Merge pull request from GHSA-7c6p-848j-wh5h

Seldaek · web-flow · commit 77e3982918bc · 2024-02-08T14:33:59.000+01:00
* Fix automatic disabling of plugins when running non-interactive as root * Fix usage of possibly compromised installed.php/InstalledVersions.php at runtime, refs GHSA-7c6p-848j-wh5h * Fix InstalledVersionsTest regression
diff --git a/src/Composer/Command/BaseCommand.php b/src/Composer/Command/BaseCommand.php
@@ -142,6 +142,15 @@ protected function initialize(InputInterface $input, OutputInterface $output)
         // initialize a plugin-enabled Composer instance, either local or global
         $disablePlugins = $input->hasParameterOption('--no-plugins');
         $disableScripts = $input->hasParameterOption('--no-scripts');
+
+        $application = parent::getApplication();
+        if ($application instanceof Application && $application->getDisablePluginsByDefault()) {
+            $disablePlugins = true;
+        }
+        if ($application instanceof Application && $application->getDisableScriptsByDefault()) {
+            $disableScripts = true;
+        }
+
         if ($this instanceof SelfUpdateCommand) {
             $disablePlugins = true;
             $disableScripts = true;
diff --git a/src/Composer/Console/Application.php b/src/Composer/Console/Application.php
@@ -609,6 +609,22 @@ public function getInitialWorkingDirectory()
         return $this->initialWorkingDirectory;
     }
 
+    /**
+     * @return bool
+     */
+    public function getDisablePluginsByDefault()
+    {
+        return $this->disablePluginsByDefault;
+    }
+
+    /**
+     * @return bool
+     */
+    public function getDisableScriptsByDefault()
+    {
+        return $this->disableScriptsByDefault;
+    }
+
     /**
      * @return 'prompt'|bool
      */
diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php
@@ -18,6 +18,7 @@
 use Composer\Package\Archiver;
 use Composer\Package\Version\VersionGuesser;
 use Composer\Package\RootPackageInterface;
+use Composer\Repository\FilesystemRepository;
 use Composer\Repository\RepositoryManager;
 use Composer\Repository\RepositoryFactory;
 use Composer\Util\Filesystem;
@@ -375,9 +376,14 @@ public function createComposer(IOInterface $io, $localConfig = null, $disablePlu
             // load auth configs into the IO instance
             $io->loadConfiguration($config);
 
-            // load existing Composer\InstalledVersions instance if available
-            if (!class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) {
-                include $installedVersionsPath;
+            // load existing Composer\InstalledVersions instance if available and scripts/plugins are allowed, as they might need it
+            // we only load if the InstalledVersions class wasn't defined yet so that this is only loaded once
+            if (false === $disablePlugins && false === $disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/installed.php')) {
+                // force loading the class at this point so it is loaded from the composer phar and not from the vendor dir
+                // as we cannot guarantee integrity of that file
+                if (class_exists('Composer\InstalledVersions')) {
+                    FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath);
+                }
             }
         }
 
diff --git a/src/Composer/Repository/FilesystemRepository.php b/src/Composer/Repository/FilesystemRepository.php
@@ -18,6 +18,7 @@
 use Composer\Package\AliasPackage;
 use Composer\Package\Dumper\ArrayDumper;
 use Composer\Installer\InstallationManager;
+use Composer\Pcre\Preg;
 use Composer\Util\Filesystem;
 
 /**
@@ -167,6 +168,36 @@ public function write($devMode, InstallationManager $installationManager)
         }
     }
 
