Security concerns with using Composer Install in production environment

I am trying to design a deployment process for an enterprise level application. I have heard conflicting opinions on whether Composer can be used in the production environment.

I understand that running composer update would be a mistake since you can pull in untested versions. Instead, in production it is recommended that only composer install is used.

So that being said, my biggest concern is security. How easy is a man-in-the-middle attack? Is it possible, if Packagist gets hacked, that we can pull down hacked code?

I don't want to have a manual process in place where each time I deploy I have to manually bring the vendor file over. Currently Jenkins will move the source files to production. I don't want to version control the vendor folder if at all possible.

  1. Should I actually be concerned about security if I use composer install?
  2. If I don't use composer in production, how do you suggest I deploy vendor files?
Roeland asked Oct 07 '14 22:10


1 Answer

Yes, you should be concerned and try to understand which data transports are involved.

The current implementation of Composer does use a lot of checksums internally, but there is no package signing involved, so anything that gets downloaded during composer install might potentially be any software, depending on which of the servers hosting either the software repository or the TGZ/ZIPs, or answering metadata requests, are a valid target that could be tampered with to affect what you'd install.

Note however that this isn't only related to security. If you depend on the software packages being installable during your production deployment, it is even more likely that any of the mentioned servers is offline. How would you protect your deployment against any server outages of third party software hosting? The answer to this question is pretty simple: Host the software locally.

And this answer will also affect the security question: If you host the software packages locally, you can also audit these versions before making them available internally. Depending on which level of security you need, you'd either check every single version you get, and restrict the available versions to only the few you are able to check, or you might create a more generous way of asserting that the software you get is fetched from the original Git repository, and create the ZIP version of the software locally (ZIPs are more convenient if you don't intend to further develop the packages IMO).

There are only two software products known that may help here: Toran Proxy is a commercial product from Jordi Boggiano (one of the Composer core developers) that is supposed to also help fund the development of Composer and the infrastructure. The other software is Satis, which also allows creating local copies of the packages you use.

Disclaimer: My answer probably does not get into the finer details, and may present some details too brief or possibly wrong. It is not meant to address every security detail, but rather give a broad overview. The security and authenticity checking of software packages is one topic being in discussion for quite some time (see https://github.com/composer/composer/issues/38 for example), but without any result so far.

Sven answered Oct 21 '22 13:10
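A pre-deploy gate in the spirit of the answer's "host the software locally and audit it" advice, added here as an example (it is not code from the original post or from Composer itself): it parses a composer.lock and flags any package whose dist URL is not on an internal mirror allow-list (for instance a Satis instance) or whose dist entry carries no shasum, so Jenkins can refuse to run composer install on an unvetted lock file. The mirror host name, package names, versions and checksums are constructed for the example.

```python
"""Pre-deploy gate: audit a composer.lock before running `composer install` in production.

Assumptions (not from the original post): packages are mirrored on an internal host
(repo.internal.example, a constructed name) and every dist entry should carry a shasum,
which Composer checks against the downloaded archive only when it is non-empty.
"""
import json
from urllib.parse import urlparse

# Constructed sample lock file: one package mirrored internally with a checksum,
# one still pointing at an external host, and one with an empty checksum.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/logger", "version": "1.2.0",
         "dist": {"type": "zip",
                  "url": "https://repo.internal.example/dist/acme/logger/1.2.0.zip",
                  "shasum": "0123456789abcdef0123456789abcdef01234567"}},
        {"name": "acme/http", "version": "2.0.1",
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/acme/http/zipball/abc123",
                  "shasum": "fedcba9876543210fedcba9876543210fedcba98"}},
        {"name": "acme/util", "version": "0.9.0",
         "dist": {"type": "zip",
                  "url": "https://repo.internal.example/dist/acme/util/0.9.0.zip",
                  "shasum": ""}},
    ],
    "packages-dev": [],
})

ALLOWED_HOSTS = {"repo.internal.example"}  # constructed internal mirror host


def audit_lock(lock_text, allowed_hosts=ALLOWED_HOSTS, include_dev=False):
    """Return a list of (package, problem) tuples; an empty list means the lock passes."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    problems = []
    for section in sections:
        for pkg in lock.get(section, []):
            name = f"{pkg['name']}@{pkg.get('version', '?')}"
            dist = pkg.get("dist") or {}
            host = urlparse(dist.get("url", "")).hostname
            if host not in allowed_hosts:
                problems.append((name, f"dist host not on allow-list: {host}"))
            if not dist.get("shasum"):
                problems.append((name, "dist entry has no shasum; archive will not be hash-checked"))
    return problems


if __name__ == "__main__":
    for name, problem in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

In a pipeline, exit non-zero when the list is non-empty and only then proceed to composer install; the lock file is the only thing this gate trusts, so it must itself come from version control rather than from the production host.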