
no validation done during phpunit install

Open lelutin opened this issue 4 years ago • 0 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.10 (not super relevant for this case)
  • Ruby:
  • Distribution: Debian
  • Module version: master and older

What are you seeing

The php::phpunit class is using wget to download phpunit.phar but no validation/authenticity verification is done after the download. The downloaded file is then executed by puppet as root on servers with an exec resource.

This could lead to security issues.

What behaviour did you expect instead

Some kind of fingerprint validation would help in ensuring that the downloaded files were not tampered with.

On Debian, it could also be possible to install phpunit with distribution packages. They wouldn't be upstream's latest version, but Debian packages do offer authenticity validation by default.

lelutin Dec 26 '19 19:12
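The fingerprint check the issue asks for, as an added example that is not code from puppet-php or from the issue author: a POSIX shell fragment, of the kind an `exec` resource could call, that refuses to install a downloaded `phpunit.phar` unless its SHA-256 matches a digest pinned from upstream's separately published checksum. The function names `verify_phar` and `install_phar`, the paths and the demonstration file are assumptions or constructed; the pinned digest used in the demonstration is the SHA-256 of the three-byte string `abc`, not of any real phar.

```shell
#!/bin/sh
# Added example (not puppet-php code): gate execution of a downloaded phar on a
# pinned SHA-256 digest. The digest must come from a trusted, separately obtained
# source (upstream's signed release notes or checksum file), never from the same
# unauthenticated download at install time.

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_phar FILE EXPECTED_DIGEST
# Returns 0 when FILE's SHA-256 equals EXPECTED_DIGEST, 1 otherwise (including a
# missing file). The hex comparison is case-insensitive.
verify_phar() {
    file="$1"
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || { echo "verify_phar: $file missing" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_phar: digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_phar FILE EXPECTED_DIGEST DEST
# Copies FILE to DEST (mode 0755) only when the digest matches. On mismatch the
# downloaded file is deleted so a later exec cannot run tampered content.
install_phar() {
    file="$1"; expected="$2"; dest="$3"
    if verify_phar "$file" "$expected"; then
        install -m 0755 "$file" "$dest"
        return 0
    fi
    rm -f "$file"
    return 1
}

# Constructed demonstration (no network): a stand-in "phar" containing the bytes
# "abc", whose SHA-256 is a well-known test vector that plays the role of the
# upstream-published digest. A second, tampered copy must be rejected.
PINNED_DIGEST=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/phpunit.phar"
printf 'abd' > "$demo_dir/tampered.phar"
install_phar "$demo_dir/phpunit.phar" "$PINNED_DIGEST" "$demo_dir/phpunit" \
    && echo "installed $demo_dir/phpunit"
install_phar "$demo_dir/tampered.phar" "$PINNED_DIGEST" "$demo_dir/phpunit2" \
    || echo "rejected tampered download (file removed)"
```

In a manifest this would sit between the download and the execution step: the `exec` that runs the phar depends on the verification succeeding, and the digest is a parameter pinned alongside the version rather than fetched from the download host.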