非常直截了当的原因而失败:“历史被重写? ”
这个问题确实激起了我的好奇心:我会说是的,否则,锁定锁定文件中的提交哈希将毫无用处,但为了正确性,我不得不对其进行测试。
所以这就是我所做的:
composer.json约束匹配的提交我安装了一个基本包,到某个特定版本(不是最新的,只是为了有一个版本限制):
$ composer require psr/log:1.0.0
这让我最终得到了这个非常简单的结果 composer.json
{
"require": {
"psr/log": "1.0.0"
}
}
和这个 composer.lock
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2865f724e23cffb23b3afd3a968e0359",
"packages": [
{
"name": "psr/log",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
"reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
"reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
"shasum": ""
},
"type": "library",
"autoload": {
"psr-0": {
"Psr\\Log\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "http://www.php-fig.org/"
}
],
"description": "Common interface for logging libraries",
"keywords": [
"log",
"psr",
"psr-3"
],
"time": "2012-12-21T11:40:51+00:00"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": []
}
然后为了测试它,我只是改变了提交哈希fe0936ee26643249e916849d48e3a51d5f5e278b,我可以在composer.lock一个字符中找到它:(fe0936ee26643249e916849d48e3a51d5f5e278c最后一个b变成了c);以此结尾composer.lock:
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2865f724e23cffb23b3afd3a968e0359",
"packages": [
{
"name": "psr/log",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
"reference": "fe0936ee26643249e916849d48e3a51d5f5e278c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278c",
"reference": "fe0936ee26643249e916849d48e3a51d5f5e278c",
"shasum": ""
},
"type": "library",
"autoload": {
"psr-0": {
"Psr\\Log\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "http://www.php-fig.org/"
}
],
"description": "Common interface for logging libraries",
"keywords": [
"log",
"psr",
"psr-3"
],
"time": "2012-12-21T11:40:51+00:00"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": []
}
请注意:如果您在浏览器中尝试此操作,因为 Composer 稍后会为您执行此操作,您将得到一个 404 页面:https : //api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278c
vendor为此,我删除了我的文件夹:
$ rm -Rf vendor
然后,重新运行依赖项安装,以以下输出结束:
$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 1 install, 0 updates, 0 removals
- Installing psr/log (1.0.0): Downloading (0%) Failed to download psr/log from dist: The "https://codeload.github.com/php-fig/log/legacy.zip/fe0936ee26643249e916849d48e3a51d5f5e278c" file could not be downloaded (HTTP/1.1 404 Not Found)
Now trying to download from source
- Installing psr/log (1.0.0): Cloning fe0936ee26 from cache
fe0936ee26643249e916849d48e3a51d5f5e278c is gone (history was rewritten?)
[RuntimeException]
Failed to execute git checkout 'fe0936ee26643249e916849d48e3a51d5f5e278c' -- && git reset --hard 'fe0936ee26643249e916849d48e3a51d
5f5e278c' --
fatal: reference is not a tree: fe0936ee26643249e916849d48e3a51d5f5e278c
install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [--no-suggest] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--ignore-platform-reqs] [--] [<packages>]...
如果你只有一行来读出这个输出,那就是:
fe0936ee26643249e916849d48e3a51d5f5e278c 不见了(历史被改写了?)
这次在php-fig/log的repository做了一点挖掘,找到了repository的初始提交:https : //github.com/php-fig/log/commit/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
并且,以同样的方式,我编辑了我的composer.lock,但这次伪造了一个事实,即 repo 的初始提交是标记的那个1.0.0,而它显然不是。
这让我得到了这个 composer.lock
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2865f724e23cffb23b3afd3a968e0359",
"packages": [
{
"name": "psr/log",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
"reference": "a7ab552fdb2efb80aeca09da3bbd9335fc945ff0"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0",
"reference": "a7ab552fdb2efb80aeca09da3bbd9335fc945ff0",
"shasum": ""
},
"type": "library",
"autoload": {
"psr-0": {
"Psr\\Log\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "http://www.php-fig.org/"
}
],
"description": "Common interface for logging libraries",
"keywords": [
"log",
"psr",
"psr-3"
],
"time": "2012-12-21T11:40:51+00:00"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": []
}
请注意:这次尝试,将下载包含存储库状态的 zip,就像它在初始提交时一样:https : //api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
重复以上删除vendor文件夹
$ rm -Rf vendor
也清除了composer缓存,这一次,因为剧透警告,安装会成功:
$ composer clearcache && rm -Rf vendor
Clearing cache (cache-vcs-dir): /tmp/cache/vcs
Clearing cache (cache-repo-dir): /tmp/cache/repo
Clearing cache (cache-files-dir): /tmp/cache/files
Clearing cache (cache-dir): /tmp/cache
All caches cleared.
然后,重新运行依赖项安装,以以下输出结束:
$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 1 install, 0 updates, 0 removals
- Installing psr/log (1.0.0): Downloading (100%)
Generating autoload files
出于对安装效果的好奇,我重新运行了这个过程,更详细地,以了解 Composer 真正在做什么:
$ rm -Rf vendor/ && composer clearcache && composer install -vvv
Cache directory does not exist (cache-vcs-dir):
Clearing cache (cache-repo-dir): /tmp/cache/repo
Clearing cache (cache-files-dir): /tmp/cache/files
Clearing cache (cache-dir): /tmp/cache
All caches cleared.
Reading ./composer.json
Loading config file ./composer.json
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/app): git branch --no-color --no-abbrev -v
Executing command (/app): git describe --exact-match --tags
Executing command (/app): git log --pretty="%H" -n1 HEAD
Executing command (/app): hg branch
Executing command (/app): fossil branch list
Executing command (/app): fossil tag list
Executing command (/app): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /tmp/composer.json
To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section
Running 1.8.6 (2019-06-11 15:03:05) with PHP 7.3.8 on Linux / 4.9.184-linuxkit
Reading ./composer.lock
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Reading ./composer.lock
Resolving dependencies through SAT
Looking at all rules.
Dependency resolution completed in 0.000 seconds
Analyzed 43 packages to resolve dependencies
Analyzed 43 rules to resolve dependencies
Package operations: 1 install, 0 updates, 0 removals
Installs: psr/log:1.0.0
- Installing psr/log (1.0.0): Downloading https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
Downloading (connecting...)
Following redirect (2) https://codeload.github.com/php-fig/log/legacy.zip/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
Downloading https://codeload.github.com/php-fig/log/legacy.zip/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
Downloading (100%)Writing /tmp/cache/files/psr/log/6e79f232da13c50e0fd07e74eb2d58c350e71a60.zip into cache from /app/vendor/psr/log/4ff496e542e24af2efd56eaf051e132b
Extracting archiveExecuting command (CWD): unzip -qq '/app/vendor/psr/log/4ff496e542e24af2efd56eaf051e132b' -d '/app/vendor/composer/9c2feb29'
REASON: Required by the root package: Install command rule (install psr/log 1.0.0)
Generating autoload files
您可以在哪里看到它在提交哈希处安装库a7ab552fdb2efb80aeca09da3bbd9335fc945ff0,请相信composer.lock这样做的说明。
- 安装 psr/log (1.0.0):下载https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
存在这样的,因为锁文件说,这犯的事实疑难杂症的版本1.0.0它提示我,它安装包的那个版本,但是这是一个小问题。