Merge pull request #6 from magento-cia/AC-970

nathanjosiah · web-flow · commit 48072fd727a0 · 2021-11-04T13:21:05.000-05:00
AC-970: Adjusting dependency confusion behavior
diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
   "name": "magento/composer-dependency-version-audit-plugin",
   "type": "composer-plugin",
   "description": "Validating packages through a composer plugin",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "license": [
     "OSL-3.0"
   ],
diff --git a/src/Plugin.php b/src/Plugin.php
@@ -9,12 +9,16 @@
 
 use Composer\Composer;
 use Composer\DependencyResolver\Operation\OperationInterface;
+use Composer\DependencyResolver\Request;
 use Composer\EventDispatcher\EventSubscriberInterface;
 use Composer\Installer;
 use Composer\Installer\PackageEvent;
 use Composer\IO\IOInterface;
+use Composer\Plugin\PluginEvents;
 use Composer\Plugin\PluginInterface;
+use Composer\Plugin\PrePoolCreateEvent;
 use Composer\Repository\ComposerRepository;
+use Composer\Repository\FilterRepository;
 use Composer\Repository\RepositoryInterface;
 use Composer\Package\PackageInterface;
 use Exception;
@@ -41,6 +45,11 @@ class Plugin implements PluginInterface, EventSubscriberInterface
      */
     private $versionSelector;
 
+    /**
+     * @var array
+     */
+    private $nonFixedPackages;
+
     /**#@+
      * Constant for VBE ALLOW LIST
      */
@@ -99,10 +108,81 @@ public function uninstall(Composer $composer, IOInterface $io)
      */
     public static function getSubscribedEvents(): array
     {
-        return [
+        $events = [
             Installer\PackageEvents::PRE_PACKAGE_INSTALL => 'packageUpdate',
             Installer\PackageEvents::PRE_PACKAGE_UPDATE => 'packageUpdate'
         ];
+
+        if ((int)explode('.', Composer::VERSION)[0] === 2) {
+            $events[PluginEvents::PRE_POOL_CREATE] = 'prePoolCreate';
+        }
+
+        return $events;
+    }
+
+    /**
+     * Get all package installations that use non-fixed version constraints (IE: 2.4.*, ^2.4, etc.)
+     * this needs to be done for Composer V1 installs since prePoolCreate event doesn't exist in V1
+     *
+     * @param Request $request
+     * @return array
+     */
+    private function getNonFixedConstraintList(Request $request): array
+    {
+        if (!$this->nonFixedPackages) {
+            $constraintList = [];
+            foreach ($request->getJobs() as $job) {
+                if ($job['cmd'] === 'install' &&
+                    (strpbrk($job['constraint']->getPrettyString(), "*^-~") ||
+                        preg_match('{(?<!^|as|[=>< ,]) *(?<!-)[, ](?!-) *(?!,|as|$)}', $job['constraint']->getPrettyString()
+                        )
+                    )
+                ) {
+                    $constraintList[$job['packageName']] = true;
+                }
+            }
+            $this->nonFixedPackages = $constraintList;
+        }
+        return $this->nonFixedPackages;
+    }
+
+    /**
+     * Event listener for PrePoolCreate event that is used for composer V2
+     *
+     * @param PrePoolCreateEvent $event
+     */
+    public function prePoolCreate(PrePoolCreateEvent $event): void
+    {
+        if (!$this->nonFixedPackages) {
+            $constraintList = [];
+
+            /**
+             * get all packages that are in the composer.json under require section, this will be the only time
+             * we will be able to get constraints for packages in the require section as this request data isn't
+             * shared in the installer event on composer v2
+             */
+            foreach ($event->getRequest()->getRequires() as $name => $constraint) {
+                $prettyString = $constraint->getPrettyString();
+                $multiConstraint = preg_match('{(?<!^|as|[=>< ,]) *(?<!-)[, ](?!-) *(?!,|as|$)}', $prettyString);
+                if (strpbrk($prettyString, "*^-~") || $multiConstraint){
+                    $constraintList[$name] = true;
+                }
+            }
+
+            /**
+             * get all sub packages that are now requirements for new packages to install and store their constraints.
+             */
+            foreach ($event->getPackages() as $package) {
+                foreach ($package->getRequires() as $name => $constraint) {
+                    $prettyConstraint = $constraint->getPrettyConstraint();
+                    $multiConstraint = preg_match('{(?<!^|as|[=>< ,]) *(?<!-)[, ](?!-) *(?!,|as|$)}', $prettyConstraint);
+                    if (strpbrk($prettyConstraint, "*^-~")|| $multiConstraint)
+                        $constraintList[$name] = true;
+                }
+            }
+
+            $this->nonFixedPackages = $constraintList;
+        }
     }
 
