Merge up 1.3.x to 1.4.x for security vulnerability patches

Author: asgrim

.github/workflows/build-assets.yml

@@ -26,6 +26,7 @@ jobs:
         php-versions:
           - '8.1'
     permissions:
+      contents: read
       # id-token:write is required for build provenance attestation.
       id-token: write
       # attestations:write is required for build provenance attestation.
@@ -55,7 +56,7 @@ jobs:
         # unprivileged context, otherwise anyone could send a PR with malicious
         # code, which would store attestation that `php/pie` built the PHAR, and
         # it would look genuine. So this should NOT run for PR builds.
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' && github.event.repository.visibility == 'public'
         uses: actions/attest@v4
         with:
           subject-path: '${{ github.workspace }}/pie.phar'
@@ -80,6 +81,7 @@ jobs:
           - macos-26
 #          - windows-2025 - disabled for now, seems broken
     permissions:
+      contents: read
       # id-token:write is required for build provenance attestation.
       id-token: write
       # attestations:write is required for build provenance attestation.
@@ -156,7 +158,7 @@ jobs:
         # unprivileged context, otherwise anyone could send a PR with malicious
         # code, which would store attestation that `php/pie` built the binaries,
         # and it would look genuine. So this should NOT run for PR builds.
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' && github.event.repository.visibility == 'public'
         uses: actions/attest@v4
         with:
           subject-path: '${{ github.workspace }}/${{ env.PIE_BINARY_OUTPUT }}'

phpstan-baseline.neon

@@ -55,10 +55,10 @@ parameters:
 			path: src/Command/RepositoryRemoveCommand.php
 
 		-
-			message: '#^Parameter \#2 \$content of static method Php\\Pie\\File\\SudoFilePut\:\:contents\(\) expects string, string\|false given\.$#'
+			message: '#^Parameter \#1 \$tag of class Php\\Pie\\SelfManage\\Update\\ReleaseMetadata constructor expects non\-empty\-string, mixed given\.$#'
 			identifier: argument.type
 			count: 1
-			path: src/Command/SelfUpdateCommand.php
+			path: src/Command/SelfVerifyCommand.php
 
 		-
 			message: '#^Cannot cast mixed to string\.$#'
@@ -447,13 +447,13 @@ parameters:
 		-
 			message: '#^Parameter \#1 \$certificate of function openssl_x509_export expects OpenSSLCertificate\|string, OpenSSLCertificate\|false given\.$#'
 			identifier: argument.type
-			count: 2
+			count: 4
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#1 \$csr of function openssl_csr_sign expects OpenSSLCertificateSigningRequest\|string, OpenSSLCertificateSigningRequest\|false given\.$#'
 			identifier: argument.type
-			count: 2
+			count: 4
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
@@ -463,43 +463,61 @@ parameters:
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
-			message: '#^Parameter \#1 \$string of function trim expects string, array\<string\>\|string given\.$#'
+			message: '#^Parameter \#1 \$string of function strlen expects string, string\|false given\.$#'
 			identifier: argument.type
 			count: 1
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
+		-
+			message: '#^Parameter \#1 \$string of function trim expects string, array\<string\>\|string given\.$#'
+			identifier: argument.type
+			count: 2
+			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
+
 		-
 			message: '#^Parameter \#2 \$ca_certificate of function openssl_csr_sign expects OpenSSLCertificate\|string\|null, OpenSSLCertificate\|false given\.$#'
 			identifier: argument.type
-			count: 1
+			count: 2
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#2 \$dsseEnvelopePayload of method Php\\PieUnitTest\\SelfManage\\Verify\\FallbackVerificationUsingOpenSslTest\:\:mockAttestationResponse\(\) expects string, string\|false given\.$#'
 			identifier: argument.type
-			count: 3
+			count: 4
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#3 \$private_key of function openssl_csr_sign expects array\|OpenSSLAsymmetricKey\|OpenSSLCertificate\|string, mixed given\.$#'
 			identifier: argument.type
-			count: 2
+			count: 4
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#3 \$private_key of function openssl_sign expects array\|OpenSSLAsymmetricKey\|OpenSSLCertificate\|string, mixed given\.$#'
 			identifier: argument.type
+			count: 2
+			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
+
+		-
+			message: '#^Parameter \#3 \$signature of method Php\\PieUnitTest\\SelfManage\\Verify\\FallbackVerificationUsingOpenSslTest\:\:mockAttestationResponse\(\) expects string, mixed given\.$#'
+			identifier: argument.type
 			count: 1
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#3 \$subject of function str_replace expects array\<string\>\|string, mixed given\.$#'
 			identifier: argument.type
-			count: 1
+			count: 2
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
 
