antidot-framework / installer

BSD 2-Clause "Simplified" License

Insecure File Management in composer plugin #4

Closed kpicaza closed 4 years ago

kpicaza commented 4 years ago

:warning: We detected security issues in this pull request:

Insecure File Management (9)

- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/Micro/FileStructure.php#L47
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/Micro/FileStructure.php#L35
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/ComposerJson.php#L41
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/Micro/FileStructure.php#L53
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/ApplicationType/MicroAppInstaller.php#L58
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/ApplicationType/MicroAppInstaller.php#L57
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/ComposerJson.php#L71
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/Template/Micro/FileStructure.php#L39
- https://github.com/antidot-framework/installer/blob/e495073e54a878f4272d0d08467f9329914f5f8c/src/ApplicationType/MicroAppInstaller.php#L48

More info on how to fix Insecure File Management in [PHP](https://docs.guardrails.io/docs/en/vulnerabilities/php/Insecure_file_management.html?utm_source=ghpr).

👉 Go to the dashboard for detailed results.


Originally posted by @guardrails in https://github.com/antidot-framework/installer/pull/3#issuecomment-678761615

kpicaza commented 4 years ago

I don't know how to manage this issue in this context; the program behavior requires reading and writing in the local filesystem. The users have the ability to add the base path where they want to install the source code, then once the generated application is ready this package is deleted and no longer needed in the application life. For the moment I disabled the @guardrails checks in the project, but this is a bad practice in my opinion. Some ideas?

Maybe using some filesystem library will help?
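One way to contain the installer's reads and writes to the base path the user supplies, added here as an example and not code from the antidot-framework/installer project: canonicalise the base directory once, normalise each relative target lexically before joining it to that root, and re-verify the real parent directory before every write. It assumes PHP 8 (`str_contains`, `str_starts_with`); the class name is hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not code from antidot-framework/installer: every write is
// confined to the user-supplied base directory, canonicalised once up front.
final class ConfinedFileWriter
{
    private string $root;
    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir); // resolves '..' and symlinks; false if missing
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Base directory does not exist: $baseDir");
        }
        $this->root = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }
    /** Absolute target for a relative template path; throws if it would leave the root. */
    public function resolve(string $relative): string
    {
        // Absolute paths (POSIX or drive-letter) and NUL bytes are never valid targets
        if ($relative === '' || str_contains($relative, "\0") || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $relative)) {
            throw new InvalidArgumentException("Invalid target path: $relative");
        }
        $parts = []; // lexical normalisation: the target may not exist yet, so realpath() is unusable
        foreach (preg_split('#[\\\\/]+#', $relative) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment !== '..') {
                $parts[] = $segment;
            } elseif ($parts === []) {
                throw new InvalidArgumentException("Path escapes base directory: $relative");
            } else {
                array_pop($parts);
            }
        }
        return $this->root . implode(DIRECTORY_SEPARATOR, $parts);
    }
    public function write(string $relative, string $contents): void
    {
        $target = $this->resolve($relative);
        $dir = dirname($target);
        is_dir($dir) || mkdir($dir, 0755, true);
        // Re-check the real parent: a symlink inside the tree could still point outside the root
        if (!str_starts_with(realpath($dir) . DIRECTORY_SEPARATOR, $this->root)) {
            throw new RuntimeException("Refusing to write outside base directory: $target");
        }
        file_put_contents($target, $contents, LOCK_EX);
    }
}
```

With this in place, `(new ConfinedFileWriter($userBasePath))->write('config/config.php', $template)` succeeds, while a relative path that climbs above the base directory is rejected before any filesystem call is made.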

streichsbaer commented 4 years ago

Hi @kpicaza, I have taken a look at these issues, and in the context of an installation, there is not much that can be done here.

Also, given that this is a one-time activity, and the package is deleted afterwards, this further reduces the risk dramatically.

We are just about to launch the ability to mark these findings as "Won't fix" (amongst other states) in the dashboard; this way they won't keep showing up.

kpicaza commented 4 years ago

Hi @streichsbaer, thanks for the response. Let us know when the new feature is available to restore the @guardrails security checks.