Alex Birsan recently published an article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" , in which he explained how he used language-level package managers like npm (Javascript), pip (Python) and gems (Ruby) to forcing companies to install and run malicious code on their infrastructure.
The problem boils down to the fact that companies refer to internal packages by name, for example
my-internal-package
, and an attacker publishes a package with the same name in the central registry / repository of language packages (for PHP it is packagist.org )
my-internal-package
having a higher version. The companies then installed and ran these malicious packages instead of their internal packages because their package manager was picking a higher version number from the standard package repository instead of the internal repository.
Talking about the solution to this problem for Composer and Packagist on Twitter, Geordie summarized the various measures Composer and Packagist are using to protect companies from this serious problem:
- Composer , ,
my-company/our-internal-pkg
. packagist.org. Packagist.org .my-company/
. packagist.org ( ), ,my-company/dummy-pkg
, , , .my-company/my-internal-package
, «» packagist.org. - Composer 2.0, . , , . packagist.org, . , , , Composer .
- Private Packagist , packagist.org, , , . Private Packagist Composer 1.x , Composer 2.
- Private Packagist packagist.org , Composer. , .
- Composer (lock file) URL . composer install, , . , , .
- With Composer 2, you can exclude the loading of package names or patterns for each repository. So you can be sure that even misspelled packages without a registered prefix on packagist.org will not be able to download from packagist.org by replacing the default configuration in composer.json. This exclusion filter can also be used for additional third-party package repositories.
"repositories": {
"private-repo": {
"url": "https://my-repo.internal"
}
"packagist.org": {
"url": "https://repo.packagist.org",
"exclude": ["myprefix/*"]
}
}
Attacks on the supply chain similar to the ones Alex described are a serious threat to companies and have been highlighted in the news lately, so it's important that your business understands the risks it faces and takes action to mitigate them.
Advertising
Are you looking for a VDS for debugging projects, a server for development and deployment? You are definitely our client :) Daily billing of servers, create your own configuration in a few clicks, anti-DDoS and Windows licenses are already included in the price.
