Security concerns with using Composer Install in production environment


Question


I am trying to design a deployment process for an enterprise level application. I have heard conflicting opinions on whether Composer can be used in the production environment.


I understand that running composer update would be a mistake since you can pull in untested versions. Instead, in production it is recommended that only composer install is used.


So that being said, my biggest concern is security. How easy is a man-in-the-middle attack? Is it possible, if packagist gets hacked, that we can pull down hacked code?


I don't want to have a manual process in place where each time I deploy I have to manually bring the vendor file over. Currently Jenkins will move the source files to production. I don't want to version control the vendor folder if at all possible.

  1. Should I actually be concerned about security if I use composer install?
  2. If I don't use composer in production, how do you suggest I deploy vendor files?

Recommended answer


Yes, you should be concerned and try to understand which data transports are involved.


The current implementation of Composer does use a lot of checksums internally, but there is no package signing involved, so anything that gets downloaded during composer install might be potentially any software depending on which servers hosting either the software repository or TGZ/ZIPs, or are asked about metadata, are a valid target that could be tampered with to affect what you'd install.


Note however that this isn't only related to security. If you depend on the software packages being installable during your production deployment, it is even more likely that any of the mentioned servers is offline. How would you protect your deployment against any server outages of third party software hosting? The answer to this question is pretty simple: Host the software locally.


And this answer will also affect the security question: If you host the software packages locally, you can also audit these versions before making them available internally. Depending on which level of security you need, you'd either check every single version you get, and restrict the available versions to only the few you are able to check, or you might create a more generous way of asserting that the software you get is fetched from the original Git repository, and create the ZIP version of the software locally (ZIPs are more convenient if you don't intend to further develop the packages IMO).


There are only two software products known that may help here: Toran Proxy is a commercial product from Jordi Boggiano (one of the Composer core developers) that is supposed to also help fund the development of Composer and the infrastructure. The other software is Satis, which also allows creating local copies of the packages you use.


Disclaimer: My answer probably does not get into the finer details, and may present some details too briefly or possibly wrong. It is not meant to address every security detail, but rather to give a broad overview. The security and authenticity checking of software packages is one topic that has been in discussion for quite some time (see https://github.com/composer/composer/issues/38 for example), but without any result so far.
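As an added example, not part of the original answer, here is a Satis configuration in the spirit of the "host the software locally" recommendation: it mirrors only the pinned, audited versions of the packages a project depends on (plus their dependencies) and serves them as ZIP archives built on the internal mirror, so a production composer install never has to trust packagist.org or upstream download servers at deploy time. The package names, version numbers and the mirror hostname are placeholders for illustration.

```json
{
  "name": "acme/internal-composer-mirror",
  "homepage": "https://composer-mirror.example.internal",
  "repositories": [
    { "type": "composer", "url": "https://packagist.org" }
  ],
  "require": {
    "monolog/monolog": "1.13.1",
    "guzzlehttp/guzzle": "5.3.0"
  },
  "require-dependencies": true,
  "require-dev-dependencies": false,
  "archive": {
    "directory": "dist",
    "format": "zip",
    "prefix-url": "https://composer-mirror.example.internal",
    "skip-dev": true
  }
}
```

After building the mirror with `satis build satis.json public/`, the consuming project's composer.json lists `{"type": "composer", "url": "https://composer-mirror.example.internal"}` under "repositories" together with `{"packagist.org": false}`, so composer install resolves the versions recorded in composer.lock exclusively from the audited local copies.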
