Jwt を 7.0.2 にアップデート

composer.json

@@ -17,7 +17,7 @@
         "cakephp/migrations": "^4.0.0",
         "cakephp/plugin-installer": "^2.0",
         "doctrine/annotations": "^1.12",
-        "firebase/php-jwt": "6.1.0",
+        "firebase/php-jwt": "7.0.2",
         "josegonzalez/dotenv": "^4.0",
         "mobiledetect/mobiledetectlib": "^3.74",
         "psr/http-message": "^1.0"

plugins/baser-core/composer.json

@@ -12,7 +12,7 @@
         "cakephp/migrations": "^4.0.0",
         "cakephp/plugin-installer": "^2.0",
         "doctrine/annotations": "^1.12",
-        "firebase/php-jwt": "6.1.0",
+        "firebase/php-jwt": "7.0.2",
         "mobiledetect/mobiledetectlib": "^3.74",
         "ext-json": "*",
         "baserproject/bc-admin-third": "5.2.2",

plugins/baser-core/config/update/5.2.3/config.php

@@ -0,0 +1,14 @@
+<?php
+/**
+ * baserCMS :  Based Website Development Project <https://basercms.net>
+ * Copyright (c) NPO baser foundation <https://baserfoundation.org/>
+ *
+ * @copyright     Copyright (c) NPO baser foundation
+ * @link          https://basercms.net baserCMS Project
+ * @since         5.2.3
+ * @license       https://basercms.net/license/index.html MIT License
+ */
+
+return [
+    'updateMessage' => __d('baser_core', 'JWT鍵の脆弱性対応のため、鍵の再生成を行います。'),
+];

plugins/baser-core/config/update/5.2.3/updater.php

@@ -0,0 +1,24 @@
+<?php
+/**
+ * baserCMS :  Based Website Development Project <https://basercms.net>
+ * Copyright (c) NPO baser foundation <https://baserfoundation.org/>
+ *
+ * @copyright     Copyright (c) NPO baser foundation
+ * @link          https://basercms.net baserCMS Project
+ * @since         5.2.3
+ * @license       https://basercms.net/license/index.html MIT License
+ */
+
+use BaserCore\Utility\BcApiUtil;
+use BaserCore\Utility\BcUpdateLog;
+
+try {
+    if (BcApiUtil::createJwt()) {
+        BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に成功しました。'));
+    } else {
+        BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成に失敗しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt'));
+    }
+} catch (Throwable $e) {
+    BcUpdateLog::set(__d('baser_core', 'JWT鍵の再生成中にエラーが発生しました。config フォルダの書き込み権限を確認した上で、次のコマンドを実行してください。 bin/cake create jwt'));
+    BcUpdateLog::set($e->getMessage());
+}

plugins/baser-core/src/Command/CreateReleaseCommand.php

@@ -14,6 +14,7 @@
 use BaserCore\Utility\BcComposer;
 use BaserCore\Utility\BcFile;
 use BaserCore\Utility\BcFolder;
+use BaserCore\Utility\BcUtil;
 use Cake\Command\Command;
 use Cake\Console\Arguments;
 use Cake\Console\ConsoleIo;
@@ -77,6 +78,9 @@ public function execute(Arguments $args, ConsoleIo $io)
 
         $io->out(__d('baser_core', '- composer.json / composer.lock をセットアップします。'));
         BcComposer::setup('', $packagePath);
+        if(BcUtil::isTest()) {
+            BcComposer::disableBlockInsecure();
+        }
         $result = BcComposer::setupComposerForDistribution($version);
         if($result['code'] === 0) {
             $io->out(__d('baser_core', '- Composer による lock ファイルの更新が完了しました。'));

plugins/baser-core/src/Utility/BcApiUtil.php

@@ -69,7 +69,7 @@ public static function createAccessToken(int $userId, string $prefix = 'Api/Admi
      */
     public static function createJwt(): bool
     {
-        $command = "openssl genrsa -out " . CONFIG . "jwt.key 1024 2>&1";
+        $command = "openssl genrsa -out " . CONFIG . "jwt.key 2048 2>&1";
         exec($command, $out, $code);
         if($code === 0) {
             $command = "openssl rsa -in " . CONFIG . "jwt.key -outform PEM -pubout -out " . CONFIG . "jwt.pem 2>&1";

plugins/baser-core/src/Utility/BcComposer.php

@@ -312,4 +312,22 @@ public static function deleteReplace()
         $file->write($json);
     }
 
+    /**
+     * 脆弱パッケージの導入を禁止を解除する
+     * ユニットテストで過去バージョンのインストールテストがあるため、一時的に解除するのに利用する
+     * @return void
+     * @checked
+     * @noTodo
+     * @unitTest
+     */
+    public static function disableBlockInsecure()
+    {
+        $file = new BcFile(self::$currentDir . 'composer.json');
+        $json = $file->read();
+        $data = json_decode($json, true);
+        $data['config']['audit']['block-insecure'] = false;
+        $json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        $file->write($json);
+    }
+
 }

plugins/baser-core/tests/TestCase/Utility/BcComposerTest.php

@@ -128,10 +128,12 @@ public function test_require()
         $data = $file->read();
         $regex = '/("replace": {.+?},)/s';
         $data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+        $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
         $data = preg_replace($regex, '', $data);
         $file->write($data);
         BcComposer::setup('php');
         BcComposer::deleteReplace();
+        BcComposer::disableBlockInsecure();
         BcComposer::update();
 
         // インストール
@@ -190,10 +192,11 @@ public function testUpdate()
         $data = $file->read();
         $regex = '/("replace": {.+?},)/s';
         $data = str_replace('"cakephp/cakephp": "5.0.*"', '"cakephp/cakephp": "5.0.10"', $data);
+        $data = str_replace('"firebase/php-jwt": "7.0.2"', '"firebase/php-jwt": "6.1.0"', $data);
         $data = preg_replace($regex, '', $data);
         $file->write($data);
         BcComposer::setup('php');
-
+        BcComposer::disableBlockInsecure();
         $rs = BcComposer::update();
         //戻り値を確認
         $this->assertEquals(0, $rs['code']);
@@ -265,6 +268,7 @@ public function testSetupComposerForDistribution()
 
         // 実行
         BcComposer::setup('', TMP_TESTS);
+        BcComposer::disableBlockInsecure();
         BcComposer::setupComposerForDistribution('5.2.0');
         $file = new BcFile($composerJson);
         $data = $file->read();
@@ -336,6 +340,30 @@ public function testDeleteReplace()
         rename($backupPath, $orgPath);
     }
 
+    /**
+     * test disableBlockInsecure
+     * @return void
+     */
+    public function testDisableBlockInsecure()
+    {
+        $orgPath = ROOT . DS . 'composer.json';
+        $backupPath = ROOT . DS . 'composer.json.bak';
+
+        // バックアップ作成
+        copy($orgPath, $backupPath);
+
+        BcComposer::setup();
+        BcComposer::disableBlockInsecure();
+
+        $file = new BcFile($orgPath);
+        $data = json_decode($file->read(), true);
+
+        $this->assertFalse($data['config']['audit']['block-insecure']);
+
+        // バックアップ復元
+        rename($backupPath, $orgPath);
+    }
+
     /**
      * test execCommand
      */