
OIDplus 2.0 - An OpenSource online Registration Authority for OIDs and other Object Types
https://www.oidplus.com
Apache License 2.0

firebase/php-jwt <6 security issues? #46

Closed wehowski closed 4 months ago

wehowski commented 4 months ago

Keine Alarmmeldung oder so, nur ein Beitrag zur Info!

- Root composer.json requires firebase/php-jwt ^5.2 -> satisfiable by firebase/php-jwt[v5.2.0, ..., v5.5.1].
- roave/security-advisories dev-latest conflicts with firebase/php-jwt <6.
- Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].

Hallo Daniel, obige Meldung kommt von roave/security-advisories über firebase/php-jwt <6. Kannst Du (langfristig, wenn mal Zeit ist, nicht so super wichtig) in composer.json aus dem "repositories"-Member ein Array machen (nur ein Array, ggf. OHNE die Repositories so zu ändern, wie ich es unten getan habe)? (s.u.)

Um Gehirnwackelpudding loszuwerden, möchte ich mich heute Nachmittag an 2 bis 3 kleinere Erweiterungen an 2 bis 3 meiner OIDplus-Plugins setzen, die ich schon länger geplant hatte, ohne den Rahmen mit neuen Innovationen zu sprengen. Dazu habe ich die aktuelle composer.json wie unten angehängt bearbeitet; daher kommt die Meldung. Viele Grüße, ich melde mich...

{
    "name": "danielmarschall/oidplus",
    "description": "OIDplus 2.0",
    "version": "2.0",
    "type": "project",
    "homepage": "https://www.oidplus.com/",
    "authors": [
        {
            "name": "Daniel Marschall",
            "email": "info@daniel-marschall.de",
            "homepage": "https://www.daniel-marschall.de/"
        }
    ],
    "license": [
        "Apache-2.0"
    ],
    "prefer-dist": true,
    "minimum-stability": "dev",
    "config": {
        "optimize-autoloader" : true,
        "classmap-authoritative" : false, 
        "prepend-autoloader": true, 
        "cache-files-ttl": 120, 
        "secure-http": false,
        "preferred-install": "auto",
        "autoloader-suffix": "OidPlusComposer",
        "allow-plugins": {
          "danielmarschall/*": true,
          "airmad/*": true,
          "civicrm/*": true,
          "composer/*": true,
          "frdl/*": true,
          "kylekatarnls/update-helper": true,
          "vendor-patch/composer-custom-directory-installer": true,
          "vendor-patch/composer-installers-extender": true,
          "frdl/oiplus-composer-plugin": true,
          "smoren/mushroom-hook-manager": true,
          "composer/installers": true,
          "oomphinc/composer-installers-extender": true
        }   
    },      
  "require-dev": {
    "roave/security-advisories": "dev-latest"
  },    
   "extra": { 
     "compile-mode" : "all",
     "merge-plugin": {                  
            "include": [
                "plugins/*/*/*/composer.json",
                "composer.json"
            ],
            "require": [            
                "composer.json"
            ],
            "recurse": true,
            "replace": false,
            "ignore-duplicates": false,
            "merge-dev": true,
            "merge-extra": true,
            "merge-extra-deep": true,
            "merge-scripts": true
    },

        "installer-types": [ 
            "oiplus-plugin-public-pages",
            "oiplus-plugin-rap-ages",
            "oiplus-plugin-admin-pages",
            "oiplus-plugin-auth",
            "oiplus-plugin-database",
            "oiplus-plugin-sql-slang",
            "oiplus-plugin-logger",
            "oiplus-plugin-object-types",
            "oiplus-plugin-language",
            "oiplus-plugin-design",
            "oiplus-plugin-captcha",
            "project",
            "library"
        ],
   "installer-paths": {
            "vendor/{$vendor}/{$name}/":             [
                "type:library",
                "type:project"
            ],

            "plugins/{$vendor}/publicPages/{$name}/":              [
                "type:oiplus-plugin-public-pages"
            ],
            "plugins/{$vendor}/raPages/{$name}/": [
                "type:oiplus-plugin-ra-pages"
            ],
            "plugins/{$vendor}/adminPages/{$name}/":             [
                "type:oiplus-plugin-admin-pages"
            ],
            "plugins/{$vendor}/auth/{$name}/": [
                "type:oiplus-plugin-auth"
            ],
            "plugins/{$vendor}/database/{$name}/": [
                "type:oiplus-plugin-database"
            ],
            "plugins/{$vendor}/sqlSlang/{$name}/": [
                "type:oiplus-plugin-sql-slang"
            ],
            "plugins/{$vendor}/logger/{$name}/": [
                "type:oiplus-plugin-logger"
            ],
            "plugins/{$vendor}/objectTypes/{$name}/": [
                "type:oiplus-plugin-object-types"
            ],
            "plugins/{$vendor}/language/{$name}/": [
                "type:oiplus-plugin-language"
            ],
            "plugins/{$vendor}/design/{$name}/": [
                "type:oiplus-plugin-design"
            ],
            "plugins/{$vendor}/captcha/{$name}/": [
                "type:oiplus-plugin-captcha"
            ]
        },

