class VendorHardeningPlugin

Same name in other branches
  1. 9 composer/Plugin/VendorHardening/VendorHardeningPlugin.php \Drupal\Composer\Plugin\VendorHardening\VendorHardeningPlugin
  2. 10 composer/Plugin/VendorHardening/VendorHardeningPlugin.php \Drupal\Composer\Plugin\VendorHardening\VendorHardeningPlugin
  3. 11.x composer/Plugin/VendorHardening/VendorHardeningPlugin.php \Drupal\Composer\Plugin\VendorHardening\VendorHardeningPlugin

A Composer plugin to clean out your project's vendor directory.

This plugin will remove directory paths within installed packages. You might use this in order to mitigate the security risks of having your vendor directory within an HTTP server's docroot.

@internal

Hierarchy

  • class \Drupal\Composer\Plugin\VendorHardening\VendorHardeningPlugin implements \Composer\Plugin\PluginInterface, \Composer\EventDispatcher\EventSubscriberInterface

Expanded class hierarchy of VendorHardeningPlugin

See also

https://www.drupal.org/docs/develop/using-composer/using-drupals-vendor…

1 file declares its use of VendorHardeningPlugin
VendorHardeningPluginTest.php in core/tests/Drupal/Tests/Composer/Plugin/VendorHardening/VendorHardeningPluginTest.php

File

composer/Plugin/VendorHardening/VendorHardeningPlugin.php, line 27

Namespace

Drupal\Composer\Plugin\VendorHardening
View source
class VendorHardeningPlugin implements PluginInterface, EventSubscriberInterface {
    
    /**
     * Composer object.
     *
     * @var \Composer\Composer
     */
    protected $composer;
    
    /**
     * IO object.
     *
     * @var \Composer\IO\IOInterface
     */
    protected $io;
    
    /**
     * Configuration.
     *
     * @var \Drupal\Composer\Plugin\VendorHardening\Config
     */
    protected $config;
    
    /**
     * List of projects already cleaned
     *
     * @var string[]
     */
    protected $packagesAlreadyCleaned = [];
    
    /**
     * {@inheritdoc}
     */
    public function activate(Composer $composer, IOInterface $io) {
        $this->composer = $composer;
        $this->io = $io;
        // Set up configuration.
        $this->config = new Config($this->composer
            ->getPackage());
    }
    
    /**
     * {@inheritdoc}
     */
    public function deactivate(Composer $composer, IOInterface $io) {
    }
    
    /**
     * {@inheritdoc}
     */
    public function uninstall(Composer $composer, IOInterface $io) {
    }
    
    /**
     * {@inheritdoc}
     */
    public static function getSubscribedEvents() {
        return [
            ScriptEvents::POST_AUTOLOAD_DUMP => 'onPostAutoloadDump',
            ScriptEvents::POST_UPDATE_CMD => 'onPostCmd',
            ScriptEvents::POST_INSTALL_CMD => 'onPostCmd',
            PackageEvents::PRE_PACKAGE_INSTALL => 'onPrePackageInstall',
            PackageEvents::PRE_PACKAGE_UPDATE => 'onPrePackageUpdate',
            PackageEvents::POST_PACKAGE_INSTALL => 'onPostPackageInstall',
            PackageEvents::POST_PACKAGE_UPDATE => 'onPostPackageUpdate',
        ];
    }
    
    /**
     * POST_AUTOLOAD_DUMP event handler.
     *
     * @param \Composer\Script\Event $event
     *   The Composer event.
     */
    public function onPostAutoloadDump(Event $event) {
        $this->writeAccessRestrictionFiles($this->composer
            ->getConfig()
            ->get('vendor-dir'));
    }
    
    /**
     * POST_UPDATE_CMD and POST_INSTALL_CMD event handler.
     *
     * @param \Composer\Script\Event $event
     *   The Composer event.
     */
    public function onPostCmd(Event $event) {
        $this->cleanAllPackages($this->composer
            ->getConfig()
            ->get('vendor-dir'));
    }
    
