puppet-php
no validation done during composer install
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 5.5.10 (not super relevant for this case)
- Ruby:
- Distribution: Debian
- Module version: master and older
What are you seeing
The php::composer class is using the archive module to download composer.phar, but no validation/authenticity verification is done after the download. The downloaded file is then executed by puppet as root on servers with an exec resource.
This could lead to security issues.
What behaviour did you expect instead
Some kind of fingerprint validation would help in ensuring that the downloaded files were not tampered with.
On Debian, it could also be possible to install composer with distribution packages. They wouldn't be upstream's latest version, but Debian packages do offer authenticity validation by default.
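As an added illustration, and not code from puppet-php or from the reporter, here is the unverified download pattern the issue describes next to a hardened form that pins a release and its sha256 through the puppet-archive `archive` type's checksum parameters. The install path, the release number and the checksum placeholder are assumptions; the placeholder must be replaced with the digest published for the chosen release (composer.phar.sha256sum next to the download).

```puppet
# Added example, not code from voxpupuli/puppet-php. Paths, the release
# number and the checksum value are assumptions; the checksum is a
# placeholder, not a real digest.

# Weak: fetch whatever the URL serves today and trust it as-is.
archive { '/usr/local/bin/composer-unverified':
  ensure => present,
  source => 'https://getcomposer.org/composer.phar',
}

# Hardened: pin an exact release and its sha256. With checksum_verify
# set, puppet-archive compares the digest of the downloaded file and
# fails the resource on a mismatch instead of leaving the file in place.
$composer_version = '2.7.1'                              # assumed release
$composer_sha256  = 'REPLACE_WITH_PUBLISHED_SHA256'      # placeholder

archive { '/usr/local/bin/composer':
  ensure          => present,
  source          => "https://getcomposer.org/download/${composer_version}/composer.phar",
  checksum_type   => 'sha256',
  checksum        => $composer_sha256,
  checksum_verify => true,
}

# Ownership and mode are managed separately from the download.
file { '/usr/local/bin/composer':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  require => Archive['/usr/local/bin/composer'],
}

# Run the binary as root only after a verified download has changed,
# not on every agent run, so an unverified file is never executed.
exec { 'composer-version':
  command     => '/usr/local/bin/composer --version',
  refreshonly => true,
  subscribe   => Archive['/usr/local/bin/composer'],
}
```

The digest is pinned in the manifest on purpose: puppet-archive can also fetch an expected checksum from a `checksum_url`, but a checksum served from the same origin over the same channel as the artifact only catches corruption, not a compromised or impersonated source. Updating composer then means bumping both the version and the hash in one reviewed change.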