Security Issues When Using Composer Install in a Production Environment

I am trying to develop a deployment process for an enterprise application. I have heard conflicting opinions about whether Composer can be used in a production environment.

I understand that running composer update would be a mistake, since you could pull in unverified versions. Instead, only composer install is recommended in production.

So my main concern is security. How easy would a man-in-the-middle attack be? Is it possible that, if Packagist is hacked, we end up with hacked code?

I don't want a manual process where every time I deploy I have to transfer the vendor files by hand. Jenkins will transfer the source files to production. I do not want to put the vendor folder under version control, if at all possible.

  • If I use composer install, should I be concerned about security?
  • If I do not use Composer in production, how do you suggest I deploy the vendor files?
2 answers

Yes, you should be worried and try to understand which data transfers are involved.

The current Composer implementation does use checksums internally, but there is no signing of packages, so anything downloaded during composer install can potentially be any software: depending on which servers host either the software repository, the TGZ/ZIP archives, or the metadata being queried, each of them is a valid target that could be modified to influence what you install.

Please note that this is not only about security. If you rely on software packages that you install during your production deployment, there is a real chance that one of those servers is down at that moment. How do you protect your deployment from any outage of a third-party software server? The answer to this question is quite simple: host the software locally.

And this answer also affects the security issue: if you host the software packages locally, you can also audit those versions before making them available internally. Depending on the level of security you need, you either audit every version yourself, or limit the available versions to the few you can audit, or you create a more lenient way of asserting that the software you get is pulled from the original Git repository and build a ZIP version of it locally (ZIP downloads are more convenient if you are not going to develop the packages, IMO).

There are only two software products that can help here: Toran Proxy is a commercial product from Jordi Boggiano (one of Composer's core developers), which should also help fund Composer's development and infrastructure. The other is Satis, which also allows you to create local copies of the packages you use.

Disclaimer: My answer probably does not go into the finer details and may render some of them too briefly or possibly incorrectly. It is not intended to address all security issues, but to provide a broad overview. Security checks and software package authentication have been discussed for quite some time (see https://github.com/composer/composer/issues/38 ), but without any result so far.

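As an added example (not code from the question or from either answer), here is a small Python audit of a composer.lock that applies the two points of the answer above before composer install runs in production: every package's dist must come from an approved internal mirror (assumed here to be the hypothetical host packages.example.internal, standing in for a Satis or Toran Proxy instance you have audited), the lock must record a commit reference and a shasum for it, and the downloaded archive is compared against that shasum. The lock file and archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hypothetical internal mirror (Satis / Toran Proxy) whose packages have been audited.
ALLOWED_DIST_HOSTS = {"packages.example.internal"}

# Constructed stand-in for a dist archive and the SHA-1 Composer would record for it.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed fake zip bytes for the example"
SAMPLE_SHASUM = hashlib.sha1(SAMPLE_ARCHIVE).hexdigest()

# Constructed, abbreviated composer.lock with one acceptable and two problematic packages.
SAMPLE_LOCK = json.dumps({
    "content-hash": "0123456789abcdef0123456789abcdef",
    "packages": [
        {   # acceptable: tagged version, dist from the internal mirror, shasum recorded
            "name": "vendor/pinned-lib",
            "version": "1.4.2",
            "source": {"type": "git",
                       "url": "https://git.example.internal/vendor/pinned-lib.git",
                       "reference": "a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6f7a8b9c0"},
            "dist": {"type": "zip",
                     "url": "https://packages.example.internal/dists/vendor/pinned-lib/1.4.2.zip",
                     "reference": "a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6f7a8b9c0",
                     "shasum": SAMPLE_SHASUM},
        },
        {   # problematic: dist fetched from a public host, and no shasum to check it against
            "name": "vendor/public-lib",
            "version": "2.0.0",
            "source": {"type": "git",
                       "url": "https://github.com/vendor/public-lib.git",
                       "reference": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/vendor/public-lib/zipball/0f1e2d3c",
                     "reference": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c",
                     "shasum": ""},
        },
        {   # problematic: branch version, so the lock does not pin an immutable release
            "name": "vendor/branch-lib",
            "version": "dev-master",
            "source": {"type": "git",
                       "url": "https://git.example.internal/vendor/branch-lib.git",
                       "reference": "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b"},
            "dist": {"type": "zip",
                     "url": "https://packages.example.internal/dists/vendor/branch-lib/dev-master.zip",
                     "reference": "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b",
                     "shasum": SAMPLE_SHASUM},
        },
    ],
    "packages-dev": [],
})


def is_branch_version(version):
    """Composer writes branch installs as 'dev-<branch>' or '<x.y>.x-dev'."""
    return version.startswith("dev-") or version.endswith("-dev")


def audit_lock(lock_text, allowed_hosts=ALLOWED_DIST_HOSTS, include_dev=False):
    """Return (package, problem) pairs for anything composer install would fetch
    from an unapproved host or could not verify; an empty list passes the audit."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings = []
    for section in sections:
        for pkg in lock.get(section, []):
            name = pkg.get("name", "<unnamed>")
            version = pkg.get("version", "")
            dist = pkg.get("dist") or {}
            if is_branch_version(version):
                findings.append((name, "version %r is a branch, not a pinned release" % version))
            if not dist:
                findings.append((name, "no dist entry; install would fall back to a VCS checkout"))
                continue
            host = urlparse(dist.get("url", "")).hostname or ""
            if host not in allowed_hosts:
                findings.append((name, "dist host %r is not an approved mirror" % host))
            if not dist.get("reference"):
                findings.append((name, "dist has no commit reference"))
            if not dist.get("shasum"):
                findings.append((name, "dist has no shasum, so the archive cannot be checked"))
    return findings


def verify_dist(archive_bytes, expected_shasum):
    """Composer's dist shasum is the SHA-1 of the archive file; compare in constant time.
    An empty shasum (the public-lib case above) can never verify."""
    if not expected_shasum:
        return False
    actual = hashlib.sha1(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_shasum.lower())


if __name__ == "__main__":
    for name, problem in audit_lock(SAMPLE_LOCK):
        print("%-20s %s" % (name, problem))
    print("archive matches lock:", verify_dist(SAMPLE_ARCHIVE, SAMPLE_SHASUM))
```

Run against the real composer.lock in the Jenkins job and fail the build on any finding; the host check is what enforces "host the software locally", and the shasum check is only meaningful once the mirror records one for every dist, which a public Packagist dist pointing at a GitHub zipball typically does not.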

To prevent directory listings (for security reasons, for example), you must remove the Indexes keyword from each Options directive in your configuration file.

On your Apache server you can use the following; add this to your .htaccess file:

    <Directory />
        # Dropping Indexes makes Apache answer 403 instead of listing the directory
        # (a <Directory> block is only valid in the main server config; inside .htaccess
        # the Options line is used on its own)
        Options -Indexes
    </Directory>

Source: https://habr.com/ru/post/976392/
