Composer uses plain HTTP for at least self-updates and fetching package descriptions from packagist.org (upstream bug: #1074, POC: packagistproxy). Anyone on the network path can therefore tamper with what Composer downloads, and this matters because Composer is integrated into our processes at several levels:
- ExtensionDistributor uses it to build tarballs
- MediaWiki-Vagrant uses it to install extensions
- mediawiki/vendor is maintained with Composer; the output of Composer runs goes through manual code review, which would probably catch tampering, but it remains a risk
- Jenkins uses Composer to run tests and might use it to check out code in the future (T90303)
To address this, Composer needs the ability to restrict requests to HTTPS and verify certificates. If that cannot be made the default, we need a global option that enables it, and we need to ensure the option is set in every one of the environments listed above.
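The "ensure the option is set everywhere" part is the piece that is easy to forget, so here is an added example (not code from this task or from Composer itself) of an offline audit that CI in each environment could run over its composer.json and global config.json. It checks the `secure-http` and `disable-tls` config keys, which are the names later Composer releases use for these settings, and flags any repository URL that still uses plain http://. The sample JSON is constructed for the example; the assumption that a project-level setting overrides the global one mirrors Composer's config precedence.

```python
import json
from urllib.parse import urlparse

# Constructed sample project composer.json (not from any real repository): one
# plain-HTTP repository and certificate checks turned off, so both get flagged.
SAMPLE_COMPOSER_JSON = """
{
    "name": "example/extension",
    "repositories": [
        {"type": "composer", "url": "http://packagist.org"},
        {"type": "vcs", "url": "https://gerrit.wikimedia.org/r/mediawiki/vendor"}
    ],
    "config": {
        "disable-tls": true
    }
}
"""

# Constructed sample global config (~/.composer/config.json style) that does
# enable secure-http, so the project above inherits it.
SAMPLE_GLOBAL_CONFIG = """
{
    "config": {
        "secure-http": true
    }
}
"""


def effective_setting(key, project_cfg, global_cfg):
    """Project-level config wins over global config (Composer's precedence)."""
    if key in project_cfg:
        return project_cfg[key]
    return global_cfg.get(key)


def audit_composer_config(project_json, global_json="{}"):
    """Return a list of human-readable findings; an empty list means the
    configuration enforces HTTPS and certificate checks as this task asks."""
    project = json.loads(project_json)
    global_ = json.loads(global_json)
    project_cfg = project.get("config") or {}
    global_cfg = global_.get("config") or {}
    findings = []

    # The option must be explicitly true; "unset" is treated as a failure
    # because we cannot rely on the default being safe in every environment.
    if effective_setting("secure-http", project_cfg, global_cfg) is not True:
        findings.append("secure-http is not explicitly enabled")
    if effective_setting("disable-tls", project_cfg, global_cfg) is True:
        findings.append("disable-tls is enabled, certificate checks are off")

    # "repositories" may be a list or a name-keyed dict; entries such as
    # {"packagist": false} are not dicts and carry no URL, so skip them.
    repos = project.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict) or not repo.get("url"):
            continue
        if urlparse(repo["url"]).scheme.lower() == "http":
            findings.append("plain-HTTP repository URL: %s" % repo["url"])
    return findings


if __name__ == "__main__":
    for finding in audit_composer_config(SAMPLE_COMPOSER_JSON, SAMPLE_GLOBAL_CONFIG):
        print("FAIL:", finding)
```

Running the audit with only the project file (no global config) additionally reports that `secure-http` is unset, which is exactly the case where an environment like a fresh Vagrant box or Jenkins slave silently falls back to whatever Composer's default happens to be.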
See also:
- T105638: RFC: Streamlining Composer usage
- HTTPS patch for Composer (lacks the configuration part)
- #4056: disable HTTP connections in Composer