How does composer.lock protect your project against malicious dependencies?

Question (votes: 1, answers: 1)

In my project I check the composer.lock file in on GitHub. Suppose I require a healthy dependency in composer.json, for example:

"require": {
    "foo/bar": "v3.0"
  },

After I call composer install, a composer.lock file is created.

"packages": [
        {
            "name": "foo/bar",
            "version": "v3.0",
            "source": {
                "type": "git",
                "url": "https://github.com/foo/bar.git",
                "reference": "bbafb0edb791b23220563d113d00371ea42aedaa"
            },
            "type": "project",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Mr.Foo",
                    "email": "[email protected]"
                }
            ],
            "time": "2019-09-30T12:13:55+00:00"
        }

Suppose an attacker who owns the foo/bar repository deletes the v3.0 tag. The attacker then tags a different commit as v3.0. Can someone confirm that composer install will always consult composer.lock when installing the dependencies? If I run composer install without a composer.lock file, Composer will create a new .lock file with the new reference (commit ID). If I run composer install with composer.lock, Composer will stick to the commit ID ("reference": "bbafb0edb791b23220563d113d00371ea42aedaa", the old v3.0). Composer would not load the malicious fake v3.0, even though v3.0 now points to the new commit ID on GitHub.

Can someone confirm that the reference field in composer.lock has "higher priority" than the version field? Does Composer fully protect my project against this kind of attack?

php composer-php git-tag
1 answer

2 votes

This question piqued my curiosity. I would say yes, because otherwise locking the commit hash in the lock file would be useless, but to be sure I had to test it.

So here is what I did:

I installed a basic package at a specific version (not the latest, just to constrain the version):

$ composer require psr/log:1.0.0

This left me with a very simple composer.json

{
    "require": {
        "psr/log": "1.0.0"
    }
}

and this composer.lock

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "2865f724e23cffb23b3afd3a968e0359",
    "packages": [
        {
            "name": "psr/log",
            "version": "1.0.0",
            "source": {
                "type": "git",
                "url": "https://github.com/php-fig/log.git",
                "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
                "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
                "shasum": ""
            },
            "type": "library",
            "autoload": {
                "psr-0": {
                    "Psr\\Log\\": ""
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "PHP-FIG",
                    "homepage": "http://www.php-fig.org/"
                }
            ],
            "description": "Common interface for logging libraries",
            "keywords": [
                "log",
                "psr",
                "psr-3"
            ],
            "time": "2012-12-21T11:40:51+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": []
}

Then, to test, I simply changed one character of the commit hash found in composer.lock: fe0936ee26643249e916849d48e3a51d5f5e278b became fe0936ee26643249e916849d48e3a51d5f5e278c (the final b turned into a c), ending up with this composer.lock:

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "2865f724e23cffb23b3afd3a968e0359",
    "packages": [
        {
            "name": "psr/log",
            "version": "1.0.0",
            "source": {
                "type": "git",
                "url": "https://github.com/php-fig/log.git",
                "reference": "fe0936ee26643249e916849d48e3a51d5f5e278c"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278c",
                "reference": "fe0936ee26643249e916849d48e3a51d5f5e278c",
                "shasum": ""
            },
            "type": "library",
            "autoload": {
                "psr-0": {
                    "Psr\\Log\\": ""
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "PHP-FIG",
                    "homepage": "http://www.php-fig.org/"
                }
            ],
            "description": "Common interface for logging libraries",
            "keywords": [
                "log",
                "psr",
                "psr-3"
            ],
            "time": "2012-12-21T11:40:51+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": []
}

Then I deleted the vendor folder:

$ rm -Rf vendor

and re-ran the dependency installation, which ended with the following output:

$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 1 install, 0 updates, 0 removals
  - Installing psr/log (1.0.0): Downloading (0%)    Failed to download psr/log from dist: The "https://codeload.github.com/php-fig/log/legacy.zip/fe0936ee26643249e916849d48e3a51d5f5e278c" file could not be downloaded (HTTP/1.1 404 Not Found)
    Now trying to download from source
  - Installing psr/log (1.0.0): Cloning fe0936ee26 from cache
    fe0936ee26643249e916849d48e3a51d5f5e278c is gone (history was rewritten?)


  [RuntimeException]                                                                                                                  
  Failed to execute git checkout 'fe0936ee26643249e916849d48e3a51d5f5e278c' -- && git reset --hard 'fe0936ee26643249e916849d48e3a51d  
  5f5e278c' --                                                                                                                        

  fatal: reference is not a tree: fe0936ee26643249e916849d48e3a51d5f5e278c                                                            


install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [--no-suggest] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--ignore-platform-reqs] [--] [<packages>]...

So, definitely, the answer to your question is:

Yes, Composer will protect you.

And it says so quite straightforwardly with:

fe0936ee26643249e916849d48e3a51d5f5e278c is gone (history was rewritten?)
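As an added example (not part of the question or the answer above), a small Python audit that reads the pinned `source.reference` values out of a composer.lock and compares them with where each upstream tag points now, which is exactly the moved-tag scenario the question describes. The lock excerpt, the `UPSTREAM_TAGS` lookup stand-in and the function names are constructed for this illustration.

```python
import json
import re

# composer.lock sample, constructed from the answer's excerpt (only the fields
# this check reads); it is not a file Composer wrote.
LOCK_JSON = """{
  "packages": [
    {"name": "psr/log", "version": "1.0.0",
     "source": {"type": "git", "url": "https://github.com/php-fig/log.git",
                "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"}}
  ],
  "packages-dev": []
}"""

# Constructed stand-in for an upstream tag lookup (what `git ls-remote --tags
# <url> refs/tags/<tag>^{}` would report). Here the tag has been re-pointed
# at a commit other than the one the lock file pins.
UPSTREAM_TAGS = {
    ("https://github.com/php-fig/log.git", "1.0.0"):
        "fe0936ee26643249e916849d48e3a51d5f5e278c",
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def locked_packages(lock_text):
    """Yield (name, version, source url, source reference) per locked package."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            yield pkg["name"], pkg["version"], src.get("url"), src.get("reference")


def lock_findings(lock_text, resolve_tag):
    """Compare each pinned reference with where the upstream tag points now.
    resolve_tag(url, version) returns that tag's current commit, or None if
    the tag is gone. Composer installs the pinned reference either way; a
    mismatch means upstream history changed and the lock deserves review."""
    findings = []
    for name, version, url, ref in locked_packages(lock_text):
        if not ref or not FULL_SHA.match(ref):
            findings.append((name, "reference is not a full 40-hex commit id: %r" % ref))
            continue
        current = resolve_tag(url, version)
        if current is None:
            findings.append((name, "tag %s no longer exists upstream" % version))
        elif current != ref:
            findings.append((name, "tag %s moved: lock pins %s, upstream now %s"
                             % (version, ref, current)))
    return findings
```

Run with `lock_findings(LOCK_JSON, lambda u, v: UPSTREAM_TAGS.get((u, v)))` to see the moved-tag finding; in practice the resolver would shell out to git for each package URL.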