Update dependency composer/composer to v2.2.24 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
composer/composer (source)	2.1.9 -> 2.2.24

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-24828

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json readme field as a vector for injecting parameters into the $file argument for the Mercurial driver or via the $identifier argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project's composer.json.

To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.

CVE-2023-43655

Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches

2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

CVE-2024-24821

Impact

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

The following are of high risk:

• Composer being run with sudo.
• Pipelines which may execute Composer on untrusted projects.
• Shared environments with developers who run Composer individually on the same project.

Patches

2.7.0, 2.2.23

Workarounds

• It is advised that the patched versions are applied at the earliest convenience.

Where not possible, the following should be addressed:

• Remove all sudo composer privileges for all users to mitigate root privilege escalation.
• Avoid running Composer within an untrusted directory, or if needed, verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code.

A reset can also be done on these files by the following:

rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins

CVE-2024-35242

Impact

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.

CVE-2024-35241

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

---

Release Notes

composer/composer (composer/composer)

v2.2.24

Compare Source

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
• Security: Fixed perforce argument escaping (3773f77)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a74, 04a63b3)

v2.2.23

Compare Source

• Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)

v2.2.22

Compare Source

• Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#​11464)
  • Fixed handling of broken junctions on windows (#​11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#​11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#​11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#​11454)
  • Fixed support for plugin classes being marked as readonly (#​11404)
  • Fixed GitHub rate limit reporting (#​11366)
  • Fixed issue displaying solver problems with branch names containing % signs (#​11359)

v2.2.21

Compare Source

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#​11326)

v2.2.20

Compare Source

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#​11315)

v2.2.19

Compare Source

• Fixed URL sanitizer to handle new GitHub personal access tokens format (#​11137)
  • Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#​11229)
  • Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#​11037)
  • Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0

v2.2.18

Compare Source

• Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#​10995)
  • Fixed duplicate missing extension warnings being displayed (#​10938)
  • Fixed hg version detection (#​10955)
  • Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#​11004)

v2.2.17

Compare Source

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#​10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#​10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#​10925)
  • Fixed support for disable_functions containing disk_free_space (#​10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#​10940)

v2.2.16

Compare Source

• Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#​10920)
  • Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#​10920)
  • Fixed deprecation notice (#​10921)

v2.2.15

Compare Source

• Fixed support for cache-read-only where the filesystem is not writable (#​10906)
  • Fixed type error when using allow-plugins: true (#​10909)
  • Fixed @​putenv scripts receiving arguments passed to the command (#​10846)
  • Fixed support for spaces in paths with binary proxies on Windows (#​10836)
  • Fixed type error in GitDownloader if branches cannot be listed (#​10888)
  • Fixed RootPackageInterface issue on PHP 5.3.3 (#​10895)

v2.2.14

Compare Source

• Fixed handling of broken symlinks when checking whether a package is still installed (#​6708)
  • Fixed name validation regex in schema causing issues with JS IDEs like VS Code (#​10811)
  • Fixed bin proxies to allow a proxy to include another one safely (#​10823)
  • Fixed gitlab-token JSON schema definition (#​10800)
  • Fixed openssl 3.x version parsing as it is now semver compliant
  • Fixed type error when a json file cannot be read (#​10818)
  • Fixed parsing of multi-line arrays in funding.yml (#​10784)

v2.2.13

Compare Source

• Fixed invalid credentials loop when setting up GitLab token (#​10748)
  • Fixed PHP 8.2 deprecations (#​10766)
  • Fixed lock file changes being output even when the lock file creation is disabled
  • Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#​10763)
  • Fixed quoting of commas on Windows (#​10775)
  • Fixed issue installing path repos with a disabled symlink function (#​10786)

v2.2.12

Compare Source

• Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
  • Fixed curl downloader not retrying when a DNS resolution failure occurs (#​10716)
  • Fixed composer.lock file still being used/read when the lock config option is disabled (#​10726)
  • Fixed validate command checking the lock file even if the lock option is disabled (#​10723)

v2.2.11

Compare Source

• Added missing config.bitbucket-oauth in composer-schema.json
  • Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#​10682)
  • Updated semver, jsonlint deps for minor fixes
  • Fixed generation of autoload crashing if a package has a broken path (#​10688)
  • Removed dev-master=>dev-main alias from #​10372 as it does not work when reloading from lock file and extracting dev deps (#​10651)

