Skip to content

Commit

Permalink
FIX: Replace sensiolabs/security-checker with signify-nz/composer-sec…
Browse files Browse the repository at this point in the history
…urity-checker

FIX Don't instantiate security checker for /dev/tasks request.

The new security checker fetches data on instantiation. There's no reason to trigger that every time a developer goes to /dev/tasks.
  • Loading branch information
GuySartorelli committed Jan 16, 2022
1 parent f77fe5a commit 2278fd6
Show file tree
Hide file tree
Showing 4 changed files with 156 additions and 64 deletions.
6 changes: 2 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
# SilverStripe Security Checker

**WARNING**: As of January 2021, this module no longer works because the underlying service has been shut down (see [announcement](https://github.com/sensiolabs/security-checker) and [discussion](https://github.com/bringyourownideas/silverstripe-composer-security-checker/issues/57))

[![Build Status](https://api.travis-ci.org/bringyourownideas/silverstripe-composer-security-checker.svg?branch=master)](https://travis-ci.org/bringyourownideas/silverstripe-composer-security-checker)
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/?branch=master)
[![codecov](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker/branch/master/graph/badge.svg)](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker)
[![SilverStripe supported module](https://img.shields.io/badge/silverstripe-supported-0071C4.svg)](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/)

Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses the
[SensioLabs Security Check Web service](http://security.sensiolabs.org/) and the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories).
Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses
[Signify's Composer Security Checker](https://github.com/signify-nz/composer-security-checker) which checks against the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories).

BSD 3-clause [License](https://github.com/bringyourownideas/silverstripe-composer-security-checker/blob/master/license.md)

Expand Down
2 changes: 1 addition & 1 deletion composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
"require": {
"php": ">=5.6.0",
"silverstripe/framework": "^4",
"sensiolabs/security-checker": "^5 || ^6",
"signify-nz/composer-security-checker": "^1",
"symbiote/silverstripe-queuedjobs": "^4"
},
"require-dev": {
Expand Down
16 changes: 7 additions & 9 deletions src/Tasks/SecurityAlertCheckTask.php
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@

namespace BringYourOwnIdeas\SecurityChecker\Tasks;

use SensioLabs\Security\SecurityChecker;
use Signify\SecurityChecker\SecurityChecker;
use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert;
use BringYourOwnIdeas\SecurityChecker\Extensions\SecurityAlertExtension;
use BringYourOwnIdeas\Maintenance\Model\Package;
use SilverStripe\ORM\Queries\SQLDelete;
use SilverStripe\ORM\DataObjectSchema;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Control\Director;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\BuildTask;

/**
Expand All @@ -24,10 +24,6 @@ class SecurityAlertCheckTask extends BuildTask
*/
protected $securityChecker;

private static $dependencies = [
'SecurityChecker' => '%$' . SecurityChecker::class,
];

protected $title = 'Composer security checker';

protected $description =
Expand All @@ -38,6 +34,9 @@ class SecurityAlertCheckTask extends BuildTask
*/
public function getSecurityChecker()
{
if (!$this->securityChecker) {
$this->securityChecker = Injector::inst()->get(SecurityChecker::class);
}
return $this->securityChecker;
}

Expand Down Expand Up @@ -77,10 +76,9 @@ public function run($request)
// to keep the list up to date while removing resolved issues we keep all of found issues
$validEntries = array();

// use the security checker of
// check for vulnerabilities
$checker = $this->getSecurityChecker();
$result = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock');
$alerts = json_decode((string) $result, true);
$alerts = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock');

// go through all alerts for packages - each can contain multiple issues
foreach ($alerts as $package => $packageDetails) {
Expand Down
196 changes: 146 additions & 50 deletions tests/SecurityAlertCheckTaskTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,7 @@

use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert;
use BringYourOwnIdeas\SecurityChecker\Tasks\SecurityAlertCheckTask;
use SensioLabs\Security\Result;
use SensioLabs\Security\SecurityChecker;
use Signify\SecurityChecker\SecurityChecker;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Dev\SapphireTest;
use Symbiote\QueuedJobs\Services\QueuedJobService;
Expand Down Expand Up @@ -50,57 +49,154 @@ private function runTask($request = null)
*/
protected function getSecurityCheckerMock($empty = false)
{
// Mock info comes from SensioLabs API docs example output,
// and a real (test) silverstripe/installer 3.2.0 installation
// (using the aforementioned API)
$mockOutput = <<<CVENOTICE
{
"symfony\/symfony": {
"version": "2.1.x-dev",
"advisories": {
"symfony\/symfony\/CVE-2013-1397.yaml": {
"title": "Ability to enable\/disable object support in YAML parsing and dumping",
"link": "http:\/\/symfony.com\/blog\/security-release-symfony-2-0-22-and-2-1-7-released",
"cve": "CVE-2013-1397"
}
}
},
"silverstripe\/framework": {
"version": "3.2.0",
"advisories": {
"silverstripe\/framework\/SS-2016-002-1.yaml": {
"title": "SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-002\/",
"cve": ""
},
"silverstripe\/framework\/SS-2016-003-1.yaml": {
"title": "SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-003\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-028-1.yaml": {
"title": "SS-2015-028: Missing security check on dev\/build\/defaults",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-028\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-027-1.yaml": {
"title": "SS-2015-027: HtmlEditor embed url sanitisation",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-027\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-026-1.yaml": {
"title": "SS-2015-026: Form field validation message XSS vulnerability",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-026\/",
"cve": ""
}
}
}
}
CVENOTICE;
// Mock info comes from a real (test) silverstripe/framework 4.0.0 installation
// using Signify's Composer Security Checker
$mockOutput = [
'league/flysystem' => [
'version' => '1.0.70',
'advisories' => [
[
'title' => 'TOCTOU Race Condition enabling remote code execution',
'link' => 'https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm',
'cve' => 'CVE-2021-32708',
],
],
],
'silverstripe/assets' => [
'version' => '1.1.0',
'advisories' => [
[
'title' => 'CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12245/',
'cve' => 'CVE-2019-12245',
],
[
'title' => 'CVE-2020-9280: Folders migrated from 3.x may be unsafe to upload to',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-9280/',
'cve' => 'CVE-2020-9280',
],
],
],
'silverstripe/framework' => [
'version' => '4.0.0',
'advisories' => [
[
'title' => 'CVE-2019-12203: Session fixation in \'change password\' form',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12203/',
'cve' => 'CVE-2019-12203',
],
[
'title' => 'CVE-2019-12246: Denial of Service on flush and development URL tools',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12246',
'cve' => 'CVE-2019-12246',
],
[
'title' => 'CVE-2019-14272: XSS in file titles managed through the CMS',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14272/',
'cve' => 'CVE-2019-14272',
],
[
'title' => 'CVE-2019-14273: Broken Access control on files',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14273/',
'cve' => 'CVE-2019-14273',
],
[
'title' => 'CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-16409/',
'cve' => 'CVE-2019-16409',
],
[
'title' => 'CVE-2019-19325: XSS through non-scalar FormField attributes',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19325/',
'cve' => 'CVE-2019-19325',
],
[
'title' => 'CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19326/',
'cve' => 'CVE-2019-19326',
],
[
'title' => 'CVE-2019-5715: Reflected SQL Injection through Form and DataObject',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-021',
'cve' => 'CVE-2019-5715',
],
[
'title' => 'CVE-2020-26138 FormField: with square brackets in field name skips validation',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-26138',
'cve' => 'CVE-2020-26138',
],
[
'title' => 'CVE-2020-6164: Information disclosure on /interactive URL path',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-6164/',
'cve' => 'CVE-2020-6164',
],
[
'title' => 'SS-2017-007: CSV Excel Macro Injection',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-007/',
'cve' => null,
],
[
'title' => 'SS-2017-008: SQL injection in full text search of SilverStripe 4',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-008/',
'cve' => null,
],
[
'title' => 'SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-009/',
'cve' => null,
],
[
'title' => 'SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-010/',
'cve' => null,
],
[
'title' => 'SS-2018-001: Privilege Escalation Risk in Member Edit form',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-001/',
'cve' => null,
],
[
'title' => 'SS-2018-005: isDev and isTest unguarded',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-005/',
'cve' => null,
],
[
'title' => 'SS-2018-008: BackURL validation bypass with malformed URLs',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-008/',
'cve' => null,
],
[
'title' => 'SS-2018-010: Member disclosure in login form',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-010/',
'cve' => null,
],
[
'title' => 'SS-2018-012: Uploaded PHP script execution in assets',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-012/',
'cve' => null,
],
[
'title' => 'SS-2018-018: Database credentials disclosure during connection failure',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-018/',
'cve' => null,
],
[
'title' => 'SS-2018-019: Possible denial of service attack vector when flushing',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-019/',
'cve' => null,
],
[
'title' => 'SS-2018-020: Potential SQL vulnerability in PostgreSQL database connector',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-020/',
'cve' => null,
],
],
],
];

$securityCheckerMock = $this->getMockBuilder(SecurityChecker::class)->setMethods(['check'])->getMock();
$securityCheckerMock->expects($this->any())->method('check')->will($this->returnValue(
$empty ? new Result(0, '{}', 'json') : new Result(6, $mockOutput, 'json')
$empty ? [] : $mockOutput
));

return $securityCheckerMock;
Expand Down

0 comments on commit 2278fd6

Please sign in to comment.