Merge pull request #3 from magento-commerce/MC-42698
MC-42698: Add vbe's to allow list.
admanesachin authored Jun 25, 2021
2 parents 2e846ae + f9d9472 commit 4ed9b65
Showing 1 changed file with 40 additions and 21 deletions.
61 changes: 40 additions & 21 deletions src/Plugin.php
Expand Up @@ -41,6 +41,20 @@ class Plugin implements PluginInterface, EventSubscriberInterface
*/
private $versionSelector;

/**#@+
* Constant for VBE ALLOW LIST
*/
private const VBE_ALLOW_LIST = [
'vertexinc',
'yotpo',
'klarna',
'amzn',
'dotmailer',
'braintree',
'paypal',
'gene'
];

/**
* Initialize dependencies
* @param Version|null $version
Expand Down Expand Up @@ -113,33 +127,38 @@ public function packageUpdate(PackageEvent $event): void
$privateRepoVersion = '';
$publicRepoVersion = '';
$privateRepoUrl = '';
foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {
/** @var RepositoryInterface $repository */
if ($repository instanceof ComposerRepository) {
$found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
$repoUrl = $repository->getRepoConfig()['url'];

if ($found) {
if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
$publicRepoVersion = $found->getFullPrettyVersion();
} else {
$currentPrivateRepoVersion = $found->getFullPrettyVersion();
//private repo version should hold highest version of package
if(empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')){
$privateRepoVersion = $currentPrivateRepoVersion;
$privateRepoUrl = $repoUrl;
list($namespace, $project) = explode("/", $packageName);
$isPackageVBE = in_array($namespace, self::VBE_ALLOW_LIST, true);

if(!$isPackageVBE) {

foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {

/** @var RepositoryInterface $repository */
if ($repository instanceof ComposerRepository) {
$found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
$repoUrl = $repository->getRepoConfig()['url'];

if ($found) {
if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
$publicRepoVersion = $found->getFullPrettyVersion();
} else {
$currentPrivateRepoVersion = $found->getFullPrettyVersion();
//private repo version should hold highest version of package
if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
$privateRepoVersion = $currentPrivateRepoVersion;
$privateRepoUrl = $repoUrl;
}
}
}
}
}
}


if ($privateRepoVersion && $publicRepoVersion && (version_compare($publicRepoVersion, $privateRepoVersion, '>'))) {
$exceptionMessage = "Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org
if ($privateRepoVersion && $publicRepoVersion && (version_compare($publicRepoVersion, $privateRepoVersion, '>'))) {
$exceptionMessage = "Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org
than {$privateRepoVersion} in private {$privateRepoUrl}. Public package might've been taken over by a malicious entity,
please investigate and update package requirement to match the version from the private repository";
throw new Exception($exceptionMessage);
throw new Exception($exceptionMessage);
}
}
}
}
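Review bot: The allow-list check `$isPackageVBE = in_array($namespace, self::VBE_ALLOW_LIST, true)` exempts an entire vendor namespace from the packagist-vs-private version comparison, so a higher `paypal/*` or `klarna/*` release appearing on packagist.org is no longer reported at all; the `VBE_ALLOW_LIST` docblock should say why these vendors are exempt (presumably they publish the same packages to packagist legitimately) so the trade-off is re-examined each time an entry is added, and the `/**#@+` group opener has no matching `/**#@-*/` and should be a plain `/** ... */`. Wrapping the unchanged body in `if(!$isPackageVBE) {` adds a nesting level and leaves `$project` unused; an early `if (in_array(explode('/', $packageName, 2)[0], self::VBE_ALLOW_LIST, true)) { return; }` placed before `$privateRepoVersion = '';` keeps the existing logic flat and gives the same result since nothing follows the guarded block. `list($namespace, $project) = explode("/", $packageName);` destructures without checking that two parts exist, which on a name without a slash raises an undefined-offset warning — probably unreachable for Composer package names, but a guard or a comment stating that assumption would help. packageUpdate begins before the hunk.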