    /**
     * PRE_PACKAGE_INSTALL event handler.
     *
     * @param \Composer\Installer\PackageEvent $event
     */
    public function onPrePackageInstall(PackageEvent $event) {
        
        /** @var \Composer\Package\CompletePackage $package */
        $package = $event->getOperation()
            ->getPackage();
        $this->removeBinBeforeCleanup($package);
    }
    
    /**
     * PRE_PACKAGE_UPDATE event handler.
     *
     * @param \Composer\Installer\PackageEvent $event
     */
    public function onPrePackageUpdate(PackageEvent $event) {
        
        /** @var \Composer\Package\CompletePackage $package */
        $package = $event->getOperation()
            ->getTargetPackage();
        $this->removeBinBeforeCleanup($package);
    }
    
    /**
     * POST_PACKAGE_INSTALL event handler.
     *
     * @param \Composer\Installer\PackageEvent $event
     */
    public function onPostPackageInstall(PackageEvent $event) {
        
        /** @var \Composer\Package\CompletePackage $package */
        $package = $event->getOperation()
            ->getPackage();
        $package_name = $package->getName();
        $this->cleanPackage($this->composer
            ->getConfig()
            ->get('vendor-dir'), $package_name);
    }
    
    /**
     * POST_PACKAGE_UPDATE event handler.
     *
     * @param \Composer\Installer\PackageEvent $event
     */
    public function onPostPackageUpdate(PackageEvent $event) {
        
        /** @var \Composer\Package\CompletePackage $package */
        $package = $event->getOperation()
            ->getTargetPackage();
        $package_name = $package->getName();
        $this->cleanPackage($this->composer
            ->getConfig()
            ->get('vendor-dir'), $package_name);
    }
    
    /**
     * Remove bin config for packages that would have the bin file removed.
     *
     * Where the configured bin files are in the directories to be removed, remove
     * the bin config.
     *
     * @param \Composer\Package\BasePackage $package
     *   The package we're cleaning up.
     */
    protected function removeBinBeforeCleanup(BasePackage $package) {
        // We can process AliasPackage and Package objects, and they share the
        // BasePackage parent class. However, since there is no common interface for
        // these package types that allow for the setBinaries() method, and since
        // BasePackage does not include the setBinaries() method, we have to make
        // sure we're processing a class with a setBinaries() method.
        if (!method_exists($package, 'setBinaries')) {
            return;
        }
        $binaries = $package->getBinaries();
        $clean_paths = $this->config
            ->getPathsForPackage($package->getName());
        // Only do this if there are binaries and cleanup paths.
        if (!$binaries || !$clean_paths) {
            return;
        }
        if ($unset_these_binaries = $this->findBinOverlap($binaries, $clean_paths)) {
            $this->io
                ->writeError(sprintf('%sModifying bin config for <info>%s</info> which overlaps with cleanup directories.', str_repeat(' ', 4), $package->getName()), TRUE, IOInterface::VERBOSE);
            $modified_binaries = [];
            foreach ($binaries as $binary) {
                if (!in_array($binary, $unset_these_binaries)) {
                    $modified_binaries[] = $binary;
                }
            }
            $package->setBinaries($modified_binaries);
        }
    }
    
