【问题标题】:How does composer.lock protects your project of malicious dependenciescomposer.lock 如何保护你的项目的恶意依赖
【发布时间】:2020-01-29 19:03:45
【问题描述】:

在我的项目中,我签入了 github 上的 composer.lock 文件。 假设我需要 composer.json 中的健康依赖项,例如:

"require": {
    "foo/bar": "v3.0"
  },

在我调用 composer install 后,一个 composer.lock 文件被创建。

"packages": [
        {
            "name": "foo/bar",
            "version": "v3.0",
            "source": {
                "type": "git",
                "url": "https://github.com/foo/bar.git",
                "reference": "bbafb0edb791b23220563d113d00371ea42aedaa"
            },
            "type": "project",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Mr.Foo",
                    "email": "mr.foo@bar.de"
                }
            ],
            "time": "2019-09-30T12:13:55+00:00"
        }

假设拥有 foo/bar 存储库的攻击者将删除 v3.0 标记。攻击者将命名为 v3.0 的不同提交。 有人可以确认 composer install 将始终检查 composer.lock 安装依赖项吗? 如果我在没有 composer.lock 文件的情况下运行 composer install,composer 将创建一个带有新引用(提交 ID)的新 .lock 文件。如果我使用 composer.lock 文件运行 composer install,composer 将坚持提交 ID(“reference”:“bbafb0edb791b23220563d113d00371ea42aedaa”,旧 v3.0)。 Composer 不会加载恶意伪造的 v3.0。 v3.0 指向 github 上的新提交 id。

有人可以确认 composer.lock 的 reference 标签比 version 标签具有“更高的优先级”吗? composer 是否完全保护我的项目免受此类攻击?

【问题讨论】:

    标签: php composer-php git-tag


    【解决方案1】:

    TL;DR;

    当然,你的问题的答案是:

    是的,作曲家会保护你

    要么它会根据你composer.lock 中声明的提交哈希安装软件包,如果它存在于存储库中,只需忽略提交和版本之间的不匹配,要么它会失败,原因很简单: “历史被改写了吗?”


    这个问题确实激起了我的好奇心:我会说是的,因为否则,将提交哈希锁定在锁定文件中将毫无用处,但为了正确起见,我必须对其进行测试。

    这就是我所做的:

    1. 存在“明显”的场景,攻击者会真正重写历史记录并删除标签与您的composer.json 约束匹配的提交
    2. 再想一想,还有一种情况是,攻击者会保留标记为您的约束的提交,但会添加一个较新的提交并使用与您的约束匹配的标签重新标记新提交

    第一个场景:

    我安装了一个基本包,到某个特定版本(不是最新的,只是为了有一个版本限制):

    $ composer require psr/log:1.0.0
    

    这让我最终得到了这个非常简单的composer.json

    {
        "require": {
            "psr/log": "1.0.0"
        }
    }
    

    还有这个composer.lock

    {
        "_readme": [
            "This file locks the dependencies of your project to a known state",
            "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
            "This file is @generated automatically"
        ],
        "content-hash": "2865f724e23cffb23b3afd3a968e0359",
        "packages": [
            {
                "name": "psr/log",
                "version": "1.0.0",
                "source": {
                    "type": "git",
                    "url": "https://github.com/php-fig/log.git",
                    "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
                },
                "dist": {
                    "type": "zip",
                    "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
                    "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
                    "shasum": ""
                },
                "type": "library",
                "autoload": {
                    "psr-0": {
                        "Psr\\Log\\": ""
                    }
                },
                "notification-url": "https://packagist.org/downloads/",
                "license": [
                    "MIT"
                ],
                "authors": [
                    {
                        "name": "PHP-FIG",
                        "homepage": "http://www.php-fig.org/"
                    }
                ],
                "description": "Common interface for logging libraries",
                "keywords": [
                    "log",
                    "psr",
                    "psr-3"
                ],
                "time": "2012-12-21T11:40:51+00:00"
            }
        ],
        "packages-dev": [],
        "aliases": [],
        "minimum-stability": "stable",
        "stability-flags": [],
        "prefer-stable": false,
        "prefer-lowest": false,
        "platform": [],
        "platform-dev": []
    }
    

    然后为了测试它,我只是将提交哈希 fe0936ee26643249e916849d48e3a51d5f5e278b 更改了一个字符:fe0936ee26643249e916849d48e3a51d5f5e278c(最后一个 b 变成了 c);以composer.lock结尾:

