From dc83ba93f3d8a35629f9a387632e8cd373a144d0 Mon Sep 17 00:00:00 2001
From: Ayesh Karunaratne
Date: Sun, 7 Mar 2021 00:40:32 +0700
Subject: [PATCH 1/3] Update GitHub token pattern
GitHub is updating the format of auth tokens from `a-z0-9` to `A-Za-z0-9` ([notice](https://github.blog/changelog/2021-03-04-authentication-token-format-updates/)). I'm not sure why `.` is allowed, but I dare not to remove it. In this PR, the token validation regex is updated to allow `A-Za-z0-9` instead of the current all lower-case `a-z` and disallowed `_`.
---
src/Composer/IO/BaseIO.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Composer/IO/BaseIO.php b/src/Composer/IO/BaseIO.php
index d9dbc2d6f..ec914f5f8 100644
--- a/src/Composer/IO/BaseIO.php
+++ b/src/Composer/IO/BaseIO.php
@@ -125,7 +125,7 @@ abstract class BaseIO implements IOInterface, LoggerInterface
 }
 foreach ($githubOauth as $domain => $token) {
- if (!preg_match('{^[.a-z0-9]+$}', $token)) {
+ if (!preg_match('{^[.A-Za-z0-9_]+$}', $token)) {
 throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
 }
 $this->checkAndSetAuthentication($domain, $token, 'x-oauth-basic');
From 54889ca1092e387418f917bcf520ef23d415e8a0 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 9 Mar 2021 21:37:43 +0100
Subject: [PATCH 2/3] Document GH token usage and also make sure we redact them in Process debug output, refs #9757
---
src/Composer/IO/BaseIO.php | 2 ++
src/Composer/Util/ProcessExecutor.php | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Composer/IO/BaseIO.php b/src/Composer/IO/BaseIO.php
index ec914f5f8..013597450 100644
--- a/src/Composer/IO/BaseIO.php
+++ b/src/Composer/IO/BaseIO.php
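Review bot: The new pattern `{^[.A-Za-z0-9_]+$}` still accepts a token that ends in a newline, because PCRE's `$` matches before a trailing `\n`; anchoring with `\z` or the `D` modifier closes that gap: `if (!preg_match('{^[.A-Za-z0-9_]+$}D', $token)) {`. The same pattern is the context line of the BaseIO hunk in the second patch, so the fix applies there as well. The exception on the following context line embeds the rejected value verbatim, which can end up in CI logs; a token with one stray character is still a secret, so reporting only the domain (or the offending character) would be the safer message. The enclosing method begins outside the hunk.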
@@ -125,6 +125,8 @@ abstract class BaseIO implements IOInterface, LoggerInterface
 }
 foreach ($githubOauth as $domain => $token) {
+ // allowed chars for GH tokens are from https://github.blog/changelog/2021-03-04-authentication-token-format-updates/
+ // plus dots which were at some point used for GH app integration tokens
 if (!preg_match('{^[.A-Za-z0-9_]+$}', $token)) {
 throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
 }
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
index cb935e0eb..cb1886e94 100644
--- a/src/Composer/Util/ProcessExecutor.php
+++ b/src/Composer/Util/ProcessExecutor.php
@@ -45,7 +45,8 @@ class ProcessExecutor
 {
 if ($this->io && $this->io->isDebug()) {
 $safeCommand = preg_replace_callback('{://(?P[^:/\s]+):(?P[^@\s/]+)@}i', function ($m) {
- if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
 return '://***:***@';
 }
From 17747181d08e93d6ba783161919a0a9068ed55ef Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 9 Mar 2021 23:00:17 +0100
Subject: [PATCH 3/3] Clarify behavior of name in VCS repo, closes #9752
---
src/Composer/Repository/VcsRepository.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Composer/Repository/VcsRepository.php b/src/Composer/Repository/VcsRepository.php
index 148f587d4..80d24f7a1 100644
--- a/src/Composer/Repository/VcsRepository.php
+++ b/src/Composer/Repository/VcsRepository.php
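Review bot: The new alternative `g[a-z]\d_[a-zA-Z0-9_]+` in the ProcessExecutor hunk requires a digit in the third position, so it does not match the prefixes GitHub announced for the new token format (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` — two letters, then the underscore); a real new-format token used as the URL user would therefore still be printed in debug output, which is exactly the case this commit sets out to cover. A prefix shape that covers those and leaves room for variants is `g[a-z0-9]{1,2}_`, i.e. `if (preg_match('{^([a-f0-9]{12,}|g[a-z0-9]{1,2}_[A-Za-z0-9_]+)$}', $m['user'])) {`, and the comment's example `gp1_xxx` should be replaced by a real prefix such as `ghp_`. More generally, redacting only user names that match a known secret shape fails open for every other credential format; redacting the user part whenever a password is present, unless it looks like a plain account name, would fail safe. The outer pattern's named groups appear to have been stripped in this rendering (`(?P[^:/\s]+)` cannot populate `$m['user']` as written), and the enclosing method begins and ends outside the hunk.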
@@ -247,7 +247,7 @@ class VcsRepository extends ArrayRepository implements ConfigurableRepositoryInt
 continue;
 }
- $tagPackageName = isset($data['name']) ? $data['name'] : $this->packageName;
+ $tagPackageName = $this->packageName ?: (isset($data['name']) ? $data['name'] : '');
 if ($existingPackage = $this->findPackage($tagPackageName, $data['version_normalized'])) {
 if ($isVeryVerbose) {
 $this->io->writeError('Skipped tag '.$tag.', it conflicts with an another tag ('.$existingPackage->getPrettyVersion().') as both resolve to '.$data['version_normalized'].' internally');
@@ -386,6 +386,8 @@ class VcsRepository extends ArrayRepository implements ConfigurableRepositoryInt
 protected function preProcess(VcsDriverInterface $driver, array $data, $identifier)
 {
 // keep the name of the main identifier for all packages
+ // this ensures that a package can be renamed in one place and that all old tags
+ // will still be installable using that new name without requiring re-tagging
 $dataPackageName = isset($data['name']) ? $data['name'] : null;
 $data['name'] = $this->packageName ?: $dataPackageName;
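Review bot: The tag loop now computes the effective package name with a different fallback (`''`) from the copy in `preProcess()` further down, which falls back to `null`; two hand-written copies of `$this->packageName ?: <name from composer.json>` will drift, so a small private helper, e.g. `resolvePackageName(array $data)`, returning the same value for both callers would keep the tag check and the stored package in agreement. Because `?:` tests truthiness, a configured `packageName` now silently wins over whatever `name` a tag's composer.json declares; a verbose-level notice when the two differ would make a mistyped repository `name` or a renamed tag visible instead of quietly shadowed. Whether `findPackage()` behaves sensibly for an empty-string name is not visible here and is worth confirming. The enclosing method begins and ends outside the hunk.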