+    /**
+     * As we load the file from vendor dir during bootstrap, we need to make sure it contains only expected code before executing it
+     *
+     * @internal
+     * @param string $path
+     * @return bool
+     */
+    public static function safelyLoadInstalledVersions($path)
+    {
+        $installedVersionsData = @file_get_contents($path);
+        $pattern = <<<'REGEX'
+{(?(DEFINE)
+   (?<number>  -? \s*+ \d++ (?:\.\d++)? )
+   (?<boolean> true | false | null )
+   (?<strings> (?&string) (?: \s*+ \. \s*+ (?&string))*+ )
+   (?<string>  (?: " (?:[^"\\$]*+ | \\ ["\\0] )* " | ' (?:[^'\\]*+ | \\ ['\\] )* ' ) )
+   (?<array>   array\( \s*+ (?: (?:(?&number)|(?&strings)) \s*+ => \s*+ (?: (?:__DIR__ \s*+ \. \s*+)? (?&strings) | (?&value) ) \s*+, \s*+ )*+  \s*+ \) )
+   (?<value>   (?: (?&number) | (?&boolean) | (?&strings) | (?&array) ) )
+)
+^<\?php\s++return\s++(?&array)\s*+;$}ix
+REGEX;
+        if (is_string($installedVersionsData) && Preg::isMatch($pattern, trim($installedVersionsData))) {
+            \Composer\InstalledVersions::reload(eval('?>'.Preg::replace('{=>\s*+__DIR__\s*+\.\s*+([\'"])}', '=> '.var_export(dirname($path), true).' . $1', $installedVersionsData)));
+
+            return true;
+        }
+
+        return false;
+    }
+
     /**
      * @param array<mixed> $array
      * @param int $level
@@ -180,7 +211,7 @@ private function dumpToPhpCode(array $array = array(), $level = 0)
 
         foreach ($array as $key => $value) {
             $lines .= str_repeat('    ', $level);
-            $lines .= is_int($key) ? $key . ' => ' : '\'' . $key . '\' => ';
+            $lines .= is_int($key) ? $key . ' => ' : var_export($key, true) . ' => ';
 
             if (is_array($value)) {
                 if (!empty($value)) {
@@ -194,8 +225,14 @@ private function dumpToPhpCode(array $array = array(), $level = 0)
                 } else {
                     $lines .= "__DIR__ . " . var_export('/' . $value, true) . ",\n";
                 }
-            } else {
+            } elseif (is_string($value)) {
                 $lines .= var_export($value, true) . ",\n";
+            } elseif (is_bool($value)) {
+                $lines .= ($value ? 'true' : 'false') . ",\n";
+            } elseif (is_null($value)) {
+                $lines .= "null,\n";
+            } else {
+                throw new \UnexpectedValueException('Unexpected type '.gettype($value));
             }
         }
 
diff --git a/tests/Composer/Test/InstalledVersionsTest.php b/tests/Composer/Test/InstalledVersionsTest.php
@@ -49,7 +49,7 @@ public function setUp()
         $this->root = $this->getUniqueTmpDirectory();
 
         $dir = $this->root;
-        InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed.php');
+        InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed_relative.php');
     }
 
     public function testGetInstalledPackages()
@@ -234,7 +234,7 @@ public function testGetRootPackage()
     public function testGetRawData()
     {
         $dir = $this->root;
-        $this->assertSame(require __DIR__.'/Repository/Fixtures/installed.php', InstalledVersions::getRawData());
+        $this->assertSame(require __DIR__.'/Repository/Fixtures/installed_relative.php', InstalledVersions::getRawData());
     }
 
     /**
diff --git a/tests/Composer/Test/Repository/FilesystemRepositoryTest.php b/tests/Composer/Test/Repository/FilesystemRepositoryTest.php
@@ -160,6 +160,7 @@ public function testRepositoryWritesInstalledPhp()
         $repository->addPackage($pkg);
 
         $pkg = $this->getPackage('c/c', '3.0');
+        $pkg->setDistReference('{${passthru(\'bash -i\')}} Foo\\Bar' . "\n\ttab\vverticaltab\0");
         $repository->addPackage($pkg);
 