        "dependency-scripts": {
            "run": true,
            "trust": [
                "danielmarschall\/*",
                "airmad\/*",
                "composer\/*",
                "symfony\/*",
                "frdl\/*",
                "webfan3\/*",
                "wehowski\/*",
                "vendor-patch\/*",
                "smoren\/mushroom-hook-manager",
                "oomphinc\/composer-installers-extender"
            ],
            "exclude": [],
            "types": [ 
            "oiplus-plugin-public-pages",
            "oiplus-plugin-rap-ages",
            "oiplus-plugin-admin-pages",
            "oiplus-plugin-auth",
            "oiplus-plugin-database",
            "oiplus-plugin-sql-slang",
            "oiplus-plugin-logger",
            "oiplus-plugin-object-types",
            "oiplus-plugin-language",
            "oiplus-plugin-design",
            "oiplus-plugin-captcha",
            "project",
            "library"
            ]
        }
  },        
    "repositories": [       
        {
            "type": "composer", 
            "url": "https://oidplus-plugins.repo.pkg.dev.frdl.de"
        },
         {
            "type": "package",
            "packagist.org": false,
            "package": {
                "name": "emn178/js-sha3",
                "version": "master",
                "license": [
                    "MIT"
                ],
                "source": {
                    "url": "https://github.com/emn178/js-sha3",
                    "type": "git",
                    "reference": "master"
                }
            }
        },
         {
            "type": "package",
            "packagist.org": false,
            "package": {
                "name": "gedmarc/layout",
                "version": "master",
                "license": [
                    "GPL-3.0-or-later",
                    "MIT"
                ],
                "source": {
                    "url": "https://github.com/GedMarc/layout",
                    "type": "git",
                    "reference": "master"
                }
            }
        },
        {
            "type": "package",
            "packagist.org": false,
            "package": {
                "name": "dcodeio/bcrypt.js",
                "version": "master",
                "license": [
                    "BSD-3-Clause",
                    "MIT"
                ],
                "source": {
                    "url": "https://github.com/dcodeIO/bcrypt.js",
                    "type": "git",
                    "reference": "master"
                }
            }
        },
         {
            "type": "package",
            "packagist.org": false,
            "package": {
                "name": "script47/bs5-utils",
                "version": "master",
                "license": [
                    "MIT"
                ],
                "source": {
                    "url": "https://github.com/Script47/bs5-utils",
                    "type": "git",
                    "reference": "master"
                }
            }
        },
         {
            "type": "package",
            "packagist.org": false,
            "package": {
                "name": "spamspan/spamspan",
                "version": "master",
                "license": "GPL-2.0-only",
                "dist": {
                    "url": "http://www.spamspan.com/releases/spamspan-latest.zip",
                    "type": "zip",
                    "reference": "master"
                }
            }
        }
    ],  
    "require": {
        "php": ">=7.0",

        "frdl/oiplus-composer-plugin" : ">=1.0.4",   

        "frdl/oidplus-io4-bridge-plugin" : ">=v0.0.4",      

       "knplabs/packagist-api" : "*",
       "frdl/composer-adapter" : "*",
       "frdl/event-module" : "*",   
       "yosymfony/resource-watcher" : "*",
       "frdl/iana-enterprise-numbers-fetcher" : "*",
       "hazaveh/verify-domain" : "*",

        "components/jquery": "^3.5",
        "components/jqueryui": "^1.12",
        "matthiasmullie/minify": "^1.3",
        "firebase/php-jwt": "*",
        "tinymce/tinymce": "^5.8",
        "dcodeio/bcrypt.js": "*@dev",
        "danielmarschall/vnag": "*@dev",
        "danielmarschall/uuid_mac_utils": "*@dev",
        "danielmarschall/php_utils": "*@dev",
        "danielmarschall/fileformats": "*@dev",
        "danielmarschall/oidconverter": "*@dev",
        "spamspan/spamspan": "*@dev",
        "vakata/jstree": "^3.3",
        "twbs/bootstrap": "^5.0",
        "symfony/polyfill-mbstring": "<=1.19",
        "gedmarc/layout": "*@dev",
        "emn178/js-sha3": "*@dev",
        "danielmarschall/php-sha3": "*@dev",
        "tweeb/tinymce-i18n": "^2.0",
        "phpseclib/phpseclib": "~3.0",
        "script47/bs5-utils": "*",
        "danielmarschall/glip": "0.1.3.x-dev",
        "ext-json": "*",
        "spomky-labs/php-punycode": "dev-master"
    },
    "scripts": {
        "post-update-cmd": [
            "curl https://curl.se/ca/cacert.pem -L -sS -o vendor/cacert.pem",
            "echo 'Options -Indexes' > vendor/.htaccess",
            "touch vendor/index.html"
        ],
        "post-install-cmd": [
            "curl https://curl.se/ca/cacert.pem -L -sS -o vendor/cacert.pem",
            "echo 'Options -Indexes' > vendor/.htaccess",
            "touch vendor/index.html"
        ]
    }
}
wehowski commented 4 months ago

Damit die Meldung nicht erscheint, habe ich im Prinzip nur geändert:

"firebase/php-jwt": "*",

Ich denke nicht, dass es große Auswirkungen auf OIDplus hat, habe aber noch nicht alles komplett getestet.

Das ist der zugehörige security report: https://security.snyk.io/vuln/SNYK-PHP-FIREBASEPHPJWT-2434829

danielmarschall commented 4 months ago

Das Problem ist, dass OIDplus dann nicht mehr mit PHP 7.0 kompatibel ist.

Von Snyk halte ich überhaupt nix. 99% der "Warnungen" und "Sicherheitslücken" sind nur Blödsinn und Falschmeldungen.

Auch der beschriebene JWT Bug trifft auf uns nicht zu.

wehowski commented 4 months ago

Ok, vielleicht hast Du recht.

Ich schließe das mal!?

wehowski commented 4 months ago

Noch als Nachtrag: Die Meldung kam aber NICHT von Snyk, das habe ich nur gegoogelt. Die Meldung kam von dem Package "roave/security-advisories": https://github.com/Roave/SecurityAdvisories

Wie auch immer. Das mit PHP 7 hatte ich nicht getestet, sorry!