From 03fbcdbf0722149d0ccba68474d2c0838ccd1c8d Mon Sep 17 00:00:00 2001
From: Chris Reed <55092742+cjreed121@users.noreply.github.com>
Date: Fri, 10 Jun 2022 15:56:11 -0400
Subject: [PATCH 1/3] Fix exported path with space in binary installer proxy (#10836)
---
 src/Composer/Installer/BinaryInstaller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Composer/Installer/BinaryInstaller.php b/src/Composer/Installer/BinaryInstaller.php
index a96bfce0a..46c2f83dd 100644
--- a/src/Composer/Installer/BinaryInstaller.php
+++ b/src/Composer/Installer/BinaryInstaller.php
@@ -437,7 +437,7 @@ if [ -d /proc/cygdrive ]; then
 esac
 fi
-export COMPOSER_RUNTIME_BIN_DIR=\$(cd "\${self%[/\\\\]*}" > /dev/null; pwd)
+export COMPOSER_RUNTIME_BIN_DIR="\$(cd "\${self%[/\\\\]*}" > /dev/null; pwd)"
 # If bash is sourcing this file, we have to source the target as well
 bashSource="\$BASH_SOURCE"
From 14476ec2a633739fa192d16861a4847c153ccf55 Mon Sep 17 00:00:00 2001
From: naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Fri, 10 Jun 2022 00:30:11 +0000
Subject: [PATCH 2/3] chore: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
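Review bot: On the added `export` line, `cd` and `pwd` are still joined by `;`, so if `cd` fails (directory unreadable or removed between install and invocation) `pwd` runs anyway and the proxy exports the caller's current directory as `COMPOSER_RUNTIME_BIN_DIR`, a plausible-looking but wrong path that is hard to notice downstream. Joining them with `&&` leaves the variable empty on failure instead: `export COMPOSER_RUNTIME_BIN_DIR="\$(cd "\${self%[/\\\\]*}" > /dev/null && pwd)"`. The `> /dev/null` only discards `cd`'s stdout (presumably the directory echo that `CDPATH` triggers), so an error message still reaches stderr either way. The surrounding proxy template continues outside the hunk.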
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/continuous-integration.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/phpstan.yml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 76da0e4fe..d5258667a 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -12,6 +12,9 @@ env:
 COMPOSER_FLAGS: "--ansi --no-interaction --no-progress --prefer-dist"
 COMPOSER_UPDATE_FLAGS: ""
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: "CI"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3058417b3..23c84d71d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ on:
 paths-ignore:
 - 'doc/**'
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: "Lint"
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
index 849c2cb1f..c05edab82 100644
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -12,6 +12,9 @@ env:
 COMPOSER_FLAGS: "--ansi --no-interaction --no-progress --prefer-dist"
 SYMFONY_PHPUNIT_VERSION: ""
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: "PHPStan"
From 5c68c2c86d837682e29562ea5a87871b67a57b85 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Wed, 22 Jun 2022 08:50:55 +0200
Subject: [PATCH 3/3] Fix case where branches cannot be listed in GitDownloader, fixes #10888
---
 src/Composer/Downloader/GitDownloader.php | 4 ++--
 src/Composer/Util/AuthHelper.php | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/Composer/Downloader/GitDownloader.php b/src/Composer/Downloader/GitDownloader.php
index 33ff7922a..2866ae59d 100644
--- a/src/Composer/Downloader/GitDownloader.php
+++ b/src/Composer/Downloader/GitDownloader.php
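Review bot: The workflow-level `permissions: contents: read` added above `jobs:` in continuous-integration.yml applies to every job in the file, so any step in the `jobs:` section (outside this hunk) that writes back to GitHub — check annotations, pull-request comments, release uploads — would now need a job-level `permissions:` override or it will presumably be refused at runtime; the jobs themselves are not visible here, so each file should be checked for such steps before merging. The same applies to the lint.yml and phpstan.yml hunks. A one-line comment would make the intent survive future edits, e.g. `# least privilege: these jobs only read the repository; widen per job if a step must write`.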
@@ -458,7 +458,7 @@ class GitDownloader extends VcsDownloader implements DvcsDownloaderInterface
 // check whether non-commitish are branches or tags, and fetch branches with the remote name
 $gitRef = $reference;
 if (!Preg::isMatch('{^[a-f0-9]{40}$}', $reference)
- && $branches
+ && null !== $branches
 && Preg::isMatch('{^\s+composer/'.preg_quote($reference).'$}m', $branches)
 ) {
 $command = sprintf('git checkout '.$force.'-B %s %s -- && git reset --hard %2$s --', ProcessExecutor::escape($branch), ProcessExecutor::escape('composer/'.$reference));
@@ -470,7 +470,7 @@ class GitDownloader extends VcsDownloader implements DvcsDownloaderInterface
 // try to checkout branch by name and then reset it so it's on the proper branch name
 if (Preg::isMatch('{^[a-f0-9]{40}$}', $reference)) {
 // add 'v' in front of the branch if it was stripped when generating the pretty name
- if (!Preg::isMatch('{^\s+composer/'.preg_quote($branch).'$}m', $branches) && Preg::isMatch('{^\s+composer/v'.preg_quote($branch).'$}m', $branches)) {
+ if (null !== $branches && !Preg::isMatch('{^\s+composer/'.preg_quote($branch).'$}m', $branches) && Preg::isMatch('{^\s+composer/v'.preg_quote($branch).'$}m', $branches)) {
 $branch = 'v' . $branch;
 }
diff --git a/src/Composer/Util/AuthHelper.php b/src/Composer/Util/AuthHelper.php
index 305746f17..71019803c 100644
--- a/src/Composer/Util/AuthHelper.php
+++ b/src/Composer/Util/AuthHelper.php
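Review bot: The `null !== $branches` test in the first hunk no longer short-circuits on an empty listing (`''`), which the old truthiness check did; this is harmless because `Preg::isMatch` against an empty subject simply returns false, but nothing in either hunk says why `$branches` can be null, and the next reader will have to rediscover that it comes from a failed branch listing (per the commit title). A comment above the `if` in both hunks would settle it, e.g. `// $branches is null when the remote branches could not be listed; an empty listing is '' and falls through to the regex checks`. Both hunks sit inside a method whose start and end are outside the hunk, so where `$branches` is assigned cannot be confirmed from here.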
@@ -192,9 +192,9 @@ class AuthHelper
 // fail if the console is not interactive
 if (!$this->io->isInteractive()) {
 if ($statusCode === 401) {
- $message = "The '" . $url . "' URL required authentication.\nYou must be using the interactive console to authenticate";
+ $message = "The '" . $url . "' URL required authentication (HTTP 401).\nYou must be using the interactive console to authenticate";
 } elseif ($statusCode === 403) {
- $message = "The '" . $url . "' URL could not be accessed: " . $reason;
+ $message = "The '" . $url . "' URL could not be accessed (HTTP 403): " . $reason;
 } else {
 $message = "Unknown error code '" . $statusCode . "', reason: " . $reason;
 }
@@ -210,7 +210,7 @@ class AuthHelper
 return array('retry' => true, 'storeAuth' => false);
 }
- throw new TransportException("Invalid credentials for '" . $url . "', aborting.", $statusCode);
+ throw new TransportException("Invalid credentials (HTTP $statusCode) for '$url', aborting.", $statusCode);
 }
 $this->io->writeError(' Authentication required ('.$origin.'):');
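Review bot: All three rewritten messages, and the new `TransportException` in the second hunk, interpolate `$url` into text that ends up in console output and exception traces; if that URL can still carry userinfo (`https://user:token@host/...`) at this point, the secret would be printed on every authentication failure, so it is worth confirming that the caller strips credentials before this method, or logging only the host here. As a point of style, the new throw line switches to `"... (HTTP $statusCode) for '$url' ..."` interpolation while the two `$message` lines in the first hunk keep `. $url .` concatenation; one form within the method would read better, e.g. `$message = "The '{$url}' URL required authentication (HTTP 401).\nYou must be using the interactive console to authenticate";`. The enclosing method begins and ends outside these hunks.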