sebastianbergmann/php-timer

php-cs-fixer malware detected?

leonardoburchi opened this issue · 1 comment

Hello,
we are using some of your modules in our PHP web site, which uses YII2, and we are getting some warnings from our antivirus regarding the php-cs-fixer file contained in more than one project under the tools folder.
It is detected as generic malware, or by the VirusTotal website as VEX.Webshell. Are you sure it is safe?
Thank you!

The anti-virus / anti-malware you use and which reports an issue with php-cs-fixer does not have any knowledge on what PHP-CS-Fixer is or does. It is a development tool. As such, it might contain PHP code that matches malware patterns, which is what your anti-virus / anti-malware detects. But it cannot put these patterns into context.

There are code constructs that are harmless when used in a tool such as PHP-CS-Fixer assuming that this tool is only used in a development environment. In a different context, though, for instance on a web server, these code constructs are not harmless. A tool such as PHP-CS-Fixer, which is only required for working on the software but not for its operation, must not be present on a production system.

Have I looked into the php-cs-fixer binary that is in the tools directory of many of my Git repositories here on GitHub and checked whether it contains malware? No. But I know that this binary was published by @keradus. I know this because he signed https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.16.4/php-cs-fixer.phar with his GPG key E82B2FB314E9906E. This signature is published alongside the PHAR at https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.16.4/php-cs-fixer.phar.asc. I use Phive to manage the PHP archives (PHARs) of the tools I use for the development of my projects. This means that a PHAR's SHA1, SHA256 or SHA512 hash is automatically verified, as well as its OpenPGP/GnuPG signature, when I install and/or update it.

Having written all that, though, I now wonder why you even have the tools directory on your system. In all my repositories where I have a tools directory it is configured with /tools export-ignore in .gitattributes. This means that it is not distributed as part of the archive that is downloaded by Composer, for instance. So you are either using outdated versions (which did not yet have /tools export-ignore in .gitattributes) or you are using development versions from Git (where /tools export-ignore in .gitattributes has no effect).

If you do not want to have a tools folder with php-cs-fixer, for instance, then you either need to update PHPUnit and its dependencies to a recent version (where /tools export-ignore is in .gitattributes) or stop using development versions of PHPUnit.
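The reply above describes what Phive does for the maintainer: it checks the PHAR's hash and its OpenPGP signature before the file is installed. The script below is an added example, not code from this thread, from Phive or from PHP-CS-Fixer, that performs the same two checks by hand for the release URL and key id quoted in the reply. It assumes curl, gpg and sha256sum (or shasum) are installed, that the key can be fetched from keys.openpgp.org, and it treats an EXPECTED_SHA256 environment variable as the place where a hash copied from a trusted source would be supplied (that variable is an assumption of this example, not something the project publishes).

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded PHAR against a
# known SHA-256 hash and a detached OpenPGP signature before trusting it.
set -eu

# Release URL and signing key id exactly as quoted in the maintainer's reply.
PHAR_URL="https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.16.4/php-cs-fixer.phar"
SIGNING_KEY="E82B2FB314E9906E"

# Print the hex SHA-256 digest of a file, whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's digest equals the expected one, 1 otherwise.
# The comparison ignores case so a hash copied from a web page still matches.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file" | tr 'A-F' 'a-f')"
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Return 0 only if the detached signature is valid AND was made by the key we
# expect. A bare "gpg --verify" succeeds for any key in the keyring, so the
# machine-readable VALIDSIG status line is checked for the key id.
verify_gpg_signature() {
    file="$1"; sig="$2"; keyid="$3"
    status="$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)"
    printf '%s\n' "$status" | grep -qi "VALIDSIG.*${keyid}"
}

# Download the PHAR and its .asc, import the signer's key, then verify both.
fetch_and_verify() {
    curl -fsSLo php-cs-fixer.phar "$PHAR_URL"
    curl -fsSLo php-cs-fixer.phar.asc "$PHAR_URL.asc"
    gpg --keyserver keys.openpgp.org --recv-keys "$SIGNING_KEY"
    verify_gpg_signature php-cs-fixer.phar php-cs-fixer.phar.asc "$SIGNING_KEY" \
        || { echo "signature check failed: not signed by $SIGNING_KEY" >&2; return 1; }
    # EXPECTED_SHA256 is an assumed input for this example (e.g. a hash taken
    # from a trusted release note); when set, the digest must match too.
    if [ -n "${EXPECTED_SHA256:-}" ]; then
        verify_sha256 php-cs-fixer.phar "$EXPECTED_SHA256" \
            || { echo "hash check failed" >&2; return 1; }
    fi
    echo "php-cs-fixer.phar verified: signed by $SIGNING_KEY"
}

# Only touch the network when explicitly asked: ./verify-phar.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    fetch_and_verify
fi
```

The signature tells you who published the file; the hash tells you the bytes on disk are the ones that were published. Neither check says anything about whether the PHAR is safe to leave on a web server, which is the separate point the reply makes about keeping development tools out of production.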
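The last two paragraphs of the reply explain why the tools directory should not reach a downstream project at all: a "/tools export-ignore" line in .gitattributes keeps it out of the archive that git archive produces and that Composer downloads for tagged releases. The script below is an added example, not code from this thread or from any of the maintainer's repositories, that builds a throw-away repository in a temporary directory and shows the effect of adding that line. It assumes git and tar are installed; the file names inside the demo repository are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): show that "/tools export-ignore" in a
# committed .gitattributes removes tools/ from "git archive" output, while a
# plain Git checkout (a development version) still contains it.
set -eu

# Create a small repository with src/ and tools/ and print its path.
make_demo_repo() {
    repo="$(mktemp -d)"
    git -C "$repo" init -q
    mkdir -p "$repo/src" "$repo/tools"
    printf '<?php\n' > "$repo/src/App.php"
    printf 'constructed stand-in for a PHAR\n' > "$repo/tools/php-cs-fixer"
    git -C "$repo" add .
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid commit -qm "initial"
    printf '%s\n' "$repo"
}

# List the paths "git archive" would ship for HEAD (what Composer unpacks).
archive_paths() {
    git -C "$1" archive --format=tar HEAD | tar -tf -
}

# Return 0 if tools/php-cs-fixer would be part of the distributed archive.
archive_ships_tools() {
    archive_paths "$1" | grep -q '^tools/php-cs-fixer$'
}

# Return 0 if the export-ignore attribute is set on tools/php-cs-fixer.
# This is the quick check to run inside a vendored copy of a project.
is_export_ignored() {
    git -C "$1" check-attr export-ignore -- tools/php-cs-fixer \
        | grep -q 'export-ignore: set'
}

# Add the rule the maintainer describes and commit it; git archive reads
# attributes from the committed tree, so the commit is required.
add_export_ignore() {
    printf '/tools export-ignore\n' >> "$1/.gitattributes"
    git -C "$1" add .gitattributes
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -qm "ignore tools on export"
}

# Walk through the before/after when run directly.
if [ "${1:-}" = "--demo" ]; then
    repo="$(make_demo_repo)"
    echo "before: tools shipped in archive? $(archive_ships_tools "$repo" && echo yes || echo no)"
    add_export_ignore "$repo"
    echo "after:  tools shipped in archive? $(archive_ships_tools "$repo" && echo yes || echo no)"
    echo "tools/php-cs-fixer still present in the Git working tree: $(test -f "$repo/tools/php-cs-fixer" && echo yes || echo no)"
    rm -rf "$repo"
fi
```

Note the last line of the demo: the file stays in the working tree either way. export-ignore only affects archives, which is why the reply says it has no effect for people who install development versions straight from Git.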