diff --git a/.gitignore b/.gitignore index fef750b..64a49a9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .phpunit.cache -/vendor \ No newline at end of file +/vendor +.idea \ No newline at end of file diff --git a/src/Services/Audits/DebugModeAuditService.php b/src/Services/Audits/DebugModeAuditService.php index 2cc953e..69f3c0a 100644 --- a/src/Services/Audits/DebugModeAuditService.php +++ b/src/Services/Audits/DebugModeAuditService.php @@ -32,24 +32,18 @@ public function run(): bool // Only check for development packages if we're actually running in production if ($this->isActuallyProduction()) { - // Check for development packages in composer.json - $composerJson = $this->getComposerJson(); - if ($composerJson) { - $installedPackages = array_merge( - array_keys($composerJson['require'] ?? []), - array_keys($composerJson['require-dev'] ?? []) - ); - - foreach ($this->devPackages as $devPackage) { - if (in_array($devPackage, $installedPackages)) { - $this->addFinding([ - 'package' => $devPackage, - 'title' => 'Development package detected in production', - 'severity' => 'high', - 'cve' => null, - 'affected_versions' => null - ]); - } + // Check for development packages in vendor/composer/installed.json + $installedPackagesNames = $this->getInstalledPackagesNames(); + + foreach ($this->devPackages as $devPackage) { + if (in_array($devPackage, $installedPackagesNames)) { + $this->addFinding([ + 'package' => $devPackage, + 'title' => 'Development package detected in production', + 'severity' => 'high', + 'cve' => null, + 'affected_versions' => null + ]); } } @@ -90,24 +84,31 @@ public function run(): bool return true; } - /** - * @return array|null - */ - private function getComposerJson(): ?array + private function getInstalledPackagesNames(): array + { + $installedPackages = $this->getInstalledPackages(); + + return isset($installedPackages['packages']) + ? array_column($installedPackages['packages'], 'name') + : []; + } + + private function getInstalledPackages(): array { - $composerPath = base_path('composer.json'); - if (!file_exists($composerPath)) { - return null; + $installedPath = base_path('vendor/composer/installed.json'); + + if (!file_exists($installedPath)) { + return []; } - $composerJsonContent = file_get_contents($composerPath); - return json_decode($composerJsonContent, true); + $installedContents = file_get_contents($installedPath); + return json_decode($installedContents, true); } private function hasExposedTestingRoutes(): bool { $routeCollection = \Route::getRoutes(); - + // Check debugbar routes separately as they're allowed when APP_DEBUG is true foreach ($routeCollection as $route) { $uri = $route->uri(); @@ -119,14 +120,14 @@ private function hasExposedTestingRoutes(): bool continue; } - + // Check other testing routes that should never be exposed in production $testingRoutes = [ 'telescope', 'horizon', '_dusk', ]; - + foreach ($testingRoutes as $testingRoute) { if (str_starts_with($uri, $testingRoute)) { return true; @@ -151,7 +152,7 @@ private function hasProtectiveMiddleware($route): bool 'role:', 'Barryvdh\Debugbar\Middleware\DebugbarEnabled' ]; - + foreach ($middleware as $m) { foreach ($protectiveMiddleware as $protect) { if (str_starts_with($m, $protect)) { @@ -159,7 +160,7 @@ private function hasProtectiveMiddleware($route): bool } } } - + return false; }