    /**
     * Find bin files which are inside cleanup directories.
     *
     * @param string[] $binaries
     *   'Bin' configuration from the package we're cleaning up.
     * @param string[] $clean_paths
     *   The paths we're cleaning up.
     *
     * @return string[]
     *   Bin files to remove, with the file as both the key and the value.
     */
    protected function findBinOverlap($binaries, $clean_paths) {
        // Make a filesystem model to explore. This is a keyed array that looks like
        // all the places that will be removed by cleanup. 'tests/src' becomes
        // $filesystem['tests']['src'] = TRUE;
        $filesystem = [];
        foreach ($clean_paths as $clean_path) {
            $clean_pieces = explode("/", $clean_path);
            $current =& $filesystem;
            foreach ($clean_pieces as $clean_piece) {
                $current =& $current[$clean_piece];
            }
            $current = TRUE;
        }
        // Explore the filesystem with our bin config.
        $unset_these_binaries = [];
        foreach ($binaries as $binary) {
            $binary_pieces = explode('/', $binary);
            $current =& $filesystem;
            foreach ($binary_pieces as $binary_piece) {
                if (!isset($current[$binary_piece])) {
                    break;
                }
                else {
                    // Value of TRUE means we're at the end of the path.
                    if ($current[$binary_piece] === TRUE) {
                        $unset_these_binaries[$binary] = $binary;
                        break;
                    }
                }
                $current =& $filesystem[$binary_piece];
            }
        }
        return $unset_these_binaries;
    }
    
    /**
     * Gets a list of all installed packages from Composer.
     *
     * @return \Composer\Package\PackageInterface[]
     *   The list of installed packages.
     */
    protected function getInstalledPackages() {
        return $this->composer
            ->getRepositoryManager()
            ->getLocalRepository()
            ->getPackages();
    }
    
    /**
     * Clean all configured packages.
     *
     * This applies in the context of a post-command event.
     *
     * @param string $vendor_dir
     *   Path to vendor directory
     */
    public function cleanAllPackages($vendor_dir) {
        // Get a list of all the packages available after the update or install
        // command.
        $installed_packages = [];
        foreach ($this->getInstalledPackages() as $package) {
            // Normalize package names to lower case.
            $installed_packages[strtolower($package->getName())] = $package;
        }
        // Get all the packages that we should clean up but haven't already.
        $cleanup_packages = array_diff_key($this->config
            ->getAllCleanupPaths(), $this->packagesAlreadyCleaned);
        // Get all the packages that are installed that we should clean up.
        $packages_to_be_cleaned = array_intersect_key($cleanup_packages, $installed_packages);
        if (!$packages_to_be_cleaned) {
            $this->io
                ->writeError('<info>Vendor directory already clean.</info>');
            return;
        }
        $this->io
            ->writeError('<info>Cleaning vendor directory.</info>');
        foreach ($packages_to_be_cleaned as $package_name => $paths_for_package) {
            $this->cleanPathsForPackage($vendor_dir, $package_name, $paths_for_package);
        }
    }
    
    /**
     * Clean a single package.
     *
     * This applies in the context of a package post-install or post-update event.
     *
     * @param string $vendor_dir
     *   Path to vendor directory
     * @param string $package_name
     *   Name of the package to clean
     */
    public function cleanPackage($vendor_dir, $package_name) {
        // Normalize package names to lower case.
        $package_name = strtolower($package_name);
        if (isset($this->packagesAlreadyCleaned[$package_name])) {
            $this->io
                ->writeError(sprintf('%s<info>%s</info> already cleaned.', str_repeat(' ', 4), $package_name), TRUE, IOInterface::VERY_VERBOSE);
            return;
        }
        $paths_for_package = $this->config
            ->getPathsForPackage($package_name);
        if ($paths_for_package) {
            $this->io
                ->writeError(sprintf('%sCleaning: <info>%s</info>', str_repeat(' ', 4), $package_name));
            $this->cleanPathsForPackage($vendor_dir, $package_name, $paths_for_package);
        }
    }
    
