webksde / ddev-vscode-devcontainer-drupal-template

Drupal DDEV based development container with attached Visual Studio Code

Allow necessary composer plugins to execute code on startup without manually allowing them. #77

Closed joshsedl closed 2 years ago

joshsedl commented 2 years ago

EXAMPLE: "Do you trust "dealerdirect/phpcodesniffer-composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]"

JPustkuchen commented 2 years ago

Thank you @joshsedl. This should not be skipped, as it's an important security feature to only allow listed plugins to run.

Instead, add the known, whitelisted ones to the composer.json in general before.

joshsedl commented 2 years ago

I know this is an important security feature. I meant allowing the composer packages we need to execute code to do so.

joshsedl commented 2 years ago

Ok, currently this should not be implemented, because there is no proper command to allow the plugins.

The problem is that we cannot set the allowed plugins on startup. Using composer config will not do anything, because we would need to set all values after creating the composer.json. Since we create the composer.json using composer create -y 'drupal/recommended-project', we already need to allow plugins during setup, so defining the allowed plugins after initialization will not fix the first few prompts for 'drupal/recommended-project'.

Another workaround would be to call all composer methods with -n or --no-interaction. The problem with this is that it will be deprecated in July 2022, and all methods called like this will have the corresponding plugins automatically disallowed:

For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.

JPustkuchen commented 2 years ago

One possible workaround could be to provide a template composer file, which already allows this. But quite strange, others should also have the problem in CI / CD...

Or we need to use a different strategy here in general.

joshsedl commented 2 years ago

Our strategy is good, we just need to wait for https://www.drupal.org/project/drupal/issues/3255749 to be solved, and then add all our additional startup composer packages to the "allow-plugins" section, via composer config. 👍

joshsedl commented 2 years ago

Very nice! https://www.drupal.org/project/drupal/issues/3255749 is fixed! Allowing the remaining composer packages in our startup script...
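The two comments above (the one explaining why the plugins cannot be whitelisted before composer.json exists, and the one deciding to add the startup plugins to "allow-plugins" via composer config once drupal/recommended-project ships its own list) both come down to the same check: does composer.json carry an explicit per-package allow-plugins map, with no wildcard and no blanket `true`, that names every plugin the startup script depends on? The script below is an added example, not code from this repository or from Drupal. It does offline what `composer config --no-plugins allow-plugins.<vendor/package> true` does per package, and it also refuses to keep a `"*": true` entry or a bare `"allow-plugins": true`, since either one silently re-enables "any plugin may run code". The package list beyond dealerdirect/phpcodesniffer-composer-installer (the one quoted in the issue) and the sample composer.json are assumptions constructed for the example.

```python
"""Check and repair the allow-plugins whitelist in a composer.json.

Added example; not part of the ddev-vscode-devcontainer-drupal-template
repository. Composer 2.2+ reads config.allow-plugins as a map of
"vendor/package": true|false, with "*" acting as a wildcard and a bare
`true` meaning "trust every plugin".
"""
import json
from typing import Iterable, List

# Plugins a startup script like the one discussed would rely on.
# The first entry is the package named in the issue; the rest are
# assumed for this example, not taken from the project.
REQUIRED_PLUGINS = (
    "dealerdirect/phpcodesniffer-composer-installer",
    "composer/installers",
    "drupal/core-composer-scaffold",
    "drupal/core-project-message",
)

# Constructed sample: a composer.json that already lists two plugins but
# not all of the ones the startup script needs.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/drupal-project",
    "require": {"drupal/core-recommended": "^10"},
    "config": {
        "sort-packages": True,
        "allow-plugins": {
            "composer/installers": True,
            "drupal/core-composer-scaffold": True,
        },
    },
}, indent=4)


def find_problems(composer_json: str,
                  required: Iterable[str] = REQUIRED_PLUGINS) -> List[str]:
    """Return a list of findings; an empty list means the whitelist is sound."""
    composer = json.loads(composer_json)
    allow = composer.get("config", {}).get("allow-plugins")
    problems: List[str] = []
    if allow is True:
        # Blanket trust: equivalent to answering "y" to every prompt, forever.
        return ["allow-plugins is `true`: every plugin may run code"]
    if not isinstance(allow, dict):
        # Missing or `false`: Composer will prompt (or, non-interactively,
        # disallow every plugin), which is exactly the startup failure.
        allow = {}
        problems.append("allow-plugins is missing or not a per-package map")
    if allow.get("*") is True:
        problems.append("allow-plugins contains '*': wildcard disables the whitelist")
    for name in required:
        if allow.get(name) is not True:
            problems.append(f"{name} is not allowed")
    return problems


def ensure_allow_plugins(composer_json: str,
                         required: Iterable[str] = REQUIRED_PLUGINS) -> str:
    """Return composer.json text with every required plugin allowed explicitly.

    Existing per-package entries are kept; a wildcard entry or a blanket
    `true` is replaced by an explicit map, so trust never widens.
    """
    composer = json.loads(composer_json)
    config = composer.setdefault("config", {})
    allow = config.get("allow-plugins")
    if not isinstance(allow, dict):
        allow = {}
    allow.pop("*", None)
    for name in required:
        allow[name] = True
    config["allow-plugins"] = allow
    return json.dumps(composer, indent=4) + "\n"


if __name__ == "__main__":
    # Typical use from a startup script: run the check, repair if needed,
    # then write the result back over composer.json before `composer install`.
    for finding in find_problems(SAMPLE_COMPOSER_JSON):
        print("before:", finding)
    fixed = ensure_allow_plugins(SAMPLE_COMPOSER_JSON)
    print("after:", find_problems(fixed) or "ok")
```

In a devcontainer startup script this runs right after composer.json exists (after create-project, which is why it must be idempotent and must not touch entries the upstream template already ships) and before the first `composer install`, so no interactive prompt is ever reached and no plugin outside the named list gets to run code.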