 		-
 			message: '#^Parameter \#4 \$body of class Composer\\Util\\Http\\Response constructor expects string\|null, string\|false given\.$#'
 			identifier: argument.type
 			count: 1
 			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php
+
+		-
+			message: '#^Parameter \#4 \$pemCertificate of method Php\\PieUnitTest\\SelfManage\\Verify\\FallbackVerificationUsingOpenSslTest\:\:mockAttestationResponse\(\) expects string, mixed given\.$#'
+			identifier: argument.type
+			count: 1
+			path: test/unit/SelfManage/Verify/FallbackVerificationUsingOpenSslTest.php

src/Command/SelfUpdateCommand.php

@@ -6,7 +6,6 @@
 
 use Composer\IO\IOInterface;
 use Composer\IO\NullIO;
-use Composer\Util\HttpDownloader;
 use Php\Pie\ComposerIntegration\PieComposerFactory;
 use Php\Pie\ComposerIntegration\PieComposerRequest;
 use Php\Pie\ComposerIntegration\QuieterConsoleIO;
@@ -116,9 +115,12 @@ public function execute(InputInterface $input, OutputInterface $output): int
             ),
         );
 
-        $httpDownloader        = new HttpDownloader($this->quieterConsoleIo, $composer->getConfig());
-        $fetchLatestPieRelease = new FetchPieReleaseFromGitHub($this->githubApiBaseUrl, $httpDownloader);
-        $verifyPiePhar         = VerifyPieReleaseUsingAttestation::factory();
+        $fetchLatestPieRelease = FetchPieReleaseFromGitHub::factory(
+            $this->quieterConsoleIo,
+            $composer->getConfig(),
+            $this->githubApiBaseUrl,
+        );
+        $verifyPiePhar         = VerifyPieReleaseUsingAttestation::factory($fetchLatestPieRelease);
 
         if ($updateChannel === Channel::Nightly) {
             $latestRelease = new ReleaseMetadata(
@@ -177,12 +179,30 @@ public function execute(InputInterface $input, OutputInterface $output): int
             return Command::FAILURE;
         }
 
+        $pharContents = file_get_contents($pharFilename->filePath);
+
+        if ($pharContents === false) {
+            $this->io->writeError(sprintf('<error>%s Failed to read the downloaded PHAR file %s</error>', Emoji::CROSS, $pharFilename->filePath));
+            unlink($pharFilename->filePath);
+
+            return Command::FAILURE;
+        }
+
+        try {
+            $pharFilename->verifyContent($pharContents);
+        } catch (Throwable) {
+            $this->io->writeError(sprintf('<error>%s PHAR contents changed after verification; aborting self-update</error>', Emoji::CROSS));
+            unlink($pharFilename->filePath);
+
+            return Command::FAILURE;
+        }
+
         $fullPathToSelf = ($this->fullPathToSelf)();
         $this->io->write(
             sprintf('Writing new version to %s', $fullPathToSelf),
             verbosity: IOInterface::VERBOSE,
         );
-        SudoFilePut::contents($fullPathToSelf, file_get_contents($pharFilename->filePath));
+        SudoFilePut::contents($fullPathToSelf, $pharContents);
         unlink($pharFilename->filePath);
 
