Composer.lock accessible via web

3

Recently I installed Composer in a project of mine. I liked it a lot because it is a great tool; however, one of the generated files, composer.lock, is accessible from the browser. As I do not understand much about this tool, I'm a bit afraid: is it dangerous to leave this file accessible via the browser to my users?

asked by anonymous 30.12.2014 / 14:21

1 answer

2

The composer.lock file is a generated version of your composer.json file that contains the exact versions of the dependencies that your application is running. It is updated with a composer update, and if the file exists when running composer install, instead of downloading the latest versions, it will download the versions listed in that file (in development teams, to know the exact dependencies).

The risk of exposing this file is that a potential attacker would know exactly which dependencies your project uses and could exploit specific vulnerabilities/bugs in those dependency versions, so they would know exactly where to look for a security breach.

To avoid such problems, it is good practice to separate business logic (your classes, the database connection) from the files served to the browser (index.php, css, js, and images) in the root of the web server.

Frameworks generally have a public or web folder in the project root. This folder is the one that is usually mapped as the root of the web server, keeping the framework classes and files such as composer.lock out of it. Below is an example of the Laravel folder structure:

In this example we have the system itself outside the root of the web server, in the app folder. The browser in this case would only see what is inside public, which in this case is the .js and .css files, together with the index.php that invokes the framework:

Conclusion

Not only composer.lock, but any file that does not really need to be accessed by the browser should be left out of the web root of your application. Depending on the configuration of your web server, it is possible for an attacker to download your entire system, and since PHP is not complicated, they would have all of your work handed to them.

31.12.2014 / 08:20
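The web-root separation the answer describes, shown as an added nginx example (not code from the question or the answer): the weak configuration that points the document root at the project root beside the corrected one that points it at public/. The project path /var/www/myapp, the hostnames and the PHP-FPM socket are assumptions.

```nginx
# ADDED EXAMPLE, not from the answer above. Assumes a project at /var/www/myapp
# with a Laravel-style public/ folder and PHP-FPM listening on a unix socket.
# The two server blocks are shown side by side for comparison; deploy only the
# corrected one.

# WEAK: the document root is the project root, so /composer.lock,
# /composer.json, /.env and /vendor/... are served as plain static files.
server {
    listen 80;
    server_name weak.example.test;
    root /var/www/myapp;            # exposes composer.lock, .env, vendor/
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# CORRECTED: the document root is public/, so only index.php, css, js and
# images are reachable; the framework, vendor/ and composer.lock sit one level up.
server {
    listen 80;
    server_name app.example.test;
    root /var/www/myapp/public;
    index index.php;

    # Front controller: any path that is not a real file goes to index.php,
    # which boots the framework from outside the web root.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Defense in depth: even if a deploy step copies such files into public/,
    # never serve dotfiles (other than .well-known) or Composer metadata.
    location ~ /\.(?!well-known) { deny all; }
    location ~ ^/composer\.(json|lock)$ { deny all; }
}
```

After reloading nginx, `curl -sI http://app.example.test/composer.lock` should return 403 or 404 rather than 200, which is a quick check that the file is no longer reachable.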