diff --git a/composer.json b/composer.json
index db09b295d9..9371c7d3a9 100644
--- a/composer.json
+++ b/composer.json
@@ -17,7 +17,7 @@
"cakephp/migrations": "^4.0.0",
"cakephp/plugin-installer": "^2.0",
"doctrine/annotations": "^1.12",
- "firebase/php-jwt": "6.1.0",
+ "firebase/php-jwt": "7.0.2",
"josegonzalez/dotenv": "^4.0",
"mobiledetect/mobiledetectlib": "^3.74",
"psr/http-message": "^1.0"
diff --git a/composer.lock b/composer.lock
index d714b8b661..a5f8f5602b 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "f6f90698f876f70dc876b8ab25b8b13c",
+ "content-hash": "b9f7dda4f8668f94265bc4e7a6e1fdb8",
"packages": [
{
"name": "cakephp/authentication",
@@ -640,25 +640,31 @@
},
{
"name": "firebase/php-jwt",
- "version": "v6.1.0",
+ "version": "v7.0.2",
"source": {
"type": "git",
"url": "https://github.com/firebase/php-jwt.git",
- "reference": "fbb2967a3a68b07e37678c00c0cf51165051495f"
+ "reference": "5645b43af647b6947daac1d0f659dd1fbe8d3b65"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/firebase/php-jwt/zipball/fbb2967a3a68b07e37678c00c0cf51165051495f",
- "reference": "fbb2967a3a68b07e37678c00c0cf51165051495f",
+ "url": "https://api.github.com/repos/firebase/php-jwt/zipball/5645b43af647b6947daac1d0f659dd1fbe8d3b65",
+ "reference": "5645b43af647b6947daac1d0f659dd1fbe8d3b65",
"shasum": ""
},
"require": {
- "php": "^7.1||^8.0"
+ "php": "^8.0"
},
"require-dev": {
- "phpunit/phpunit": "^7.5||9.5"
+ "guzzlehttp/guzzle": "^7.4",
+ "phpspec/prophecy-phpunit": "^2.0",
+ "phpunit/phpunit": "^9.5",
+ "psr/cache": "^2.0||^3.0",
+ "psr/http-client": "^1.0",
+ "psr/http-factory": "^1.0"
},
"suggest": {
+ "ext-sodium": "Support EdDSA (Ed25519) signatures",
"paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present"
},
"type": "library",
@@ -691,9 +697,9 @@
],
"support": {
"issues": "https://github.com/firebase/php-jwt/issues",
- "source": "https://github.com/firebase/php-jwt/tree/v6.1.0"
+ "source": "https://github.com/firebase/php-jwt/tree/v7.0.2"
},
- "time": "2022-03-23T18:26:04+00:00"
+ "time": "2025-12-16T22:17:28+00:00"
},
{
"name": "josegonzalez/dotenv",
diff --git a/plugins/baser-core/composer.json b/plugins/baser-core/composer.json
index b863da0a3e..bd41e76a03 100644
--- a/plugins/baser-core/composer.json
+++ b/plugins/baser-core/composer.json
@@ -12,7 +12,7 @@
"cakephp/migrations": "^4.0.0",
"cakephp/plugin-installer": "^2.0",
"doctrine/annotations": "^1.12",
- "firebase/php-jwt": "6.1.0",
+ "firebase/php-jwt": "7.0.2",
"mobiledetect/mobiledetectlib": "^3.74",
"ext-json": "*",
"baserproject/bc-admin-third": "5.2.2",
diff --git a/plugins/baser-core/config/update/5.2.3/config.php b/plugins/baser-core/config/update/5.2.3/config.php
new file mode 100644
index 0000000000..e39044b476
--- /dev/null
+++ b/plugins/baser-core/config/update/5.2.3/config.php
@@ -0,0 +1,14 @@
+
+ * Copyright (c) NPO baser foundation
+ *
+ * @copyright Copyright (c) NPO baser foundation
+ * @link https://basercms.net baserCMS Project
+ * @since 5.2.3
+ * @license https://basercms.net/license/index.html MIT License
+ */
+
+return [
+ 'updateMessage' => __d('baser_core', 'JWT鍵の脆弱性対応のため、鍵の再生成を行います。'),
+];
diff --git a/plugins/baser-core/config/update/5.2.3/updater.php b/plugins/baser-core/config/update/5.2.3/updater.php
new file mode 100644
index 0000000000..08857b0119
--- /dev/null
+++ b/plugins/baser-core/config/update/5.2.3/updater.php
@@ -0,0 +1,24 @@
+
+ * Copyright (c) NPO baser foundation
+ *
+ * @copyright Copyright (c) NPO baser foundation
+ * @link https://basercms.net baserCMS Project
+ * @since 5.2.3
+ * @license https://basercms.net/license/index.html MIT License
+ */
+
+use BaserCore\Utility\BcApiUtil;
+use BaserCore\Utility\BcUpdateLog;
+
+try {
+ if (BcApiUtil::createJwt()) {
+ BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に成功しました。'));
+ } else {
+ BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に失敗しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt'));
+ }
+} catch (Throwable $e) {
+ BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成中にエラーが発生しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt'));
+ BcUpdateLog::set($e->getMessage());
+}
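Review bot: `BcApiUtil::createJwt()` on the `if` line rewrites config/jwt.key and jwt.pem in place, and the two openssl steps it runs are not atomic, so a failure or exception after the first step can leave a fresh private key next to the old public key with nothing to roll back to; copy both files aside before the call, restore them in the `else` and `catch` branches, and remove the copies on success. Presumably API tokens signed with the previous key stop verifying once the pair changes, so the success log line is also the place to tell the operator that already issued tokens must be reissued — confirm against the token verification code. `$e->getMessage()` is written to the update log as-is, which is reasonable for an admin-only log but should not be surfaced to end users.
```php
// Keep the current key pair so a failed regeneration can be rolled back.
$keyFiles = ['jwt.key', 'jwt.pem'];
foreach ($keyFiles as $name) {
    if (file_exists(CONFIG . $name)) {
        copy(CONFIG . $name, CONFIG . $name . '.bak');
    }
}
$restore = static function () use ($keyFiles): void {
    foreach ($keyFiles as $name) {
        if (file_exists(CONFIG . $name . '.bak')) {
            rename(CONFIG . $name . '.bak', CONFIG . $name);
        }
    }
};
try {
    if (BcApiUtil::createJwt()) {
        // … unchanged: success log …
        foreach ($keyFiles as $name) {
            if (file_exists(CONFIG . $name . '.bak')) {
                unlink(CONFIG . $name . '.bak');
            }
        }
    } else {
        $restore();
        // … unchanged: failure log …
    }
} catch (Throwable $e) {
    $restore();
    // … unchanged: error log …
}
```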
diff --git a/plugins/baser-core/src/Command/CreateReleaseCommand.php b/plugins/baser-core/src/Command/CreateReleaseCommand.php
index 7a63eee0a9..9e69d280db 100644
--- a/plugins/baser-core/src/Command/CreateReleaseCommand.php
+++ b/plugins/baser-core/src/Command/CreateReleaseCommand.php
@@ -14,6 +14,7 @@
use BaserCore\Utility\BcComposer;
use BaserCore\Utility\BcFile;
use BaserCore\Utility\BcFolder;
+use BaserCore\Utility\BcUtil;
use Cake\Command\Command;
use Cake\Console\Arguments;
use Cake\Console\ConsoleIo;
@@ -77,6 +78,9 @@ public function execute(Arguments $args, ConsoleIo $io)
$io->out(__d('baser_core', '- composer.json / composer.lock をセットアップします。'));
BcComposer::setup('', $packagePath);
+ if(BcUtil::isTest()) {
+ BcComposer::disableBlockInsecure();
+ }
$result = BcComposer::setupComposerForDistribution($version);
if($result['code'] === 0) {
$io->out(__d('baser_core', '- Composer による lock ファイルの更新が完了しました。'));
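Review bot: The `if(BcUtil::isTest()) { BcComposer::disableBlockInsecure(); }` branch puts a test-only switch that turns off Composer's insecure-package audit into the production release command, and it rewrites the composer.json of the package being built under `$packagePath`. The test that needs the audit disabled can call `BcComposer::disableBlockInsecure()` itself right after `BcComposer::setup('', ...)`, which is what BcComposerTest already does in testSetupComposerForDistribution, so the three added lines can be dropped from execute(). If the branch has to stay, give it a why-comment such as `// test only: allow installing superseded package versions by disabling audit.block-insecure`. execute() begins and continues outside this hunk.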
diff --git a/plugins/baser-core/src/Utility/BcApiUtil.php b/plugins/baser-core/src/Utility/BcApiUtil.php
index 97762f11a7..7cd2e203f1 100644
--- a/plugins/baser-core/src/Utility/BcApiUtil.php
+++ b/plugins/baser-core/src/Utility/BcApiUtil.php
@@ -69,7 +69,7 @@ public static function createAccessToken(int $userId, string $prefix = 'Api/Admi
*/
public static function createJwt(): bool
{
- $command = "openssl genrsa -out " . CONFIG . "jwt.key 1024 2>&1";
+ $command = "openssl genrsa -out " . CONFIG . "jwt.key 2048 2>&1";
exec($command, $out, $code);
if($code === 0) {
$command = "openssl rsa -in " . CONFIG . "jwt.key -outform PEM -pubout -out " . CONFIG . "jwt.pem 2>&1";
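Review bot: The key path is still spliced into the shell string unquoted on the changed line and on the `openssl rsa` line below it, so a CONFIG directory containing a space or shell metacharacter breaks the command; quote it with `$command = 'openssl genrsa -out ' . escapeshellarg(CONFIG . 'jwt.key') . ' 2048 2>&1';` and do the same for the `-in`/`-out` arguments of the second command. CONFIG is a build-time constant rather than user input, so this is a robustness fix, not an injection fix. Raising the modulus to 2048 bits is the right minimum; the method docblock (which starts outside the hunk) should also state that the method replaces any existing jwt.key/jwt.pem. createJwt() continues past the end of the hunk.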
diff --git a/plugins/baser-core/src/Utility/BcComposer.php b/plugins/baser-core/src/Utility/BcComposer.php
index cafc8b91fc..0ef746a4d9 100644
--- a/plugins/baser-core/src/Utility/BcComposer.php
+++ b/plugins/baser-core/src/Utility/BcComposer.php
@@ -312,4 +312,22 @@ public static function deleteReplace()
$file->write($json);
}
+ /**
+ * 脆弱パッケージの導入を禁止を解除する
+ * ユニットテストで過去バージョンのインストールテストがあるため、一時的に解除するのに利用する
+ * @return void
+ * @checked
+ * @noTodo
+ * @unitTest
+ */
+ public static function disableBlockInsecure()
+ {
+ $file = new BcFile(self::$currentDir . 'composer.json');
+ $json = $file->read();
+ $data = json_decode($json, true);
+ $data['config']['audit']['block-insecure'] = false;
+ $json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+ $file->write($json);
+ }
+
}
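Review bot: `json_decode($json, true)` after `$file->read()` is never checked, so when composer.json is empty or not valid JSON `$data` is null, the following assignment turns it into a one-key array, and `$file->write($json)` replaces the whole composer.json with just `{"config":{"audit":{"block-insecure":false}}}`; use `$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);` so the failure surfaces instead of clobbering the file. The docblock says the block on insecure packages is lifted temporarily, but nothing in the class re-enables it; either add an `enableBlockInsecure()` counterpart or state in the docblock that callers must restore composer.json themselves, as BcComposerTest does with its backup and rename. A declared return type, `public static function disableBlockInsecure(): void`, would match the `@return void` tag.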
diff --git a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
index a0d1b34a5c..fb958860c2 100644
--- a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
+++ b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
@@ -128,10 +128,12 @@ public function test_require()
$data = $file->read();
$regex = '/("replace": {.+?},)/s';
$data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+ $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
$data = preg_replace($regex, '', $data);
$file->write($data);
BcComposer::setup('php');
BcComposer::deleteReplace();
+ BcComposer::disableBlockInsecure();
BcComposer::update();
// インストール
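Review bot: The fixture edit `str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data)` only matches the exact version string of today's composer.json, so the next php-jwt bump silently leaves the constraint untouched and the test then installs a different version than it names; `preg_replace('/"firebase\/php-jwt": "[^"]+"/', '"firebase/php-jwt": "6.1.0"', $data)` keeps the pin working. The same line appears in the testUpdate hunk. Because these tests deliberately install the superseded 6.1.0 release with `block-insecure` switched off, a why-comment on the replace line, e.g. `// pin an older php-jwt on purpose: this test exercises installing a pre-7.x constraint`, would stop a later reader from "fixing" it — confirm that is the intent. test_require begins outside this hunk.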
@@ -190,10 +192,11 @@ public function testUpdate()
$data = $file->read();
$regex = '/("replace": {.+?},)/s';
$data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+ $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
$data = preg_replace($regex, '', $data);
$file->write($data);
BcComposer::setup('php');
-
+ BcComposer::disableBlockInsecure();
$rs = BcComposer::update();
//戻り値を確認
$this->assertEquals(0, $rs['code']);
@@ -265,6 +268,7 @@ public function testSetupComposerForDistribution()
// 実行
BcComposer::setup('', TMP_TESTS);
+ BcComposer::disableBlockInsecure();
BcComposer::setupComposerForDistribution('5.2.0');
$file = new BcFile($composerJson);
$data = $file->read();
@@ -336,6 +340,30 @@ public function testDeleteReplace()
rename($backupPath, $orgPath);
}
+ /**
+ * test disableBlockInsecure
+ * @return void
+ */
+ public function testDisableBlockInsecure()
+ {
+ $orgPath = ROOT . DS . 'composer.json';
+ $backupPath = ROOT . DS . 'composer.json.bak';
+
+ // バックアップ作成
+ copy($orgPath, $backupPath);
+
+ BcComposer::setup();
+ BcComposer::disableBlockInsecure();
+
+ $file = new BcFile($orgPath);
+ $data = json_decode($file->read(), true);
+
+ $this->assertFalse($data['config']['audit']['block-insecure']);
+
+ // バックアップ復元
+ rename($backupPath, $orgPath);
+ }
+
/**
* test execCommand
*/
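Review bot: In testDisableBlockInsecure the restore `rename($backupPath, $orgPath);` runs only when the assertion passes, so a failing run leaves the repository's real composer.json at ROOT with `block-insecure` set to false, and that state carries into every later Composer call in the suite; wrap the part from `BcComposer::setup();` through the `assertFalse` in `try { … } finally { rename($backupPath, $orgPath); }`. The `copy($orgPath, $backupPath)` return value is also unchecked — `$this->assertTrue(copy($orgPath, $backupPath));` stops the test before it mutates the original without a backup in place. The same backup/rename shape is used by testDeleteReplace just above, which starts outside the hunk.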