    /**
     * Clean the installed directories for a named package.
     *
     * @param string $vendor_dir
     *   Path to vendor directory.
     * @param string $package_name
     *   Name of package to sanitize.
     * @param string $paths_for_package
     *   List of directories in $package_name to remove
     */
    protected function cleanPathsForPackage($vendor_dir, $package_name, $paths_for_package) {
        // Whatever happens here, this package counts as cleaned so that we don't
        // process it more than once.
        $this->packagesAlreadyCleaned[$package_name] = TRUE;
        $package_dir = $vendor_dir . '/' . $package_name;
        if (!is_dir($package_dir)) {
            return;
        }
        $this->io
            ->writeError(sprintf('%sCleaning directories in <comment>%s</comment>', str_repeat(' ', 4), $package_name), TRUE, IOInterface::VERY_VERBOSE);
        $fs = new Filesystem();
        foreach ($paths_for_package as $cleanup_item) {
            $cleanup_path = $package_dir . '/' . $cleanup_item;
            if (!is_dir($cleanup_path)) {
                // If the package has changed or the --prefer-dist version does not
                // include the directory. This is not an error.
                $this->io
                    ->writeError(sprintf("%s<comment>Directory '%s' does not exist.</comment>", str_repeat(' ', 6), $cleanup_path), TRUE, IOInterface::VERY_VERBOSE);
                continue;
            }
            if (!$fs->removeDirectory($cleanup_path)) {
                // Always display a message if this fails as it means something
                // has gone wrong. Therefore the message has to include the
                // package name as the first informational message might not
                // exist.
                $this->io
                    ->writeError(sprintf("%s<error>Failure removing directory '%s'</error> in package <comment>%s</comment>.", str_repeat(' ', 6), $cleanup_item, $package_name), TRUE, IOInterface::NORMAL);
                continue;
            }
            $this->io
                ->writeError(sprintf("%sRemoving directory <info>'%s'</info>", str_repeat(' ', 4), $cleanup_item), TRUE, IOInterface::VERBOSE);
        }
    }
    
    /**
     * Place .htaccess and web.config files into the vendor directory.
     *
     * @param string $vendor_dir
     *   Path to vendor directory.
     */
    public function writeAccessRestrictionFiles($vendor_dir) {
        $this->io
            ->writeError('<info>Hardening vendor directory with .htaccess and web.config files.</info>');
        // Prevent access to vendor directory on Apache servers.
        FileSecurity::writeHtaccess($vendor_dir, TRUE);
        // Prevent access to vendor directory on IIS servers.
        FileSecurity::writeWebConfig($vendor_dir);
    }

}

Members

Title Sort descending Modifiers Object type Summary
VendorHardeningPlugin::$composer protected property Composer object.
VendorHardeningPlugin::$config protected property Configuration.
VendorHardeningPlugin::$io protected property IO object.
VendorHardeningPlugin::$packagesAlreadyCleaned protected property List of projects already cleaned
VendorHardeningPlugin::activate public function
VendorHardeningPlugin::cleanAllPackages public function Clean all configured packages.
VendorHardeningPlugin::cleanPackage public function Clean a single package.
VendorHardeningPlugin::cleanPathsForPackage protected function Clean the installed directories for a named package.
VendorHardeningPlugin::deactivate public function
VendorHardeningPlugin::findBinOverlap protected function Find bin files which are inside cleanup directories.
VendorHardeningPlugin::getInstalledPackages protected function Gets a list of all installed packages from Composer.
VendorHardeningPlugin::getSubscribedEvents public static function
VendorHardeningPlugin::onPostAutoloadDump public function POST_AUTOLOAD_DUMP event handler.
VendorHardeningPlugin::onPostCmd public function POST_UPDATE_CMD and POST_INSTALL_CMD event handler.
VendorHardeningPlugin::onPostPackageInstall public function POST_PACKAGE_INSTALL event handler.
VendorHardeningPlugin::onPostPackageUpdate public function POST_PACKAGE_UPDATE event handler.
VendorHardeningPlugin::onPrePackageInstall public function PRE_PACKAGE_INSTALL event handler.
VendorHardeningPlugin::onPrePackageUpdate public function PRE_PACKAGE_UPDATE event handler.
VendorHardeningPlugin::removeBinBeforeCleanup protected function Remove bin config for packages that would have the bin file removed.
VendorHardeningPlugin::uninstall public function
VendorHardeningPlugin::writeAccessRestrictionFiles public function Place .htaccess and web.config files into the vendor directory.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.