         $this->io->write(sprintf(

src/Command/SelfVerifyCommand.php

@@ -5,15 +5,22 @@
 namespace Php\Pie\Command;
 
 use Composer\IO\IOInterface;
+use Composer\IO\NullIO;
+use Php\Pie\ComposerIntegration\PieComposerFactory;
+use Php\Pie\ComposerIntegration\PieComposerRequest;
+use Php\Pie\ComposerIntegration\QuieterConsoleIO;
 use Php\Pie\File\BinaryFile;
 use Php\Pie\File\FullPathToSelf;
+use Php\Pie\SelfManage\Update\FetchPieReleaseFromGitHub;
 use Php\Pie\SelfManage\Update\ReleaseMetadata;
 use Php\Pie\SelfManage\Verify\FailedToVerifyRelease;
 use Php\Pie\SelfManage\Verify\VerifyPieReleaseUsingAttestation;
 use Php\Pie\Util\Emoji;
 use Php\Pie\Util\PieVersion;
+use Psr\Container\ContainerInterface;
 use Symfony\Component\Console\Attribute\AsCommand;
 use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
 
@@ -25,9 +32,15 @@
 )]
 final class SelfVerifyCommand extends Command
 {
+    private const ARGUMENT_VERSION = 'version';
+
+    /** @param non-empty-string $githubApiBaseUrl */
     public function __construct(
+        private readonly string $githubApiBaseUrl,
         private readonly FullPathToSelf $fullPathToSelf,
         private readonly IOInterface $io,
+        private readonly QuieterConsoleIO $quieterConsoleIo,
+        private readonly ContainerInterface $container,
     ) {
         parent::__construct();
     }
@@ -37,6 +50,11 @@ public function configure(): void
         parent::configure();
 
         CommandHelper::configurePhpConfigOptions($this);
+        $this->addArgument(
+            self::ARGUMENT_VERSION,
+            InputArgument::OPTIONAL,
+            'The version of PIE you expect to be running (e.g. 1.4.4 or nightly)',
+        );
     }
 
     public function execute(InputInterface $input, OutputInterface $output): int
@@ -47,15 +65,40 @@ public function execute(InputInterface $input, OutputInterface $output): int
             return Command::FAILURE;
         }
 
-        $latestRelease = new ReleaseMetadata(PieVersion::get(), 'blah');
+        $expectedVersion = $input->getArgument(self::ARGUMENT_VERSION);
+
+        if ($expectedVersion === null) {
+            $expectedVersion = PieVersion::get();
+            $this->io->write(sprintf('<comment>No version specified, verifying against the version this PHAR claims to be (%s).</comment>', $expectedVersion));
+        }
+
+        $targetPlatform = CommandHelper::determineTargetPlatformFromInputs($input, $this->io);
+
+        CommandHelper::applyNoCacheOptionIfSet($input, $this->io);
+
+        $composer = PieComposerFactory::createPieComposer(
+            $this->container,
+            PieComposerRequest::noOperation(
+                new NullIO(),
+                $targetPlatform,
+            ),
+        );
+
+        $fetchLatestPieRelease = FetchPieReleaseFromGitHub::factory(
+            $this->quieterConsoleIo,
+            $composer->getConfig(),
+            $this->githubApiBaseUrl,
+        );
+
+        $latestRelease = new ReleaseMetadata($expectedVersion, 'blah');
         $pharFilename  = BinaryFile::fromFileWithSha256Checksum(($this->fullPathToSelf)());
-        $verifyPiePhar = VerifyPieReleaseUsingAttestation::factory();
+        $verifyPiePhar = VerifyPieReleaseUsingAttestation::factory($fetchLatestPieRelease);
 
         try {
             $verifyPiePhar->verify($latestRelease, $pharFilename, $this->io);
         } catch (FailedToVerifyRelease $failedToVerifyRelease) {
             $this->io->writeError(sprintf(
-                '<error>❌ Failed to verify the pie.phar release %s: %s</error>',
+                '<error>❌ Failed to verify that this PIE binary is the authentic release %s: %s</error>',
                 $latestRelease->tag,
                 $failedToVerifyRelease->getMessage(),
             ));
@@ -64,7 +107,7 @@ public function execute(InputInterface $input, OutputInterface $output): int
         }
 
         $this->io->write(sprintf(
-            '<info>%s You are running an authentic PIE version %s.</info>',
+            '<info>%s This is an authentic PIE release for version %s.</info>',
             Emoji::GREEN_CHECKMARK,
             $latestRelease->tag,
         ));

src/ComposerIntegration/UninstallProcess.php

@@ -28,11 +28,12 @@ public function __invoke(
         PieComposerRequest $composerRequest,
         CompletePackageInterface $composerPackage,
     ): void {
-        $io = $composerRequest->pieOutput;
+        $io             = $composerRequest->pieOutput;
+        $targetPlatform = $composerRequest->targetPlatform;
 
