mirror of
https://github.com/shivammathur/setup-php.git
synced 2026-06-18 15:40:54 +07:00
GHSA-f9f8-rm49-7jv2: Fix GitHub auth handling for composer in affected versions
This commit is contained in:
Shivam Mathur
@@ -3,6 +3,7 @@ $composer_home = "$env:APPDATA\Composer"
|
||||
$composer_bin = "$composer_home\vendor\bin"
|
||||
$composer_json = "$composer_home\composer.json"
|
||||
$composer_lock = "$composer_home\composer.lock"
|
||||
$skip_composer_github_auth = $false
|
||||
|
||||
# Function to configure composer.
|
||||
Function Edit-ComposerConfig() {
|
||||
@@ -23,6 +24,7 @@ Function Edit-ComposerConfig() {
|
||||
if (-not(Test-Path $composer_json)) {
|
||||
Set-Content -Path $composer_json -Value "{}"
|
||||
}
|
||||
Get-ToolVersion "composer" $null | Out-Null
|
||||
Set-ComposerEnv
|
||||
Add-Path $composer_bin
|
||||
Set-ComposerAuth
|
||||
@@ -74,8 +76,18 @@ function Test-GitHubPublicAccess {
|
||||
}
|
||||
}
|
||||
|
||||
Function Write-ComposerGhAuthNoOpWarning() {
|
||||
$message = (Get-Content (Join-Path $src 'configs\composer-gh-auth-warn') -Raw).Trim().Replace('%s', $composer_version)
|
||||
if($env:fail_fast -eq 'true') {
|
||||
Add-Log "$cross" "composer" $message
|
||||
} else {
|
||||
Write-Output "::warning::$message"
|
||||
}
|
||||
}
|
||||
|
||||
# Function to setup authentication in composer.
|
||||
Function Set-ComposerAuth() {
|
||||
$token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
|
||||
if(Test-Path env:COMPOSER_AUTH_JSON) {
|
||||
if(Test-Json -JSON $env:COMPOSER_AUTH_JSON) {
|
||||
Set-Content -Path $composer_home\auth.json -Value $env:COMPOSER_AUTH_JSON
|
||||
@@ -83,13 +95,18 @@ Function Set-ComposerAuth() {
|
||||
Add-Log "$cross" "composer" "Could not parse COMPOSER_AUTH_JSON as valid JSON"
|
||||
}
|
||||
}
|
||||
if($skip_composer_github_auth) {
|
||||
Write-ComposerGhAuthNoOpWarning
|
||||
}
|
||||
$composer_auth = @()
|
||||
if(Test-Path env:PACKAGIST_TOKEN) {
|
||||
$composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}'
|
||||
}
|
||||
$write_token = $true
|
||||
$token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
|
||||
if ($token) {
|
||||
if ($skip_composer_github_auth) {
|
||||
$write_token = $false
|
||||
}
|
||||
if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) {
|
||||
$write_token = $false
|
||||
}
|
||||
@@ -210,8 +227,13 @@ Function Add-Tool() {
|
||||
[ValidateNotNull()]
|
||||
$tool,
|
||||
[Parameter(Position = 2, Mandatory = $false)]
|
||||
$ver_param
|
||||
$ver_param,
|
||||
[Parameter(Position = 3, Mandatory = $false)]
|
||||
$skip_composer_github_auth
|
||||
)
|
||||
if($tool -eq "composer") {
|
||||
$script:skip_composer_github_auth = $skip_composer_github_auth -eq 'true'
|
||||
}
|
||||
$urls = $urls -split ','
|
||||
$tool_path = "$bin_dir\$tool"
|
||||
$is_exe = ((($urls[0] | Split-Path -Extension).ToLowerInvariant()) -eq '.exe')
|
||||
|
||||
@@ -3,6 +3,7 @@ export composer_home="$HOME/.composer"
|
||||
export composer_bin="$composer_home/vendor/bin"
|
||||
export composer_json="$composer_home/composer.json"
|
||||
export composer_lock="$composer_home/composer.lock"
|
||||
skip_composer_github_auth=false
|
||||
|
||||
# Function to extract tool version.
|
||||
get_tool_version() {
|
||||
@@ -41,6 +42,7 @@ configure_composer() {
|
||||
echo '{}' | tee "$composer_json" >/dev/null
|
||||
chmod 644 "$composer_json"
|
||||
fi
|
||||
get_tool_version composer >/dev/null
|
||||
set_composer_env
|
||||
add_path "$composer_bin"
|
||||
set_composer_auth
|
||||
@@ -70,22 +72,39 @@ can_access_public_github() {
|
||||
curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1
|
||||
}
|
||||
|
||||
composer_gh_auth_no_op() {
|
||||
local message
|
||||
message="$(<"${src:?}"/configs/composer-gh-auth-warn)"
|
||||
message="${message//%s/$composer_version}"
|
||||
if [ "${fail_fast:-false}" = "true" ]; then
|
||||
add_log "${cross:?}" "composer" "$message"
|
||||
else
|
||||
echo "::warning::$message"
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to setup authentication in composer.
|
||||
set_composer_auth() {
|
||||
if [ -n "$COMPOSER_AUTH_JSON" ]; then
|
||||
if php -r "json_decode('$COMPOSER_AUTH_JSON'); if(json_last_error() !== JSON_ERROR_NONE) { throw new Exception('invalid json'); }"; then
|
||||
echo "$COMPOSER_AUTH_JSON" | tee "$composer_home/auth.json" >/dev/null
|
||||
token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
|
||||
if [ -n "${COMPOSER_AUTH_JSON:-}" ]; then
|
||||
if printf '%s' "$COMPOSER_AUTH_JSON" | jq -e . >/dev/null; then
|
||||
printf '%s' "$COMPOSER_AUTH_JSON" | tee "$composer_home/auth.json" >/dev/null
|
||||
else
|
||||
add_log "${cross:?}" "composer" "Could not parse COMPOSER_AUTH_JSON as valid JSON"
|
||||
fi
|
||||
fi
|
||||
if [ "$skip_composer_github_auth" = "true" ]; then
|
||||
composer_gh_auth_no_op
|
||||
fi
|
||||
composer_auth=()
|
||||
if [ -n "$PACKAGIST_TOKEN" ]; then
|
||||
composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
|
||||
fi
|
||||
token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
|
||||
if [ -n "$token" ]; then
|
||||
write_token=true
|
||||
if [ "$skip_composer_github_auth" = "true" ]; then
|
||||
write_token=false
|
||||
fi
|
||||
if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
|
||||
can_access_public_github "$token" || write_token=false
|
||||
fi
|
||||
@@ -182,6 +201,9 @@ add_tool() {
|
||||
url=$1
|
||||
tool=$2
|
||||
ver_param=$3
|
||||
if [ "$tool" = "composer" ]; then
|
||||
skip_composer_github_auth="${4:-false}"
|
||||
fi
|
||||
tool_path="$tool_path_dir/$tool"
|
||||
if ! [ -d "$tool_path_dir" ]; then
|
||||
sudo mkdir -p "$tool_path_dir"
|
||||
|
||||
Reference in New Issue
Block a user