    {
        "_readme": [
            "This file locks the dependencies of your project to a known state",
            "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
            "This file is @generated automatically"
        ],
        "content-hash": "2865f724e23cffb23b3afd3a968e0359",
        "packages": [
            {
                "name": "psr/log",
                "version": "1.0.0",
                "source": {
                    "type": "git",
                    "url": "https://github.com/php-fig/log.git",
                    "reference": "fe0936ee26643249e916849d48e3a51d5f5e278c"
                },
                "dist": {
                    "type": "zip",
                    "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278c",
                    "reference": "fe0936ee26643249e916849d48e3a51d5f5e278c",
                    "shasum": ""
                },
                "type": "library",
                "autoload": {
                    "psr-0": {
                        "Psr\\Log\\": ""
                    }
                },
                "notification-url": "https://packagist.org/downloads/",
                "license": [
                    "MIT"
                ],
                "authors": [
                    {
                        "name": "PHP-FIG",
                        "homepage": "http://www.php-fig.org/"
                    }
                ],
                "description": "Common interface for logging libraries",
                "keywords": [
                    "log",
                    "psr",
                    "psr-3"
                ],
                "time": "2012-12-21T11:40:51+00:00"
            }
        ],
        "packages-dev": [],
        "aliases": [],
        "minimum-stability": "stable",
        "stability-flags": [],
        "prefer-stable": false,
        "prefer-lowest": false,
        "platform": [],
        "platform-dev": []
    }
    

    请注意:如果您在浏览器中尝试此操作,因为 composer 稍后会为您执行此操作,您最终会得到一个 404 页面:https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278c

    为此,我删除了我的 vendor 文件夹:

    $ rm -Rf vendor
    

    然后,重新运行依赖项安装,以以下输出结束:

    $ composer install
    Loading composer repositories with package information
    Installing dependencies (including require-dev) from lock file
    Package operations: 1 install, 0 updates, 0 removals
      - Installing psr/log (1.0.0): Downloading (0%)    Failed to download psr/log from dist: The "https://codeload.github.com/php-fig/log/legacy.zip/fe0936ee26643249e916849d48e3a51d5f5e278c" file could not be downloaded (HTTP/1.1 404 Not Found)
        Now trying to download from source
      - Installing psr/log (1.0.0): Cloning fe0936ee26 from cache
        fe0936ee26643249e916849d48e3a51d5f5e278c is gone (history was rewritten?)
    
    
      [RuntimeException]                                                                                                                  
      Failed to execute git checkout 'fe0936ee26643249e916849d48e3a51d5f5e278c' -- && git reset --hard 'fe0936ee26643249e916849d48e3a51d  
      5f5e278c' --                                                                                                                        
    
      fatal: reference is not a tree: fe0936ee26643249e916849d48e3a51d5f5e278c                                                            
    
    
    install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [--no-suggest] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--ignore-platform-reqs] [--] [<packages>]...
    

    如果你只有一行可以读出这个输出,那就是:

    fe0936ee26643249e916849d48e3a51d5f5e278c 没了(历史被改写了?)

    第二种情况:

    这次我在php-fig/log的仓库中做了一点挖掘,找到了仓库的初始提交:https://github.com/php-fig/log/commit/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0

    并且,以同样的方式,我编辑了我的composer.lock,但这一次伪造了这样一个事实,即回购的初始提交是标记为1.0.0的那个,而实际上它是obviously not

    这给了我composer.lock

    {
        "_readme": [
            "This file locks the dependencies of your project to a known state",
            "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
            "This file is @generated automatically"
        ],
        "content-hash": "2865f724e23cffb23b3afd3a968e0359",
        "packages": [
            {
                "name": "psr/log",
                "version": "1.0.0",
                "source": {
                    "type": "git",
                    "url": "https://github.com/php-fig/log.git",
                    "reference": "a7ab552fdb2efb80aeca09da3bbd9335fc945ff0"
                },
                "dist": {
                    "type": "zip",
                    "url": "https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0",
                    "reference": "a7ab552fdb2efb80aeca09da3bbd9335fc945ff0",
                    "shasum": ""
                },
                "type": "library",
                "autoload": {
                    "psr-0": {
                        "Psr\\Log\\": ""
                    }
                },
                "notification-url": "https://packagist.org/downloads/",
                "license": [
                    "MIT"
                ],
                "authors": [
                    {
                        "name": "PHP-FIG",
                        "homepage": "http://www.php-fig.org/"
                    }
                ],
                "description": "Common interface for logging libraries",
                "keywords": [
                    "log",
                    "psr",
                    "psr-3"
                ],
                "time": "2012-12-21T11:40:51+00:00"
            }
        ],
        "packages-dev": [],
        "aliases": [],
        "minimum-stability": "stable",
        "stability-flags": [],
        "prefer-stable": false,
        "prefer-lowest": false,
        "platform": [],
        "platform-dev": []
    }
    

