PhpStorm project security
Recommendations
editA malicious person could compromise a developer machine by uploading a malicious git commit and asking you to review it by opening it in PhpStorm.
Before opening a change in PhpStorm, review it for suspicious files, such as an .idea directory. Review changes to tool configuration, such as composer.json. Dangerous file extensions include ipr, iws, iml and gdsl.
Instead of running composer and code generation tools locally, create a container with a separate network namespace, bind mount your source tree into it, then run the tool in the container. But mount the .git and .idea directories read-only, or hide them from the container by mounting an empty directory at those locations. PhpStorm can be configured to run composer and other tools via SSH.
If your setup does not allow sharing of files with a container, you can write scripts to copy files into the container and back out, or use PhpStorm's deployment feature.
Risk analysis
editThe PhpStorm documentation on project security lists 7 features which will be disabled if a project is opened in "safe mode preview". From this list we may infer the security risks that come with opening a project in trusted mode. A conversation with PhpStorm support has provided a couple of extra items to add to the list.
Feature | Risk | Mitigation |
---|---|---|
Startup tasks | A malicious or exploitable startup task in project configuration |
|
VCS support |
|
|
File Watchers | A malicious or exploitable file watcher task in project configuration |
|
Composer commands | A malicious or exploitable composer script | Composer should be run in an unprivileged container. PhpStorm's composer integration can be configured to run composer via SSH.
Beware of escalation from write access to the source tree to arbitrary execution in the host. Write access to the Review changes to composer configuration, tool configuration, ComposerHookHandler and the autoloader before running composer. |
Refreshing the versions of the configured PHP command-line tools | ? |
|
Refreshing the versions of the configured PHP test frameworks | ? |
|
PHP code quality tools | Malicious configuration of code quality tools |
|
GroovyDSL scripts | PhpStorm could detect and execute *.gdsl scripts in the project and its external dependencies. |
Do not open or automatically reject changes with *.gdsl files |