puppet-php
no validation done during phpunit install
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 5.5.10 (not super relevant for this case)
- Ruby:
- Distribution: Debian
- Module version: master and older
What are you seeing
The php::phpunit class is using wget to download phpunit.phar but no validation/authenticity verification is done after the download. The downloaded file is then executed by puppet as root on servers with an exec resource.
This could lead to security issues.
What behaviour did you expect instead
Some kind of fingerprint validation would help in ensuring that the downloaded files were not tampered with.
On Debian, it could also be possible to install phpunit with distribution packages. They wouldn't be upstream's latest version, but Debian packages do offer authenticity validation by default.
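The unverified download pattern from the report next to two mitigations it suggests (a pinned checksum and the distribution package), as an added example that is not the puppet-php module's own code. The PHAR URL, the install path and the checksum placeholder are assumptions; the weak exec and the hardened file resource are alternatives and should not be applied to the same host together.

```puppet
# Before: the pattern described in the report. wget fetches the PHAR and
# nothing checks what arrived before it is later run as root.
exec { 'phpunit-download-unverified':
  command => 'wget -q -O /usr/local/bin/phpunit https://phar.phpunit.de/phpunit.phar',
  creates => '/usr/local/bin/phpunit',
  path    => ['/usr/bin', '/bin'],
}

# After: let Puppet fetch the file itself and refuse to install it unless the
# SHA-256 digest matches a value pinned per upstream release. The file resource
# accepts https:// sources together with checksum/checksum_value (Puppet >= 4.4);
# on a mismatch the resource fails and the binary is never placed on disk.
file { '/usr/local/bin/phpunit':
  ensure         => file,
  source         => 'https://phar.phpunit.de/phpunit.phar',   # assumed URL
  checksum       => 'sha256',
  checksum_value => '<PLACEHOLDER_SHA256_FROM_UPSTREAM_RELEASE>',  # pin per release
  owner          => 'root',
  group          => 'root',
  mode           => '0755',
}

# Alternative raised in the report: the Debian package, whose authenticity is
# verified by apt against the signed repository metadata.
package { 'phpunit':
  ensure => installed,
}
```

Update checksum_value whenever the pinned PHAR version changes; a stale digest will (correctly) make the run fail rather than silently accept a different file.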