         $piePackage = Package::fromComposerCompletePackage($composerPackage);
 
-        $affectedIniFiles = ($this->removeIniEntry)($piePackage, $composerRequest->targetPlatform, $io);
+        $affectedIniFiles = ($this->removeIniEntry)($piePackage, $targetPlatform, $io);
 
         if (count($affectedIniFiles) === 1) {
             $io->write(
@@ -52,6 +53,6 @@ public function __invoke(
             array_walk($affectedIniFiles, static fn (string $ini) => $io->write(' - ' . $ini));
         }
 
-        $io->write(sprintf('👋 <info>Removed extension:</info> %s', ($this->uninstall)($piePackage)->filePath));
+        $io->write(sprintf('👋 <info>Removed extension:</info> %s', ($this->uninstall)($targetPlatform, $piePackage)->filePath));
     }
 }

src/DependencyResolver/Package.php

@@ -30,6 +30,7 @@
 use function parse_url;
 use function str_contains;
 use function str_starts_with;
+use function strlen;
 use function strtolower;
 
 use const DIRECTORY_SEPARATOR;
@@ -86,7 +87,23 @@ public static function fromComposerCompletePackage(CompletePackageInterface $com
 
         $package->supportZts = $phpExtOptions['support-zts'] ?? true;
         $package->supportNts = $phpExtOptions['support-nts'] ?? true;
-        $package->buildPath  = $phpExtOptions['build-path'] ?? null;
+
+        $buildPath = $phpExtOptions['build-path'] ?? null;
+        if ($buildPath !== null) {
+            if (
+                str_starts_with($buildPath, '/')
+                || str_starts_with($buildPath, '\\')
+                || (strlen($buildPath) > 1 && $buildPath[1] === ':')
+            ) {
+                throw new InvalidArgumentException('php-ext.build-path must be a relative path.');
+            }
+
+            if (str_contains($buildPath, '..')) {
+                throw new InvalidArgumentException('php-ext.build-path cannot contain ".." segments.');
+            }
+        }
+
+        $package->buildPath = $buildPath;
 
         $compatibleOsFamilies   = $phpExtOptions['os-families'] ?? null;
         $incompatibleOsFamilies = $phpExtOptions['os-families-exclude'] ?? null;

src/Downloading/DownloadedPackage.php

@@ -6,6 +6,7 @@
 
 use Php\Pie\DependencyResolver\Package;
 use Php\Pie\Platform\PrePackagedSourceAssetName;
+use RuntimeException;
 
 use function array_map;
 use function array_unique;
@@ -14,7 +15,9 @@
 use function is_string;
 use function pathinfo;
 use function realpath;
+use function sprintf;
 use function str_replace;
+use function str_starts_with;
 
 use const DIRECTORY_SEPARATOR;
 use const PATHINFO_FILENAME;
@@ -71,17 +74,27 @@ private static function overrideSourcePathUsingBuildPath(Package $package, strin
             return $extractedSourcePath;
         }
 
-        $extractedSourcePathWithBuildPath = realpath(
+        $candidate = realpath(
             $extractedSourcePath
             . DIRECTORY_SEPARATOR
             . str_replace('{version}', $package->version(), $package->buildPath()),
         );
 
-        if (! is_string($extractedSourcePathWithBuildPath)) {
+        if (! is_string($candidate)) {
             return $extractedSourcePath;
         }
 
-        return $extractedSourcePathWithBuildPath;
+        $extractedReal = realpath($extractedSourcePath);
+        if ($extractedReal === false || ! str_starts_with($candidate . DIRECTORY_SEPARATOR, $extractedReal . DIRECTORY_SEPARATOR)) {
+            throw new RuntimeException(sprintf(
+                'php-ext.build-path %s resolved to %s, which is outside the extract directory %s',
+                $package->buildPath(),
+                $candidate,
+                $extractedReal,
+            ));
+        }
+
+        return $candidate;
     }
 
     public static function fromPackageAndExtractedPath(Package $package, string $extractedSourcePath): self