diff --git a/composer.lock b/composer.lock index de138e971..0e88b76cd 100644 --- a/composer.lock +++ b/composer.lock @@ -1959,16 +1959,16 @@ "packages-dev": [ { "name": "phpstan/phpstan", - "version": "1.8.8", + "version": "1.8.9", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07" + "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/08310ce271984587e2a4cda94e1ac66510a6ea07", - "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2", + "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2", "shasum": "" }, "require": { @@ -1998,7 +1998,7 @@ ], "support": { "issues": "https://github.com/phpstan/phpstan/issues", - "source": "https://github.com/phpstan/phpstan/tree/1.8.8" + "source": "https://github.com/phpstan/phpstan/tree/1.8.9" }, "funding": [ { @@ -2014,7 +2014,7 @@ "type": "tidelift" } ], - "time": "2022-10-06T12:51:57+00:00" + "time": "2022-10-13T13:40:18+00:00" }, { "name": "phpstan/phpstan-deprecation-rules", diff --git a/doc/faqs/how-to-install-untrusted-packages-safely.md b/doc/faqs/how-to-install-untrusted-packages-safely.md index b59fb2c38..d39b16f25 100644 --- a/doc/faqs/how-to-install-untrusted-packages-safely.md +++ b/doc/faqs/how-to-install-untrusted-packages-safely.md 
@@ -1,5 +1,21 @@ # How do I install untrusted packages safely? Is it safe to run Composer as superuser or root? +## Why am I seeing a "Do not run Composer as root/super user" warning/error? + +It was always discouraged to run Composer as root for the reasons detailed below. + +As of Composer 2.4.2, plugins are disabled automatically when running as root and +there is no sign that the user is consciously doing this. There are two ways this user consent +can be given: + +- If you run interactively, Composer will prompt if you are sure that you want to continue + running as root. If non-interactive plugins will be disabled, unless.. +- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment + variable to `1`, this also indicates that you intended to run Composer as root and are accepting + the risks of doing so. + +## Is it safe to run Composer as superuser or root? + Certain Composer commands, including `exec`, `install`, and `update` allow third party code to execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have full access to the user account which runs Composer. For this reason, it is strongly advised to @@ -21,5 +37,5 @@ to install untrusted dependencies you should sandbox them completely in a contai Also note that the `exec` command will always run third party code as the user which runs `composer`. -See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) -for more info on how to disable warning +See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for +more info on how to disable the warnings. diff --git a/src/Composer/Command/RequireCommand.php b/src/Composer/Command/RequireCommand.php index 6ce7a0c69..241654f8e 100644 --- a/src/Composer/Command/RequireCommand.php +++ b/src/Composer/Command/RequireCommand.php 
@@ -14,6 +14,7 @@ namespace Composer\Command; use Composer\DependencyResolver\Request; use Composer\Package\CompletePackageInterface; +use Composer\Package\Loader\RootPackageLoader; use Composer\Util\Filesystem; use Composer\Util\PackageSorter; use Seld\Signal\SignalHandler; @@ -410,6 +411,15 @@ EOT } $rootPackage->setRequires($links['require']); $rootPackage->setDevRequires($links['require-dev']); + + // extract stability flags & references as they weren't present when loading the unmodified composer.json + $references = $rootPackage->getReferences(); + $references = RootPackageLoader::extractReferences($requirements, $references); + $rootPackage->setReferences($references); + $stabilityFlags = $rootPackage->getStabilityFlags(); + $stabilityFlags = RootPackageLoader::extractStabilityFlags($requirements, $rootPackage->getMinimumStability(), $stabilityFlags); + $rootPackage->setStabilityFlags($stabilityFlags); + unset($stabilityFlags, $references); } $updateDevMode = !$input->getOption('update-no-dev'); diff --git a/src/Composer/Console/Application.php b/src/Composer/Console/Application.php index 663e5287e..4cd51dc4b 100644 --- a/src/Composer/Console/Application.php +++ b/src/Composer/Console/Application.php @@ -288,6 +288,7 @@ class Application extends BaseApplication } if ($isNonAllowedRoot && !$io->isInteractive()) { + $io->writeError('Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/super user.'); $this->disablePluginsByDefault = true; } diff --git a/src/Composer/Json/JsonFile.php b/src/Composer/Json/JsonFile.php index e850f5ec8..206ee662e 100644 --- a/src/Composer/Json/JsonFile.php +++ b/src/Composer/Json/JsonFile.php 
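Review bot: The getter → extract → setter round-trip under the `// extract stability flags & references` comment goes through two temporaries that exist only to be `unset` on the last line; each can be one call, `$rootPackage->setReferences(RootPackageLoader::extractReferences($requirements, $rootPackage->getReferences()));` and `$rootPackage->setStabilityFlags(RootPackageLoader::extractStabilityFlags($requirements, $rootPackage->getMinimumStability(), $rootPackage->getStabilityFlags()));`, and the `unset` line goes away. Whether `$requirements` holds only the packages named on the command line or the merged require set is not visible here, and that decides whether flags already in composer.json are re-derived or merely carried through the third argument; the comment would be clearer if it said which. The enclosing `if` block and the method itself start outside the hunk.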
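Review bot: The added `writeError` call prints the plugin-disabled notice as plain text, so it renders like ordinary output rather than a highlighted warning; if the other root-related messages in this file use the `<warning>` tag, wrap this one the same way: `$io->writeError('<warning>Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/super user.</warning>');`. The literal is also well past the usual line length on one line; splitting it into two concatenated string pieces keeps the line readable without changing the output. The enclosing method starts and ends outside the hunk.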
@@ -93,6 +93,9 @@ class JsonFile if ($this->httpDownloader) { $json = $this->httpDownloader->get($this->path)->getBody(); } else { + if (!is_readable($this->path)) { + throw new \RuntimeException('The file "'.$this->path.'" is not readable.'); + } if ($this->io && $this->io->isDebug()) { $realpathInfo = ''; $realpath = realpath($this->path); @@ -190,6 +193,9 @@ class JsonFile */ public function validateSchema(int $schema = self::STRICT_SCHEMA, ?string $schemaFile = null): bool { + if (!is_readable($this->path)) { + throw new \RuntimeException('The file "'.$this->path.'" is not readable.'); + } $content = file_get_contents($this->path); $data = json_decode($content);
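Review bot: The `is_readable` guard added at the top of `validateSchema` does not make the `file_get_contents` on the following line infallible — a directory path passes `is_readable`, and the file can change between the check and the read — so the read result still needs a `false` check before it reaches `json_decode`: `if (false === $content) { throw new \RuntimeException('The file "'.$this->path.'" could not be read.'); }`. The same three-line guard is added verbatim in the `else` branch of the first hunk (the read it protects lies outside that hunk); a private helper such as `assertReadable(): void` holding the check and message once would keep the two copies from drifting apart. Both enclosing methods start and end outside their hunks.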