v2.2.10

Compare Source

• Fixed Bitbucket authorization detection due to API changes (#​10657)
  • Fixed validate command warning about dist/source keys if defined (#​10655)
  • Fixed deletion/handling of corrupted 0-bytes zip archives (#​10666)

v2.2.9

Compare Source

• Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#​10621)

v2.2.8

Compare Source

• Fixed files autoloading sort order to be fully deterministic (#​10617)
  • Fixed pool optimization pass edge cases (#​10579)
  • Fixed require command failing when self.version is used as constraint (#​10593)
  • Fixed --no-ansi / undecorated output still showing color in repo warnings (#​10601)
  • Performance improvement in pool optimization step (composer/semver#131)

v2.2.7

Compare Source

• Allow installation together with composer/xdebug-handler ^3 (#​10528)
  • Fixed support for packages with no licenses in licenses command output (#​10537)
  • Fixed handling of allow-plugins: false which kept warning (#​10530)
  • Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#​10521)
  • Fixed author parsing in init command requiring an email whereas the schema allows a name only (#​10538)
  • Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#​10541)
  • Performance improvement in pool optimization step (#​10546)

v2.2.6

Compare Source

• BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#​10512)
  • Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#​10498)
  • Fixed package search not urlencoding the input (#​10500)
  • Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#​10514)
  • Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#​10482)
  • Fixed test suite compatibility with latest symfony/console releases (#​10499)
  • Fixed some error reporting edge cases (#​10484, #​10451, #​10493)

v2.2.5

Compare Source

• Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#​10458)
  • Fixed artifact repositories crashing if a phar file was present in the directory (#​10406)
  • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#​10468)
  • Fixed handling of non-string versions in package repositories metadata (#​10470)

v2.2.4

Compare Source

• Fixed handling of process timeout when running async processes during installation
  • Fixed GitLab API handling when projects have a repository disabled (#​10440)
  • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#​10434)
  • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#​10431)
  • Fixed support for sourcing binaries via the new bin proxies (#​10389)
  • Fixed messaging when GitHub tokens need SSO authorization (#​10432)

v2.2.3

Compare Source

• Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#​10387)
  • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#​10401)
  • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#336)
  • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#​10405)

v2.2.2

Compare Source

• Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#​10402)
  • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#​10387)
  • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#​10404)
  • Fixed UX of plugin warnings (#​10381)

v2.2.1

Compare Source

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#​10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#​10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#​10925)
  • Fixed support for disable_functions containing disk_free_space (#​10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#​10940)

v2.2.0

Compare Source

• Added support for using dev-main as the default path repo package version if no VCS info is available (#​10372)
  • Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#​10371)
  • Fixed self-update failing in some edge cases due to loading plugins (#​10371)
  • Fixed display of conflicts showing the wrong package name in some conditions (#​10355)

v2.1.14

Compare Source

• Fixed invalid release build

v2.1.12

Compare Source

• Fixed issues in proxied binary files relying on FILE / DIR on php <8 (#​10261)
  • Fixed 9999999-dev being shown in some cases by the show command (#​10260)
  • Fixed GitHub Actions output escaping regression on PHP 8.1 (#​10250)

v2.1.11

Compare Source

• Fixed issues in proxied binary files when using declare() on php <8 (#​10249)
  • Fixed GitHub Actions output escaping issues (#​10243)

v2.1.10

Compare Source

• Added type annotations to all classes, which may have an effect on CI/static analysis for people using Composer as a dependency (#​10159)
  • Fixed CurlDownloader requesting gzip encoding even when no gzip support is present (#​10153)
  • Fixed regression in 2.1.6 where the help command was not working for plugin commands (#​10147)
  • Fixed warning showing when an invalid cache dir is configured but unused (#​10125)
  • Fixed require command reverting changes even though dependency resolution succeeded when something fails in scripts for example (#​10118)
  • Fixed require not finding the right package version when some newly required extension is missing from the system (#​10167)
  • Fixed proxied binary file issues, now using output buffering (e1dbd65)
  • Fixed and improved error reporting in several edge cases (#​9804, #​10136, #​10163, #​10224, #​10209)
  • Fixed some more Windows CLI parameter escaping edge cases

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud