From 2278fd62d7c1bd9420b06600633dd1faa36334ad Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Wed, 15 Dec 2021 13:32:50 +1300
Subject: [PATCH] FIX: Replace sensiolabs/security-checker with signify-nz/composer-security-checker
FIX Don't instantiate security checker for /dev/tasks request. The new security checker fetches data on instantiation. There's no reason to trigger that every time a developer goes to /dev/tasks.
---
 README.md | 6 +-
 composer.json | 2 +-
 src/Tasks/SecurityAlertCheckTask.php | 16 +--
 tests/SecurityAlertCheckTaskTest.php | 196 ++++++++++++++++++++-------
 4 files changed, 156 insertions(+), 64 deletions(-)
diff --git a/README.md b/README.md
index 7d5eab7..f2b5778 100644
--- a/README.md
+++ b/README.md
@@ -1,14 +1,12 @@ # SilverStripe Security Checker -**WARNING**: As of January 2021, this module no longer works because the underlying service has been shut down (see [announcement](https://github.com/sensiolabs/security-checker) and [discussion](https://github.com/bringyourownideas/silverstripe-composer-security-checker/issues/57)) - [![Build Status](https://api.travis-ci.org/bringyourownideas/silverstripe-composer-security-checker.svg?branch=master)](https://travis-ci.org/bringyourownideas/silverstripe-composer-security-checker) [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/?branch=master) [![codecov](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker/branch/master/graph/badge.svg)](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker) [![SilverStripe supported module](https://img.shields.io/badge/silverstripe-supported-0071C4.svg)](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/) -Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses the -[SensioLabs Security Check Web service](http://security.sensiolabs.org/) and the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories). +Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses +[Signify's Composer Security Checker](https://github.com/signify-nz/composer-security-checker) which checks against the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories). BSD 3-clause [License](https://github.com/bringyourownideas/silverstripe-composer-security-checker/blob/master/license.md) diff --git a/composer.json b/composer.json index a2028b2..97c7680 100644 --- a/composer.json 
+++ b/composer.json @@ -20,7 +20,7 @@ "require": { "php": ">=5.6.0", "silverstripe/framework": "^4", - "sensiolabs/security-checker": "^5 || ^6", + "signify-nz/composer-security-checker": "^1", "symbiote/silverstripe-queuedjobs": "^4" }, "require-dev": { diff --git a/src/Tasks/SecurityAlertCheckTask.php b/src/Tasks/SecurityAlertCheckTask.php index 1cd1dc5..bf5763c 100644 --- a/src/Tasks/SecurityAlertCheckTask.php +++ b/src/Tasks/SecurityAlertCheckTask.php @@ -2,14 +2,14 @@ namespace BringYourOwnIdeas\SecurityChecker\Tasks; -use SensioLabs\Security\SecurityChecker; +use Signify\SecurityChecker\SecurityChecker; use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert; use BringYourOwnIdeas\SecurityChecker\Extensions\SecurityAlertExtension; use BringYourOwnIdeas\Maintenance\Model\Package; use SilverStripe\ORM\Queries\SQLDelete; use SilverStripe\ORM\DataObjectSchema; -use SilverStripe\Dev\SapphireTest; use SilverStripe\Control\Director; +use SilverStripe\Core\Injector\Injector; use SilverStripe\Dev\BuildTask; /** @@ -24,10 +24,6 @@ class SecurityAlertCheckTask extends BuildTask */ protected $securityChecker; - private static $dependencies = [ - 'SecurityChecker' => '%$' . SecurityChecker::class, - ]; - protected $title = 'Composer security checker'; protected $description = @@ -38,6 +34,9 @@ class SecurityAlertCheckTask extends BuildTask */ public function getSecurityChecker() { + if (!$this->securityChecker) { + $this->securityChecker = Injector::inst()->get(SecurityChecker::class); + } return $this->securityChecker; } 
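Review bot: `getSecurityChecker()` in the third hunk of src/Tasks/SecurityAlertCheckTask.php is no longer a plain accessor — per the commit message the checker fetches the advisories database when it is instantiated, so the first call to this getter now performs remote I/O, and the method's docblock (just outside the hunk) should say so, e.g. `Lazily resolves the checker on first use; instantiating it fetches the advisories database, so avoid calling this outside run().` With the `$dependencies` injection removed in the hunk above, this lazy branch and whatever setter the test mock relies on are presumably the only ways the property gets populated; worth confirming that setter still exists and is documented as the test seam. A `$this->securityChecker === null` test would also make the intent of the guard explicit rather than relying on object truthiness.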
@@ -77,10 +76,9 @@ public function run($request) // to keep the list up to date while removing resolved issues we keep all of found issues $validEntries = array(); - // use the security checker of + // check for vulnerabilities $checker = $this->getSecurityChecker(); - $result = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock'); - $alerts = json_decode((string) $result, true); + $alerts = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock'); // go through all alerts for packages - each can contain multiple issues foreach ($alerts as $package => $packageDetails) { diff --git a/tests/SecurityAlertCheckTaskTest.php b/tests/SecurityAlertCheckTaskTest.php index 331d3ff..419b473 100644 --- a/tests/SecurityAlertCheckTaskTest.php +++ b/tests/SecurityAlertCheckTaskTest.php @@ -4,8 +4,7 @@ use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert; use BringYourOwnIdeas\SecurityChecker\Tasks\SecurityAlertCheckTask; -use SensioLabs\Security\Result; -use SensioLabs\Security\SecurityChecker; +use Signify\SecurityChecker\SecurityChecker; use SilverStripe\Control\HTTPRequest; use SilverStripe\Dev\SapphireTest; use Symbiote\QueuedJobs\Services\QueuedJobService; 
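Review bot: The value returned by `$checker->check(...)` is fed straight into `foreach` with nothing confirming the advisories lookup actually produced a result; since the surrounding code, per its own comment, rebuilds `$validEntries` from what is found in order to retire resolved issues, a lookup that yields nothing on a transient failure would read as "no known vulnerabilities" and appears likely to clear every existing alert (that removal step is outside the hunk). Whether the Signify checker throws or returns empty when it cannot fetch advisories is not visible here, so a guard such as `if (!is_array($alerts)) { throw new \RuntimeException('Security check returned no result'); }` before the loop would keep an error from being mistaken for a clean result. The mock in tests/SecurityAlertCheckTaskTest.php gives `advisories` as a positional list rather than the keyed map the old SensioLabs JSON used, so confirm the loop body (outside the hunk) does not depend on advisory keys. `run()` starts and ends outside the hunk.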
@@ -50,57 +49,154 @@ private function runTask($request = null) */ protected function getSecurityCheckerMock($empty = false) { - // Mock info comes from SensioLabs API docs example output, - // and a real (test) silverstripe/installer 3.2.0 installation - // (using the aforementioned API) - $mockOutput = << [ + 'version' => '1.0.70', + 'advisories' => [ + [ + 'title' => 'TOCTOU Race Condition enabling remote code execution', + 'link' => 'https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm', + 'cve' => 'CVE-2021-32708', + ], + ], + ], + 'silverstripe/assets' => [ + 'version' => '1.1.0', + 'advisories' => [ + [ + 'title' => 'CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12245/', + 'cve' => 'CVE-2019-12245', + ], + [ + 'title' => 'CVE-2020-9280: Folders migrated from 3.x may be unsafe to upload to', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-9280/', + 'cve' => 'CVE-2020-9280', + ], + ], + ], + 'silverstripe/framework' => [ + 'version' => '4.0.0', + 'advisories' => [ + [ + 'title' => 'CVE-2019-12203: Session fixation in \'change password\' form', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12203/', + 'cve' => 'CVE-2019-12203', + ], + [ + 'title' => 'CVE-2019-12246: Denial of Service on flush and development URL tools', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12246', + 'cve' => 'CVE-2019-12246', + ], + [ + 'title' => 'CVE-2019-14272: XSS in file titles managed through the CMS', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14272/', + 'cve' => 'CVE-2019-14272', + ], + [ + 'title' => 'CVE-2019-14273: Broken Access control on files', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14273/', + 'cve' => 'CVE-2019-14273', + ], + [ + 'title' => 
'CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-16409/', + 'cve' => 'CVE-2019-16409', + ], + [ + 'title' => 'CVE-2019-19325: XSS through non-scalar FormField attributes', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19325/', + 'cve' => 'CVE-2019-19325', + ], + [ + 'title' => 'CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19326/', + 'cve' => 'CVE-2019-19326', + ], + [ + 'title' => 'CVE-2019-5715: Reflected SQL Injection through Form and DataObject', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-021', + 'cve' => 'CVE-2019-5715', + ], + [ + 'title' => 'CVE-2020-26138 FormField: with square brackets in field name skips validation', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-26138', + 'cve' => 'CVE-2020-26138', + ], + [ + 'title' => 'CVE-2020-6164: Information disclosure on /interactive URL path', + 'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-6164/', + 'cve' => 'CVE-2020-6164', + ], + [ + 'title' => 'SS-2017-007: CSV Excel Macro Injection', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-007/', + 'cve' => null, + ], + [ + 'title' => 'SS-2017-008: SQL injection in full text search of SilverStripe 4', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-008/', + 'cve' => null, + ], + [ + 'title' => 'SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-009/', + 'cve' => null, + ], + [ + 'title' => 'SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-010/', + 
'cve' => null, + ], + [ + 'title' => 'SS-2018-001: Privilege Escalation Risk in Member Edit form', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-001/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-005: isDev and isTest unguarded', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-005/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-008: BackURL validation bypass with malformed URLs', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-008/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-010: Member disclosure in login form', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-010/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-012: Uploaded PHP script execution in assets', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-012/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-018: Database credentials disclosure during connection failure', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-018/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-019: Possible denial of service attack vector when flushing', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-019/', + 'cve' => null, + ], + [ + 'title' => 'SS-2018-020: Potential SQL vulnerability in PostgreSQL database connector', + 'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-020/', + 'cve' => null, + ], + ], + ], + ]; $securityCheckerMock = $this->getMockBuilder(SecurityChecker::class)->setMethods(['check'])->getMock(); $securityCheckerMock->expects($this->any())->method('check')->will($this->returnValue( - $empty ? new Result(0, '{}', 'json') : new Result(6, $mockOutput, 'json') + $empty ? [] : $mockOutput )); return $securityCheckerMock;