    请注意: 这次尝试,将下载包含存储库状态的 zip,因为它在初始提交时:https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0

    重复上述删除vendor文件夹

    $ rm -Rf vendor
    

    清除作曲家缓存,这一次,因为,剧透警告,安装成功:

    $ composer clearcache && rm -Rf vendor
    Clearing cache (cache-vcs-dir): /tmp/cache/vcs
    Clearing cache (cache-repo-dir): /tmp/cache/repo
    Clearing cache (cache-files-dir): /tmp/cache/files
    Clearing cache (cache-dir): /tmp/cache
    All caches cleared.
    

    然后,重新运行依赖项安装,以以下输出结束:

    $ composer install
    Loading composer repositories with package information
    Installing dependencies (including require-dev) from lock file
    Package operations: 1 install, 0 updates, 0 removals
      - Installing psr/log (1.0.0): Downloading (100%)         
    Generating autoload files
    

    好奇安装过程与我的想象相去甚远,我重新运行该过程,更详细地了解作曲家真正在做什么:

    $ rm -Rf vendor/ && composer clearcache && composer install -vvv
    Cache directory does not exist (cache-vcs-dir): 
    Clearing cache (cache-repo-dir): /tmp/cache/repo
    Clearing cache (cache-files-dir): /tmp/cache/files
    Clearing cache (cache-dir): /tmp/cache
    All caches cleared.
    Reading ./composer.json
    Loading config file ./composer.json
    Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
    Executing command (/app): git branch --no-color --no-abbrev -v
    Executing command (/app): git describe --exact-match --tags
    Executing command (/app): git log --pretty="%H" -n1 HEAD
    Executing command (/app): hg branch
    Executing command (/app): fossil branch list
    Executing command (/app): fossil tag list
    Executing command (/app): svn info --xml
    Failed to initialize global composer: Composer could not find the config file: /tmp/composer.json
    To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section
    Running 1.8.6 (2019-06-11 15:03:05) with PHP 7.3.8 on Linux / 4.9.184-linuxkit
    Reading ./composer.lock
    Loading composer repositories with package information
    Installing dependencies (including require-dev) from lock file
    Reading ./composer.lock
    Resolving dependencies through SAT
    Looking at all rules.
    
    Dependency resolution completed in 0.000 seconds
    Analyzed 43 packages to resolve dependencies
    Analyzed 43 rules to resolve dependencies
    Package operations: 1 install, 0 updates, 0 removals
    Installs: psr/log:1.0.0
      - Installing psr/log (1.0.0): Downloading https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
    Downloading (connecting...)
    Following redirect (2) https://codeload.github.com/php-fig/log/legacy.zip/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
    Downloading https://codeload.github.com/php-fig/log/legacy.zip/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0
    Downloading (100%)Writing /tmp/cache/files/psr/log/6e79f232da13c50e0fd07e74eb2d58c350e71a60.zip into cache from /app/vendor/psr/log/4ff496e542e24af2efd56eaf051e132b
    
     Extracting archiveExecuting command (CWD): unzip -qq  '/app/vendor/psr/log/4ff496e542e24af2efd56eaf051e132b' -d '/app/vendor/composer/9c2feb29'
        REASON: Required by the root package: Install command rule (install psr/log 1.0.0)
    
    Generating autoload files
    

    您可以看到它在提交哈希a7ab552fdb2efb80aeca09da3bbd9335fc945ff0 处安装库,相信composer.lock 的说明会这样做。

    - 安装psr/log (1.0.0):正在下载https://api.github.com/repos/php-fig/log/zipball/a7ab552fdb2efb80aeca09da3bbd9335fc945ff0

    事实上有个问题,因为锁文件说这个提交版本1.0.0它提示我它安装了那个版本的包,但这是一个小问题.

    【讨论】:

    • 值得注意的是,对于 GitHub 来说是正确的(只要你信任 GitHub),但对于托管在不同位置的包来说,则不必如此。 Composer 不涉及任何校验和检查,它只是从composer.lock 中指定的 URL 下载 zip/repository - 如果您不信任网络或包托管,则存在 MITM 攻击或包篡改的风险。 stackoverflow.com/questions/26246143/…
    猜你喜欢
    • 2021-05-04
    • 2012-11-18
    • 2013-06-24
    • 2020-07-24
    • 1970-01-01
    • 2019-07-11
    • 2011-05-10
    • 1970-01-01
    • 2018-08-14
    相关资源
    最近更新 更多