From 80907cd75d039509c5edfbe8ef6a05f4de7a3d98 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 13 Oct 2022 14:07:06 +0200
Subject: [PATCH 1/5] Ensure files are readable before reading in JsonFile, fixes #11077
---
 src/Composer/Json/JsonFile.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Composer/Json/JsonFile.php b/src/Composer/Json/JsonFile.php
index e850f5ec8..206ee662e 100644
--- a/src/Composer/Json/JsonFile.php
+++ b/src/Composer/Json/JsonFile.php
@@ -93,6 +93,9 @@ class JsonFile
 if ($this->httpDownloader) {
 $json = $this->httpDownloader->get($this->path)->getBody();
 } else {
+ if (!is_readable($this->path)) {
+ throw new \RuntimeException('The file "'.$this->path.'" is not readable.');
+ }
 if ($this->io && $this->io->isDebug()) {
 $realpathInfo = '';
 $realpath = realpath($this->path);
@@ -190,6 +193,9 @@ class JsonFile
 */
 public function validateSchema(int $schema = self::STRICT_SCHEMA, ?string $schemaFile = null): bool
 {
+ if (!is_readable($this->path)) {
+ throw new \RuntimeException('The file "'.$this->path.'" is not readable.');
+ }
 $content = file_get_contents($this->path);
 $data = json_decode($content);
From 7e679f3da35956fd71e79895f4dd772aa10e9388 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 13 Oct 2022 16:17:30 +0200
Subject: [PATCH 2/5] Update phpstan
---
 composer.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/composer.lock b/composer.lock
index 9e1be235c..759c17594 100644
--- a/composer.lock
+++ b/composer.lock
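Review bot: `is_readable()` returns true for a readable directory, so the guard added in both hunks still lets a directory path through to `file_get_contents()`, which then fails with a warning and returns `false`; unless an earlier check in the enclosing method (presumably `read()`, whose body starts outside the hunk) already rules that out, `if (!is_file($this->path) || !is_readable($this->path)) {` is the tighter condition. The check is also not atomic with the read that follows, so in the `validateSchema` hunk the result of `$content = file_get_contents($this->path);` should still be tested for `=== false` before it reaches `json_decode()`. The same condition and message are now duplicated in both hunks; a small private helper would keep the two in step. Note that `validateSchema` applies the guard regardless of `$this->httpDownloader`, whereas the first hunk applies it only in the local-file branch — if a JsonFile can carry a remote path there, `is_readable()` would now reject it, which is worth confirming.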
@@ -1959,16 +1959,16 @@
 "packages-dev": [
 {
 "name": "phpstan/phpstan",
- "version": "1.8.8",
+ "version": "1.8.9",
 "source": {
 "type": "git",
 "url": "https://github.com/phpstan/phpstan.git",
- "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07"
+ "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/phpstan/phpstan/zipball/08310ce271984587e2a4cda94e1ac66510a6ea07",
- "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07",
+ "url": "https://api.github.com/repos/phpstan/phpstan/zipball/3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2",
+ "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2",
 "shasum": ""
 },
 "require": {
@@ -1998,7 +1998,7 @@
 ],
 "support": {
 "issues": "https://github.com/phpstan/phpstan/issues",
- "source": "https://github.com/phpstan/phpstan/tree/1.8.8"
+ "source": "https://github.com/phpstan/phpstan/tree/1.8.9"
 },
 "funding": [
 {
@@ -2014,7 +2014,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2022-10-06T12:51:57+00:00"
+ "time": "2022-10-13T13:40:18+00:00"
 },
 {
 "name": "phpstan/phpstan-deprecation-rules",
From acddc1f5e4fa394bcea7dacba3b9200e6cb6a823 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 13 Oct 2022 16:29:08 +0200
Subject: [PATCH 3/5] Fix require failing to do a dry-run when requiring a package with a stability flag, fixes #11112
---
 src/Composer/Command/RequireCommand.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/Composer/Command/RequireCommand.php b/src/Composer/Command/RequireCommand.php
index 6ce7a0c69..241654f8e 100644
--- a/src/Composer/Command/RequireCommand.php
+++ b/src/Composer/Command/RequireCommand.php
@@ -14,6 +14,7 @@ namespace Composer\Command;
 use Composer\DependencyResolver\Request;
 use Composer\Package\CompletePackageInterface;
+use Composer\Package\Loader\RootPackageLoader;
 use Composer\Util\Filesystem;
 use Composer\Util\PackageSorter;
 use Seld\Signal\SignalHandler;
@@ -410,6 +411,15 @@ EOT
 }
 $rootPackage->setRequires($links['require']);
 $rootPackage->setDevRequires($links['require-dev']);
+
+ // extract stability flags & references as they weren't present when loading the unmodified composer.json
+ $references = $rootPackage->getReferences();
+ $references = RootPackageLoader::extractReferences($requirements, $references);
+ $rootPackage->setReferences($references);
+ $stabilityFlags = $rootPackage->getStabilityFlags();
+ $stabilityFlags = RootPackageLoader::extractStabilityFlags($requirements, $rootPackage->getMinimumStability(), $stabilityFlags);
+ $rootPackage->setStabilityFlags($stabilityFlags);
+ unset($stabilityFlags, $references);
 }
 $updateDevMode = !$input->getOption('update-no-dev');
From bc93f734bc0b417d132d8d0d6a24cd3cd58264aa Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 13 Oct 2022 16:40:38 +0200
Subject: [PATCH 4/5] Add an error msg to clearly explain that plugins are disabled when running as root non-interactively, fixes #11093
---
 src/Composer/Console/Application.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Composer/Console/Application.php b/src/Composer/Console/Application.php
index 2a080067e..635fb04d3 100644
--- a/src/Composer/Console/Application.php
+++ b/src/Composer/Console/Application.php
@@ -286,6 +286,7 @@ class Application extends BaseApplication
 }
 if ($isNonAllowedRoot && !$io->isInteractive()) {
+ $io->writeError('Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/super user.');
 $this->disablePluginsByDefault = true;
 }
From 4faa8c03ce5a9f8482d352d90be4383bc21da5c3 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 13 Oct 2022 16:53:33 +0200
Subject: [PATCH 5/5] Update docs about root usage, refs #11093
---
 ...ow-to-install-untrusted-packages-safely.md | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
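Review bot: The new block reads, recomputes and writes back each value through a temporary and then `unset()`s the temporaries, which is more ceremony than two updates need; `$rootPackage->setReferences(RootPackageLoader::extractReferences($requirements, $rootPackage->getReferences()));` and the matching `$rootPackage->setStabilityFlags(RootPackageLoader::extractStabilityFlags($requirements, $rootPackage->getMinimumStability(), $rootPackage->getStabilityFlags()));` say the same thing without the locals or the `unset`. The comment would be easier to trace if it named the issue the commit fixes, e.g. appending `// see #11112`. The block sits inside a conditional whose opening, like the enclosing method, lies outside the hunk, so it cannot be seen here whether `$requirements` covers both the `require` and `require-dev` entries that the two `set*Requires` calls above it handle; if it holds only one set, flags for the other would still be missing — worth a check.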
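Review bot: The added message is written as plain text, while Composer's other root-related warnings are, to my recollection, wrapped in `<warning>` tags; if that holds for this method (its surrounding lines are outside the hunk), `$io->writeError('<warning>Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/super user.</warning>');` keeps it consistent and visible among other stderr output. The line is also far beyond the usual 120-column limit and could be split across two concatenated string literals. If `$isNonAllowedRoot` (computed outside the hunk) can still be true when the user explicitly passed `--no-plugins`, the "disabled for safety" wording would be misleading in that case — worth confirming.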
diff --git a/doc/faqs/how-to-install-untrusted-packages-safely.md b/doc/faqs/how-to-install-untrusted-packages-safely.md index b59fb2c38..d39b16f25 100644 --- a/doc/faqs/how-to-install-untrusted-packages-safely.md +++ b/doc/faqs/how-to-install-untrusted-packages-safely.md @@ -1,5 +1,21 @@ # How do I install untrusted packages safely? Is it safe to run Composer as superuser or root? +## Why am I seeing a "Do not run Composer as root/super user" warning/error? + +It was always discouraged to run Composer as root for the reasons detailed below. + +As of Composer 2.4.2, plugins are disabled automatically when running as root and +there is no sign that the user is consciously doing this. There are two ways this user consent +can be given: + +- If you run interactively, Composer will prompt if you are sure that you want to continue + running as root. If non-interactive plugins will be disabled, unless.. +- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment + variable to `1`, this also indicates that you intended to run Composer as root and are accepting + the risks of doing so. + +## Is it safe to run Composer as superuser or root? + Certain Composer commands, including `exec`, `install`, and `update` allow third party code to execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have full access to the user account which runs Composer. For this reason, it is strongly advised to @@ -21,5 +37,5 @@ to install untrusted dependencies you should sandbox them completely in a contai Also note that the `exec` command will always run third party code as the user which runs `composer`. -See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) -for more info on how to disable warning +See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for +more info on how to disable the warnings.