         $pkg = $this->getPackage('meta/package', '3.0');
@@ -179,7 +180,11 @@ public function testRepositoryWritesInstalledPhp()
 
                 if ($package->getName() === 'c/c') {
                     // check for absolute paths
-                    return '/foo/bar/vendor/c/c';
+                    return '/foo/bar/ven\do{}r/c/c${}';
+                }
+
+                if ($package->getName() === 'a/provider') {
+                    return 'vendor/{${passthru(\'bash -i\')}}';
                 }
 
                 // check for cwd
@@ -192,7 +197,41 @@ public function testRepositoryWritesInstalledPhp()
             }));
 
         $repository->write(true, $im);
-        $this->assertSame(require __DIR__.'/Fixtures/installed.php', require $dir.'/installed.php');
+        $this->assertSame(file_get_contents(__DIR__.'/Fixtures/installed.php'), file_get_contents($dir.'/installed.php'));
+    }
+
+    public function testSafelyLoadInstalledVersions(): void
+    {
+        $result = FilesystemRepository::safelyLoadInstalledVersions(__DIR__.'/Fixtures/installed_complex.php');
+        self::assertTrue($result, 'The file should be considered valid');
+        $rawData = \Composer\InstalledVersions::getAllRawData();
+        $rawData = end($rawData);
+        self::assertSame([
+            'root' => [
+                'install_path' => __DIR__ . '/Fixtures/./',
+                'aliases' => [
+                    0 => '1.10.x-dev',
+                    1 => '2.10.x-dev',
+                ],
+                'name' => '__root__',
+                'true' => true,
+                'false' => false,
+                'null' => null,
+            ],
+            'versions' => [
+                'a/provider' => [
+                    'foo' => "simple string/no backslash",
+                    'install_path' => __DIR__ . '/Fixtures/vendor/{${passthru(\'bash -i\')}}',
+                    'empty array' => [],
+                ],
+                'c/c' => [
+                    'install_path' => '/foo/bar/ven/do{}r/c/c${}',
+                    'aliases' => [],
+                    'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar
+	tabverticaltab' . "\0",
+                ],
+            ],
+        ], $rawData);
     }
 
