From 5419f18952e0939a27e556203fb057451010a0e9 Mon Sep 17 00:00:00 2001 From: ryuring Date: Fri, 20 Feb 2026 07:43:11 +0900 Subject: [PATCH 1/3] Update firebase/php-jwt to 7.0.2 and add migration script --- composer.json | 2 +- composer.lock | 24 ++++++++++++------- plugins/baser-core/composer.json | 2 +- .../baser-core/config/update/5.2.3/config.php | 14 +++++++++++ .../config/update/5.2.3/updater.php | 24 +++++++++++++++++++ plugins/baser-core/src/Utility/BcApiUtil.php | 2 +- 6 files changed, 56 insertions(+), 12 deletions(-) create mode 100644 plugins/baser-core/config/update/5.2.3/config.php create mode 100644 plugins/baser-core/config/update/5.2.3/updater.php diff --git a/composer.json b/composer.json index db09b295d9..9371c7d3a9 100644 --- a/composer.json +++ b/composer.json @@ -17,7 +17,7 @@ "cakephp/migrations": "^4.0.0", "cakephp/plugin-installer": "^2.0", "doctrine/annotations": "^1.12", - "firebase/php-jwt": "6.1.0", + "firebase/php-jwt": "7.0.2", "josegonzalez/dotenv": "^4.0", "mobiledetect/mobiledetectlib": "^3.74", "psr/http-message": "^1.0" diff --git a/composer.lock b/composer.lock index d714b8b661..a5f8f5602b 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "f6f90698f876f70dc876b8ab25b8b13c", + "content-hash": "b9f7dda4f8668f94265bc4e7a6e1fdb8", "packages": [ { "name": "cakephp/authentication", 
@@ -640,25 +640,31 @@ }, { "name": "firebase/php-jwt", - "version": "v6.1.0", + "version": "v7.0.2", "source": { "type": "git", "url": "https://github.com/firebase/php-jwt.git", - "reference": "fbb2967a3a68b07e37678c00c0cf51165051495f" + "reference": "5645b43af647b6947daac1d0f659dd1fbe8d3b65" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/firebase/php-jwt/zipball/fbb2967a3a68b07e37678c00c0cf51165051495f", - "reference": "fbb2967a3a68b07e37678c00c0cf51165051495f", + "url": "https://api.github.com/repos/firebase/php-jwt/zipball/5645b43af647b6947daac1d0f659dd1fbe8d3b65", + "reference": "5645b43af647b6947daac1d0f659dd1fbe8d3b65", "shasum": "" }, "require": { - "php": "^7.1||^8.0" + "php": "^8.0" }, "require-dev": { - "phpunit/phpunit": "^7.5||9.5" + "guzzlehttp/guzzle": "^7.4", + "phpspec/prophecy-phpunit": "^2.0", + "phpunit/phpunit": "^9.5", + "psr/cache": "^2.0||^3.0", + "psr/http-client": "^1.0", + "psr/http-factory": "^1.0" }, "suggest": { + "ext-sodium": "Support EdDSA (Ed25519) signatures", "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present" }, "type": "library", @@ -691,9 +697,9 @@ ], "support": { "issues": "https://github.com/firebase/php-jwt/issues", - "source": "https://github.com/firebase/php-jwt/tree/v6.1.0" + "source": "https://github.com/firebase/php-jwt/tree/v7.0.2" }, - "time": "2022-03-23T18:26:04+00:00" + "time": "2025-12-16T22:17:28+00:00" }, { "name": "josegonzalez/dotenv", diff --git a/plugins/baser-core/composer.json b/plugins/baser-core/composer.json index b863da0a3e..bd41e76a03 100644 --- a/plugins/baser-core/composer.json +++ b/plugins/baser-core/composer.json @@ -12,7 +12,7 @@ "cakephp/migrations": "^4.0.0", "cakephp/plugin-installer": "^2.0", "doctrine/annotations": "^1.12", - "firebase/php-jwt": "6.1.0", + "firebase/php-jwt": "7.0.2", "mobiledetect/mobiledetectlib": "^3.74", "ext-json": "*", "baserproject/bc-admin-third": "5.2.2", 
diff --git a/plugins/baser-core/config/update/5.2.3/config.php b/plugins/baser-core/config/update/5.2.3/config.php new file mode 100644 index 0000000000..e39044b476 --- /dev/null +++ b/plugins/baser-core/config/update/5.2.3/config.php @@ -0,0 +1,14 @@ + + * Copyright (c) NPO baser foundation + * + * @copyright Copyright (c) NPO baser foundation + * @link https://basercms.net baserCMS Project + * @since 5.2.3 + * @license https://basercms.net/license/index.html MIT License + */ + +return [ + 'updateMessage' => __d('baser_core', 'JWT鍵の脆弱性対応のため、鍵の再生成を行います。'), +]; diff --git a/plugins/baser-core/config/update/5.2.3/updater.php b/plugins/baser-core/config/update/5.2.3/updater.php new file mode 100644 index 0000000000..08857b0119 --- /dev/null +++ b/plugins/baser-core/config/update/5.2.3/updater.php @@ -0,0 +1,24 @@ + + * Copyright (c) NPO baser foundation + * + * @copyright Copyright (c) NPO baser foundation + * @link https://basercms.net baserCMS Project + * @since 5.2.3 + * @license https://basercms.net/license/index.html MIT License + */ + +use BaserCore\Utility\BcApiUtil; +use BaserCore\Utility\BcUpdateLog; + +try { + if (BcApiUtil::createJwt()) { + BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に成功しました。')); + } else { + BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に失敗しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt')); + } +} catch (Throwable $e) { + BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成中にエラーが発生しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt')); + BcUpdateLog::set($e->getMessage()); +} diff --git a/plugins/baser-core/src/Utility/BcApiUtil.php b/plugins/baser-core/src/Utility/BcApiUtil.php index 97762f11a7..7cd2e203f1 100644 --- a/plugins/baser-core/src/Utility/BcApiUtil.php +++ b/plugins/baser-core/src/Utility/BcApiUtil.php 
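Review bot: Neither branch of this updater tells the operator what replacing `jwt.key`/`jwt.pem` in place means for tokens already issued: anything signed with the previous private key will presumably stop verifying once `createJwt()` overwrites the pair, so API clients holding long-lived access or refresh tokens have to re-authenticate after the update. I would extend the success message (and the `updateMessage` in `config.php`) with a sentence stating that previously issued API tokens become invalid and must be re-issued. The failure and `Throwable` branches leave the old key in place and only write to the update log, which is reasonable, but their text should say explicitly that the previous, weaker key remains in use until `bin/cake create jwt` succeeds, so a skimmed log does not read as a completed migration. Whether `BcUpdateLog::set()` surfaces these lines in the admin UI or only to a file is not visible here.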
@@ -69,7 +69,7 @@ public static function createAccessToken(int $userId, string $prefix = 'Api/Admi
 */
 public static function createJwt(): bool
 {
- $command = "openssl genrsa -out " . CONFIG . "jwt.key 1024 2>&1";
+ $command = "openssl genrsa -out " . CONFIG . "jwt.key 2048 2>&1";
 exec($command, $out, $code);
 if($code === 0) {
 $command = "openssl rsa -in " . CONFIG . "jwt.key -outform PEM -pubout -out " . CONFIG . "jwt.pem 2>&1";
From 5775ea409345c2d87807208e0385d2fb24a48aa7 Mon Sep 17 00:00:00 2001
From: ryuring
Date: Mon, 23 Feb 2026 11:57:53 +0900
Subject: [PATCH 2/3] =?UTF-8?q?firebase/php-jwt=20=E3=81=AE=E3=82=A2?=
 =?UTF-8?q?=E3=83=83=E3=83=97=E3=83=87=E3=83=BC=E3=83=88=E3=81=AB=E3=82=88?=
 =?UTF-8?q?=E3=82=8A=E3=83=86=E3=82=B9=E3=83=88=E3=81=8C=E5=A4=B1=E6=95=97?=
 =?UTF-8?q?=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB=E3=81=AA=E3=81=A3?=
 =?UTF-8?q?=E3=81=9F=E3=81=AE=E3=81=A7=E8=AA=BF=E6=95=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../baser-core/src/Command/CreateReleaseCommand.php | 4 ++++
 plugins/baser-core/src/Utility/BcComposer.php | 10 ++++++++++
 .../tests/TestCase/Utility/BcComposerTest.php | 6 +++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/plugins/baser-core/src/Command/CreateReleaseCommand.php b/plugins/baser-core/src/Command/CreateReleaseCommand.php
index 7a63eee0a9..9e69d280db 100644
--- a/plugins/baser-core/src/Command/CreateReleaseCommand.php
+++ b/plugins/baser-core/src/Command/CreateReleaseCommand.php
@@ -14,6 +14,7 @@
 use BaserCore\Utility\BcComposer;
 use BaserCore\Utility\BcFile;
 use BaserCore\Utility\BcFolder;
+use BaserCore\Utility\BcUtil;
 use Cake\Command\Command;
 use Cake\Console\Arguments;
 use Cake\Console\ConsoleIo;
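Review bot: The `openssl` invocation still interpolates `CONFIG` into a shell string without quoting, so an install path containing a space or a shell metacharacter breaks the command or runs something else; the key-size bump from 1024 to 2048 does not change that. Both command lines should quote the path, e.g. `$command = "openssl genrsa -out " . escapeshellarg(CONFIG . "jwt.key") . " 2048 2>&1";` and likewise `escapeshellarg(CONFIG . "jwt.key")` / `escapeshellarg(CONFIG . "jwt.pem")` on the `pubout` line. Because the 5.2.3 updater now rewrites an existing `jwt.key`, it is also worth adding `chmod(CONFIG . 'jwt.key', 0600);` after a successful run — as far as I know OpenSSL only applies its restrictive mode when it creates the file, not when it truncates an existing one — and the `$out` captured via `2>&1` must not be echoed anywhere that reaches a browser. `createJwt()` continues past the end of this hunk.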
@@ -77,6 +78,9 @@ public function execute(Arguments $args, ConsoleIo $io)
 $io->out(__d('baser_core', '- composer.json / composer.lock をセットアップします。'));
 BcComposer::setup('', $packagePath);
+ if(BcUtil::isTest()) {
+ BcComposer::disableBlockInsecure();
+ }
 $result = BcComposer::setupComposerForDistribution($version);
 if($result['code'] === 0) {
 $io->out(__d('baser_core', '- Composer による lock ファイルの更新が完了しました。'));
diff --git a/plugins/baser-core/src/Utility/BcComposer.php b/plugins/baser-core/src/Utility/BcComposer.php
index cafc8b91fc..e9a44a8909 100644
--- a/plugins/baser-core/src/Utility/BcComposer.php
+++ b/plugins/baser-core/src/Utility/BcComposer.php
@@ -312,4 +312,14 @@ public static function deleteReplace()
 $file->write($json);
 }
+ public static function disableBlockInsecure()
+ {
+ $file = new BcFile(self::$currentDir . 'composer.json');
+ $json = $file->read();
+ $data = json_decode($json, true);
+ $data['config']['audit']['block-insecure'] = false;
+ $json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+ $file->write($json);
+ }
+
 }
diff --git a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
index a0d1b34a5c..48848a9b0d 100644
--- a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
+++ b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
@@ -128,10 +128,12 @@ public function test_require()
 $data = $file->read();
 $regex = '/("replace": {.+?},)/s';
 $data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+ $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
 $data = preg_replace($regex, '', $data);
 $file->write($data);
 BcComposer::setup('php');
 BcComposer::deleteReplace();
+ BcComposer::disableBlockInsecure();
 BcComposer::update();
 // インストール
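Review bot: Gating `BcComposer::disableBlockInsecure()` on `BcUtil::isTest()` puts a test-only weakening of Composer's security audit into the production release command, and since `BcComposer::setup('', $packagePath)` just pointed the working directory at the package, the flag is written into the very `composer.json` that `setupComposerForDistribution()` then packages. If `isTest()` ever evaluates true outside PHPUnit (how it is decided is not visible here), a release artifact ships with `block-insecure: false`. Prefer to keep this in the test that drives the command — call `BcComposer::disableBlockInsecure()` there before invoking `execute()`, as the `BcComposerTest` hunks already do — and drop the branch from the command; if it must stay, add `// test only: lets the lock update install the pinned older packages; must never reach a real release` above the `if` and restore the original manifest after `setupComposerForDistribution()` returns. `execute()` begins and ends outside this hunk.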
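Review bot: `$data = json_decode($json, true);` has no error handling, so if `composer.json` is malformed or `read()` yields something empty, `$data` is `null`, the following assignment auto-vivifies it into a one-key array, and `$file->write()` replaces the whole manifest with `{"config":{"audit":{"block-insecure":false}}}`. Use `$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);` so a parse failure throws instead of silently destroying the file, and pass `JSON_THROW_ON_ERROR` to the `json_encode` call as well. The method also deserves a header comment here (PATCH 3 adds one) because what it does — switching off Composer's refusal to install packages with known advisories — is easy to misuse; `self::$currentDir` is set by `setup()` outside this hunk.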
@@ -190,10 +192,11 @@ public function testUpdate()
 $data = $file->read();
 $regex = '/("replace": {.+?},)/s';
 $data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+ $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
 $data = preg_replace($regex, '', $data);
 $file->write($data);
 BcComposer::setup('php');
-
+ BcComposer::disableBlockInsecure();
 $rs = BcComposer::update();
 //戻り値を確認
 $this->assertEquals(0, $rs['code']);
@@ -265,6 +268,7 @@ public function testSetupComposerForDistribution()
 // 実行
 BcComposer::setup('', TMP_TESTS);
+ BcComposer::disableBlockInsecure();
 BcComposer::setupComposerForDistribution('5.2.0');
 $file = new BcFile($composerJson);
 $data = $file->read();
From fe0acd55645469419ea4d738953bc9519f21065e Mon Sep 17 00:00:00 2001
From: ryuring
Date: Mon, 23 Feb 2026 12:04:53 +0900
Subject: [PATCH 3/3] =?UTF-8?q?BcComposer::disableBlockInsecure()=20?=
 =?UTF-8?q?=E3=81=AE=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88=E3=83=86=E3=82=B9?=
 =?UTF-8?q?=E3=83=88=E3=82=92=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 plugins/baser-core/src/Utility/BcComposer.php | 8 +++++++
 .../tests/TestCase/Utility/BcComposerTest.php | 24 +++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/plugins/baser-core/src/Utility/BcComposer.php b/plugins/baser-core/src/Utility/BcComposer.php
index e9a44a8909..0ef746a4d9 100644
--- a/plugins/baser-core/src/Utility/BcComposer.php
+++ b/plugins/baser-core/src/Utility/BcComposer.php
@@ -312,6 +312,14 @@ public static function deleteReplace()
 $file->write($json);
 }
+ /**
+ * 脆弱パッケージの導入を禁止を解除する
+ * ユニットテストで過去バージョンのインストールテストがあるため、一時的に解除するのに利用する
+ * @return void
+ * @checked
+ * @noTodo
+ * @unitTest
+ */
 public static function disableBlockInsecure()
 {
 $file = new BcFile(self::$currentDir . 'composer.json');
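Review bot: The new docblock on `disableBlockInsecure()` describes the lift as temporary, but the method has no counterpart that re-enables `block-insecure` and nothing in it restores `composer.json`, so a reader can reasonably assume it undoes itself. I would add two lines after the `@unitTest` tag: ` * NOTE: there is no re-enable counterpart; the caller must back up and restore composer.json itself.` and ` * Never run this against a composer.json that will be shipped (e.g. the release package dir).` The signature should also carry a native `: void` to match the `@return void` tag. The method body continues past the end of this hunk.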
diff --git a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
index 48848a9b0d..fb958860c2 100644
--- a/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
+++ b/plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php
@@ -340,6 +340,30 @@ public function testDeleteReplace()
 rename($backupPath, $orgPath);
 }
+ /**
+ * test disableBlockInsecure
+ * @return void
+ */
+ public function testDisableBlockInsecure()
+ {
+ $orgPath = ROOT . DS . 'composer.json';
+ $backupPath = ROOT . DS . 'composer.json.bak';
+
+ // バックアップ作成
+ copy($orgPath, $backupPath);
+
+ BcComposer::setup();
+ BcComposer::disableBlockInsecure();
+
+ $file = new BcFile($orgPath);
+ $data = json_decode($file->read(), true);
+
+ $this->assertFalse($data['config']['audit']['block-insecure']);
+
+ // バックアップ復元
+ rename($backupPath, $orgPath);
+ }
+
 /**
 * test execCommand
 */
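Review bot: `testDisableBlockInsecure()` restores `ROOT/composer.json` with a plain `rename()` at the very end, so if `setup()`, `disableBlockInsecure()` or the assertion throws, the checkout's real `composer.json` is left with `block-insecure: false` and `composer.json.bak` lingers — which silently disables the advisory audit for every later Composer run on that machine or CI worker. Wrap the body in `try`/`finally` so the backup is always put back, and decode with `JSON_THROW_ON_ERROR` so a corrupted write fails loudly rather than with a warning on a `null` index. `assertFalse` is strict in PHPUnit, so the assertion itself is fine.
```php
public function testDisableBlockInsecure()
{
    $orgPath = ROOT . DS . 'composer.json';
    $backupPath = ROOT . DS . 'composer.json.bak';
    copy($orgPath, $backupPath);
    try {
        BcComposer::setup();
        BcComposer::disableBlockInsecure();
        $data = json_decode((new BcFile($orgPath))->read(), true, 512, JSON_THROW_ON_ERROR);
        $this->assertFalse($data['config']['audit']['block-insecure']);
    } finally {
        // always restore the original manifest, even when the assertion fails
        rename($backupPath, $orgPath);
    }
}
```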