PhpStorm project security

Recommendations

edit

A malicious person could compromise a developer machine by uploading a malicious git commit and asking you to review it by opening it in PhpStorm.

Before opening a change in PhpStorm, review it for suspicious files, such as an .idea directory. Review changes to tool configuration, such as composer.json. Dangerous file extensions include ipr, iws, iml and gdsl.

Instead of running composer and code generation tools locally, create a container with a separate network namespace, bind mount your source tree into it, then run the tool in the container. But mount the .git and .idea directories read-only, or hide them from the container by mounting an empty directory at those locations. PhpStorm can be configured to run composer and other tools via SSH.

If your setup does not allow sharing of files with a container, you can write scripts to copy files into the container and back out, or use PhpStorm's deployment feature.

Risk analysis

edit

The PhpStorm documentation on project security lists 7 features which will be disabled if a project is opened in "safe mode preview". From this list we may infer the security risks that come with opening a project in trusted mode. A conversation with PhpStorm support has provided a couple of extra items to add to the list.

Feature Risk Mitigation
Startup tasks A malicious or exploitable startup task in project configuration
  • Do not use startup tasks
  • Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
VCS support
  • Malicious content in .git, for example a hook
  • An attack on non-Git version control detection, for example a .svn directory in a git commit
  • Use git to download changes for review. Do not open tarballs, zip files, etc.
  • Review changes for suspicious dot files before opening: .svn, .hg, etc.
File Watchers A malicious or exploitable file watcher task in project configuration
  • Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
  • Do not use file watchers
Composer commands A malicious or exploitable composer script Composer should be run in an unprivileged container. PhpStorm's composer integration can be configured to run composer via SSH.

Beware of escalation from write access to the source tree to arbitrary execution in the host. Write access to the .git or .idea directories provides escalation via git hooks and malicious project configuration respectively. composer update only needs write access to the vendor directory.

Review changes to composer configuration, tool configuration, ComposerHookHandler and the autoloader before running composer.

Refreshing the versions of the configured PHP command-line tools ?
  • Do not use command-line tools apart from Composer
  • Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
Refreshing the versions of the configured PHP test frameworks ?
  • Do not configure a test framework
  • Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
PHP code quality tools Malicious configuration of code quality tools
  • Run code quality tools in a container via SSH.
  • Review changes to code quality tool configuration before opening the project.
GroovyDSL scripts PhpStorm could detect and execute *.gdsl scripts in the project and its external dependencies. Do not open or automatically reject changes with *.gdsl files