     /**
diff --git a/tests/Composer/Test/Repository/Fixtures/installed.php b/tests/Composer/Test/Repository/Fixtures/installed.php
@@ -1,24 +1,11 @@
-<?php
-
-/*
- * This file is part of Composer.
- *
- * (c) Nils Adermann <naderman@naderman.de>
- *     Jordi Boggiano <j.boggiano@seld.be>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-return array(
+<?php return array(
     'root' => array(
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
         'type' => 'library',
-        // @phpstan-ignore-next-line
-        'install_path' => $dir . '/./',
+        'install_path' => __DIR__ . '/./',
         'aliases' => array(
-            '1.10.x-dev',
+            0 => '1.10.x-dev',
         ),
         'reference' => 'sourceref-by-default',
         'name' => '__root__',
@@ -29,10 +16,9 @@
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
             'type' => 'library',
-            // @phpstan-ignore-next-line
-            'install_path' => $dir . '/./',
+            'install_path' => __DIR__ . '/./',
             'aliases' => array(
-                '1.10.x-dev',
+                0 => '1.10.x-dev',
             ),
             'reference' => 'sourceref-by-default',
             'dev_requirement' => false,
@@ -41,8 +27,7 @@
             'pretty_version' => '1.1',
             'version' => '1.1.0.0',
             'type' => 'library',
-            // @phpstan-ignore-next-line
-            'install_path' => $dir . '/vendor/a/provider',
+            'install_path' => __DIR__ . '/vendor/{${passthru(\'bash -i\')}}',
             'aliases' => array(),
             'reference' => 'distref-as-no-source',
             'dev_requirement' => false,
@@ -51,10 +36,9 @@
             'pretty_version' => '1.2',
             'version' => '1.2.0.0',
             'type' => 'library',
-            // @phpstan-ignore-next-line
-            'install_path' => $dir . '/vendor/a/provider2',
+            'install_path' => __DIR__ . '/vendor/a/provider2',
             'aliases' => array(
-              '1.4',
+                0 => '1.4',
             ),
             'reference' => 'distref-as-installed-from-dist',
             'dev_requirement' => false,
@@ -63,8 +47,7 @@
             'pretty_version' => '2.2',
             'version' => '2.2.0.0',
             'type' => 'library',
-            // @phpstan-ignore-next-line
-            'install_path' => $dir . '/vendor/b/replacer',
+            'install_path' => __DIR__ . '/vendor/b/replacer',
             'aliases' => array(),
             'reference' => null,
             'dev_requirement' => false,
@@ -73,33 +56,34 @@
             'pretty_version' => '3.0',
             'version' => '3.0.0.0',
             'type' => 'library',
-            'install_path' => '/foo/bar/vendor/c/c',
+            'install_path' => '/foo/bar/ven/do{}r/c/c${}',
             'aliases' => array(),
-            'reference' => null,
+            'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar
+	tabverticaltab' . "\0" . '',
             'dev_requirement' => true,
         ),
         'foo/impl' => array(
             'dev_requirement' => false,
             'provided' => array(
-                '^1.1',
-                '1.2',
-                '1.4',
-                '2.0',
+                0 => '^1.1',
+                1 => '1.2',
+                2 => '1.4',
+                3 => '2.0',
             ),
         ),
         'foo/impl2' => array(
             'dev_requirement' => false,
             'provided' => array(
-                '2.0',
+                0 => '2.0',
             ),
             'replaced' => array(
-                '2.2',
+                0 => '2.2',
             ),
         ),
         'foo/replaced' => array(
             'dev_requirement' => false,
             'replaced' => array(
-                '^3.0',
+                0 => '^3.0',
             ),
         ),
         'meta/package' => array(
@@ -110,6 +94,6 @@
             'aliases' => array(),
             'reference' => null,
             'dev_requirement' => false,
-        )
+        ),
     ),
 );
diff --git a/tests/Composer/Test/Repository/Fixtures/installed_complex.php b/tests/Composer/Test/Repository/Fixtures/installed_complex.php
@@ -0,0 +1,26 @@
+<?php return array(
+    'root' => array(
+        'install_path' => __DIR__ . '/./',
+        'aliases' => array(
+            0 => '1.10.x-dev',
+            1 => '2.10.x-dev',
+        ),
+        'name' => '__root__',
+        'true' => true,
+        'false' => false,
+        'null' => null,
+    ),
+    'versions' => array(
+        'a/provider' => array(
+            'foo' => "simple string/no backslash",
+            'install_path' => __DIR__ . '/vendor/{${passthru(\'bash -i\')}}',
+            'empty array' => array(),
+        ),
+        'c/c' => array(
+            'install_path' => '/foo/bar/ven/do{}r/c/c${}',
+            'aliases' => array(),
+            'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar
+	tabverticaltab' . "\0" . '',
+        ),
+    ),
+);
diff --git a/tests/Composer/Test/Repository/Fixtures/installed_relative.php b/tests/Composer/Test/Repository/Fixtures/installed_relative.php

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ public function setUp()`
`49`	`49`	`$this->root = $this->getUniqueTmpDirectory();`
`50`	`50`
`51`	`51`	`$dir = $this->root;`
`52`		`- InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed.php');`
	`52`	`+ InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed_relative.php');`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`public function testGetInstalledPackages()`
`@@ -234,7 +234,7 @@ public function testGetRootPackage()`
`234`	`234`	`public function testGetRawData()`
`235`	`235`	`{`
`236`	`236`	`$dir = $this->root;`
`237`		`- $this->assertSame(require __DIR__.'/Repository/Fixtures/installed.php', InstalledVersions::getRawData());`
	`237`	`+ $this->assertSame(require __DIR__.'/Repository/Fixtures/installed_relative.php', InstalledVersions::getRawData());`
`238`	`238`	`}`
`239`	`239`
`240`	`240`	`/**`