FIX: Replace sensiolabs/security-checker with signify-nz/composer-security-checker #59

Closed
6 changes: 2 additions & 4 deletions README.md
@@ -1,14 +1,12 @@
# SilverStripe Security Checker

**WARNING**: As of January 2021, this module no longer works because the underlying service has been shut down (see [announcement](https://github.com/sensiolabs/security-checker) and [discussion](https://github.com/bringyourownideas/silverstripe-composer-security-checker/issues/57))

[![Build Status](https://api.travis-ci.org/bringyourownideas/silverstripe-composer-security-checker.svg?branch=master)](https://travis-ci.org/bringyourownideas/silverstripe-composer-security-checker)
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/bringyourownideas/silverstripe-composer-security-checker/?branch=master)
[![codecov](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker/branch/master/graph/badge.svg)](https://codecov.io/gh/bringyourownideas/silverstripe-composer-security-checker)
[![SilverStripe supported module](https://img.shields.io/badge/silverstripe-supported-0071C4.svg)](https://www.silverstripe.org/software/addons/silverstripe-commercially-supported-module-list/)

Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses the
[SensioLabs Security Check Web service](http://security.sensiolabs.org/) and the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories).
Adds a task which runs a check if any of the dependencies has known security vulnerabilities. It uses
[Signify's Composer Security Checker](https://github.com/signify-nz/composer-security-checker) which checks against the [Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories).

BSD 3-clause [License](https://github.com/bringyourownideas/silverstripe-composer-security-checker/blob/master/license.md)

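Review bot: the **WARNING** paragraph kept as unchanged context at the top of this hunk states that the module no longer works because the SensioLabs service was shut down; this PR is precisely the fix for that, so the warning should be removed or reworded in the same change, otherwise the README contradicts itself. While here, the added sentence is awkward ("runs a check if any of the dependencies has"); suggest `Adds a task which checks whether any dependency has known security vulnerabilities. It uses`.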
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -20,7 +20,7 @@
"require": {
"php": ">=5.6.0",
"silverstripe/framework": "^4",
"sensiolabs/security-checker": "^5 || ^6",
"signify-nz/composer-security-checker": "^1",
"symbiote/silverstripe-queuedjobs": "^4"
},
"require-dev": {
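Review bot: the `"php": ">=5.6.0"` constraint is kept unchanged while the checker dependency is swapped to `signify-nz/composer-security-checker: ^1`; confirm that the new package actually resolves on PHP 5.6, otherwise raise this module's own minimum to match, since Composer will refuse to install the set on older runtimes and the README hunk advertises no PHP requirement change.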
16 changes: 7 additions & 9 deletions src/Tasks/SecurityAlertCheckTask.php
Expand Up @@ -2,14 +2,14 @@

namespace BringYourOwnIdeas\SecurityChecker\Tasks;

use SensioLabs\Security\SecurityChecker;
use Signify\SecurityChecker\SecurityChecker;
use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert;
use BringYourOwnIdeas\SecurityChecker\Extensions\SecurityAlertExtension;
use BringYourOwnIdeas\Maintenance\Model\Package;
use SilverStripe\ORM\Queries\SQLDelete;
use SilverStripe\ORM\DataObjectSchema;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Control\Director;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\BuildTask;

/**
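Review bot: `use SilverStripe\Dev\SapphireTest;` (unchanged context) imports a test-framework class into a production `BuildTask` and appears to be unused; since the import block is being edited anyway, drop it if nothing in the file references it. The added `Injector` import is correct for the lazy getter below.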
Expand All @@ -24,10 +24,6 @@ class SecurityAlertCheckTask extends BuildTask
*/
protected $securityChecker;

private static $dependencies = [
'SecurityChecker' => '%$' . SecurityChecker::class,
];

protected $title = 'Composer security checker';

protected $description =
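Review bot: removing the `$dependencies` injector config means `$securityChecker` is no longer populated on construction, so any project that overrode the service through Injector config for `SecurityAlertCheckTask` (`SecurityChecker => ...`) silently stops working; call this out as a behaviour change in the PR description, and make sure a public `setSecurityChecker()` still exists so the test mock in `tests/SecurityAlertCheckTaskTest.php` can be installed.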
Expand All @@ -38,6 +34,9 @@ class SecurityAlertCheckTask extends BuildTask
*/
public function getSecurityChecker()
{
if (!$this->securityChecker) {
$this->securityChecker = Injector::inst()->get(SecurityChecker::class);
}
return $this->securityChecker;
}

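Review bot: the lazy fallback uses `Injector::inst()->get(SecurityChecker::class)`, which hands back a shared singleton; if the Signify checker keeps per-run state (cached advisories, last result), `Injector::inst()->create(SecurityChecker::class)` is the safer call. Also check that the docblock closed by `*/` just above `getSecurityChecker()` still declares the right `@return` type now that the class is `Signify\SecurityChecker\SecurityChecker`.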
Expand Down Expand Up @@ -77,10 +76,9 @@ public function run($request)
// to keep the list up to date while removing resolved issues we keep all of found issues
$validEntries = array();

// use the security checker of
// check for vulnerabilities
$checker = $this->getSecurityChecker();
$result = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock');
$alerts = json_decode((string) $result, true);
$alerts = $checker->check(BASE_PATH . DIRECTORY_SEPARATOR . 'composer.lock');

// go through all alerts for packages - each can contain multiple issues
foreach ($alerts as $package => $packageDetails) {
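Review bot: `$alerts = $checker->check(...)` now trusts the return value to be an array; if `composer.lock` is missing or the checker throws or returns a non-array, the `foreach` at the end of the hunk emits a warning or fatals (the old `json_decode` path had the same gap, returning `null`). Suggest `if (!is_array($alerts)) { $alerts = []; }` (or catching the exception) before iterating. The new test fixture also shows `'advisories'` as a numerically indexed list with `'cve' => null`, where the old payload was a filename-keyed object with `"cve": ""`, so verify the loop body does not use the advisory key as an identifier and that a null CVE is accepted wherever the empty string was. The truncated context comment `// use the security checker of` could be finished or dropped while here.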
196 changes: 146 additions & 50 deletions tests/SecurityAlertCheckTaskTest.php
Expand Up @@ -4,8 +4,7 @@

use BringYourOwnIdeas\SecurityChecker\Models\SecurityAlert;
use BringYourOwnIdeas\SecurityChecker\Tasks\SecurityAlertCheckTask;
use SensioLabs\Security\Result;
use SensioLabs\Security\SecurityChecker;
use Signify\SecurityChecker\SecurityChecker;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Dev\SapphireTest;
use Symbiote\QueuedJobs\Services\QueuedJobService;
Expand Down Expand Up @@ -50,57 +49,154 @@ private function runTask($request = null)
*/
protected function getSecurityCheckerMock($empty = false)
{
// Mock info comes from SensioLabs API docs example output,
// and a real (test) silverstripe/installer 3.2.0 installation
// (using the aforementioned API)
$mockOutput = <<<CVENOTICE
{
"symfony\/symfony": {
"version": "2.1.x-dev",
"advisories": {
"symfony\/symfony\/CVE-2013-1397.yaml": {
"title": "Ability to enable\/disable object support in YAML parsing and dumping",
"link": "http:\/\/symfony.com\/blog\/security-release-symfony-2-0-22-and-2-1-7-released",
"cve": "CVE-2013-1397"
}
}
},
"silverstripe\/framework": {
"version": "3.2.0",
"advisories": {
"silverstripe\/framework\/SS-2016-002-1.yaml": {
"title": "SS-2016-002: CSRF vulnerability in GridFieldAddExistingAutocompleter",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-002\/",
"cve": ""
},
"silverstripe\/framework\/SS-2016-003-1.yaml": {
"title": "SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2016-003\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-028-1.yaml": {
"title": "SS-2015-028: Missing security check on dev\/build\/defaults",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-028\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-027-1.yaml": {
"title": "SS-2015-027: HtmlEditor embed url sanitisation",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-027\/",
"cve": ""
},
"silverstripe\/framework\/SS-2015-026-1.yaml": {
"title": "SS-2015-026: Form field validation message XSS vulnerability",
"link": "https:\/\/www.silverstripe.org\/download\/security-releases\/ss-2015-026\/",
"cve": ""
}
}
}
}
CVENOTICE;
// Mock info comes from a real (test) silverstripe/framework 4.0.0 installation
// using Signify's Composer Security Checker
$mockOutput = [
'league/flysystem' => [
'version' => '1.0.70',
'advisories' => [
[
'title' => 'TOCTOU Race Condition enabling remote code execution',
'link' => 'https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm',
'cve' => 'CVE-2021-32708',
],
],
],
'silverstripe/assets' => [
'version' => '1.1.0',
'advisories' => [
[
'title' => 'CVE-2019-12245: Incorrect access control vulnerability in files uploaded to protected folders',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12245/',
'cve' => 'CVE-2019-12245',
],
[
'title' => 'CVE-2020-9280: Folders migrated from 3.x may be unsafe to upload to',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-9280/',
'cve' => 'CVE-2020-9280',
],
],
],
'silverstripe/framework' => [
'version' => '4.0.0',
'advisories' => [
[
'title' => 'CVE-2019-12203: Session fixation in \'change password\' form',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12203/',
'cve' => 'CVE-2019-12203',
],
[
'title' => 'CVE-2019-12246: Denial of Service on flush and development URL tools',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-12246',
'cve' => 'CVE-2019-12246',
],
[
'title' => 'CVE-2019-14272: XSS in file titles managed through the CMS',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14272/',
'cve' => 'CVE-2019-14272',
],
[
'title' => 'CVE-2019-14273: Broken Access control on files',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-14273/',
'cve' => 'CVE-2019-14273',
],
[
'title' => 'CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-16409/',
'cve' => 'CVE-2019-16409',
],
[
'title' => 'CVE-2019-19325: XSS through non-scalar FormField attributes',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19325/',
'cve' => 'CVE-2019-19325',
],
[
'title' => 'CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2019-19326/',
'cve' => 'CVE-2019-19326',
],
[
'title' => 'CVE-2019-5715: Reflected SQL Injection through Form and DataObject',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-021',
'cve' => 'CVE-2019-5715',
],
[
'title' => 'CVE-2020-26138 FormField: with square brackets in field name skips validation',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-26138',
'cve' => 'CVE-2020-26138',
],
[
'title' => 'CVE-2020-6164: Information disclosure on /interactive URL path',
'link' => 'https://www.silverstripe.org/download/security-releases/cve-2020-6164/',
'cve' => 'CVE-2020-6164',
],
[
'title' => 'SS-2017-007: CSV Excel Macro Injection',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-007/',
'cve' => null,
],
[
'title' => 'SS-2017-008: SQL injection in full text search of SilverStripe 4',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-008/',
'cve' => null,
],
[
'title' => 'SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-009/',
'cve' => null,
],
[
'title' => 'SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2017-010/',
'cve' => null,
],
[
'title' => 'SS-2018-001: Privilege Escalation Risk in Member Edit form',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-001/',
'cve' => null,
],
[
'title' => 'SS-2018-005: isDev and isTest unguarded',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-005/',
'cve' => null,
],
[
'title' => 'SS-2018-008: BackURL validation bypass with malformed URLs',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-008/',
'cve' => null,
],
[
'title' => 'SS-2018-010: Member disclosure in login form',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-010/',
'cve' => null,
],
[
'title' => 'SS-2018-012: Uploaded PHP script execution in assets',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-012/',
'cve' => null,
],
[
'title' => 'SS-2018-018: Database credentials disclosure during connection failure',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-018/',
'cve' => null,
],
[
'title' => 'SS-2018-019: Possible denial of service attack vector when flushing',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-019/',
'cve' => null,
],
[
'title' => 'SS-2018-020: Potential SQL vulnerability in PostgreSQL database connector',
'link' => 'https://www.silverstripe.org/download/security-releases/ss-2018-020/',
'cve' => null,
],
],
],
];

$securityCheckerMock = $this->getMockBuilder(SecurityChecker::class)->setMethods(['check'])->getMock();
$securityCheckerMock->expects($this->any())->method('check')->will($this->returnValue(
$empty ? new Result(0, '{}', 'json') : new Result(6, $mockOutput, 'json')
$empty ? [] : $mockOutput
));

return $securityCheckerMock;
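Review bot: `setMethods()` is deprecated since PHPUnit 8.3 and removed in PHPUnit 10; if the test matrix includes a newer PHPUnit, switch to `onlyMethods(['check'])`. The roughly 140-line inline `$mockOutput` array would be easier to maintain as a separate fixture file loaded by the test, and because the old fixture used `"cve": ""` while this one uses `'cve' => null`, add an assertion that an advisory with a null CVE is stored correctly, since that is the case most likely to regress a non-nullable DB column or a `!== ''` check in the task.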