     /**
@@ -130,34 +210,44 @@ public function packageUpdate(PackageEvent $event): void
         list($namespace, $project) = explode("/", $packageName);
         $isPackageVBE = in_array($namespace, self::VBE_ALLOW_LIST, true);
 
-        if(!$isPackageVBE) {
+        if ((int)explode('.', Composer::VERSION)[0] === 1) {
+            $this->getNonFixedConstraintList($event->getRequest());
+        }
 
+        if(!$isPackageVBE) {
             foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {
-
+                $found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
                 /** @var RepositoryInterface $repository */
                 if ($repository instanceof ComposerRepository) {
-                    $found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
                     $repoUrl = $repository->getRepoConfig()['url'];
 
-                    if ($found) {
-                        if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
-                            $publicRepoVersion = $found->getFullPrettyVersion();
-                        } else {
-                            $currentPrivateRepoVersion = $found->getFullPrettyVersion();
-                            //private repo version should hold highest version of package
-                            if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
-                                $privateRepoVersion = $currentPrivateRepoVersion;
-                                $privateRepoUrl = $repoUrl;
-                            }
+                } else if ($repository instanceof FilterRepository) {
+                    $repoUrl = $repository->getRepository()->getRepoConfig()['url'];
+                }
+                if ($found) {
+                    if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
+                        $publicRepoVersion = $found->getFullPrettyVersion();
+                    } else {
+                        $currentPrivateRepoVersion = $found->getFullPrettyVersion();
+                        //private repo version should hold highest version of package
+                        if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
+                            $privateRepoVersion = $currentPrivateRepoVersion;
+                            $privateRepoUrl = $repoUrl;
                         }
                     }
                 }
             }
-            if ($privateRepoVersion && $publicRepoVersion && (version_compare($publicRepoVersion, $privateRepoVersion, '>'))) {
+
+            if ($privateRepoVersion && $publicRepoVersion && version_compare($publicRepoVersion, $privateRepoVersion, '>')) {
                 $exceptionMessage = "Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org 
                              than {$privateRepoVersion} in private {$privateRepoUrl}. Public package might've been taken over by a malicious entity, 
                              please investigate and update package requirement to match the version from the private repository";
-                throw new Exception($exceptionMessage);
+
+                if ($this->nonFixedPackages && array_key_exists($packageName, $this->nonFixedPackages)) {
+                    throw new Exception($exceptionMessage);
+                } else {
+                    $event->getIO()->writeError('<warning>' . $exceptionMessage . '</warning>');
+                }
             }
         }
     }
diff --git a/src/Utils/Version.php b/src/Utils/Version.php
@@ -38,8 +38,6 @@ public function findBestCandidate(Composer $composer, string $packageName, Repos
             $bestCandidate = $this->findBestCandidateComposer1($composer, $packageName, $repository);
         } elseif ($composerMajorVersion === 2) {
             $bestCandidate = $this->findBestCandidateComposer2($composer, $packageName, $repository);
-        } else {
-            throw new Exception("Unrecognized Composer Version");
         }
 
         if($bestCandidate instanceof PackageInterface){
diff --git a/tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/PluginTest.php b/tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/PluginTest.php

Original file line number	Diff line number	Diff line change
`@@ -38,8 +38,6 @@ public function findBestCandidate(Composer $composer, string $packageName, Repos`
`38`	`38`	`$bestCandidate = $this->findBestCandidateComposer1($composer, $packageName, $repository);`
`39`	`39`	`} elseif ($composerMajorVersion === 2) {`
`40`	`40`	`$bestCandidate = $this->findBestCandidateComposer2($composer, $packageName, $repository);`
`41`		`- } else {`
`42`		`- throw new Exception("Unrecognized Composer Version");`
`43`	`41`	`}`
`44`	`42`
`45`	`43`	`if($bestCandidate instanceof PackageInterface){`