
function PluginManager::isPluginAllowed

@internal

3 calls to PluginManager::isPluginAllowed()
PluginManager::addPlugin in vendor/composer/composer/src/Composer/Plugin/PluginManager.php
Adds a plugin, activates it and registers it with the event dispatcher
PluginManager::loadRepository in vendor/composer/composer/src/Composer/Plugin/PluginManager.php
Load all plugins and installers from a repository
PluginManager::registerPackage in vendor/composer/composer/src/Composer/Plugin/PluginManager.php
Register a plugin package, activate it etc.

File

vendor/composer/composer/src/Composer/Plugin/PluginManager.php, line 693

Class

PluginManager
Plugin manager

Namespace

Composer\Plugin

Code

/**
 * Decides whether the Composer plugin shipped by $package may be loaded,
 * based on the allow-plugins rules held by this manager.
 *
 * This is the gate in front of plugin code execution. The outcomes are:
 *  - a rule pattern matches: the first match decides, and only a value that
 *    is strictly true allows the plugin;
 *  - no rules are configured (null) and the IO is non-interactive: every
 *    plugin is allowed (backwards-compatibility mode, with warnings);
 *  - no rule matches and a prompt is possible: the user decides, and a y/n
 *    answer is written back to the allow-plugins config;
 *  - otherwise: false when $optional is set, else PluginBlockedException.
 *
 * @internal
 *
 * @param string $package        Package name tested against the rule patterns.
 * @param bool   $isGlobalPlugin Selects the global rule set instead of the project one.
 * @param bool   $optional       When no rule matches and no prompt is shown, return false instead of throwing.
 * @param bool   $prompt         Whether an interactive IO may ask the user for a decision.
 *
 * @return bool True when the plugin may run, false when it must not.
 *
 * @throws PluginBlockedException When no rule matches and no prompt is shown
 *                                (with $optional false), or when the prompt is
 *                                aborted after too many unrecognised answers.
 */
public function isPluginAllowed(string $package, bool $isGlobalPlugin, bool $optional = false, bool $prompt = true) : bool {
    // $rules is bound by reference: every assignment to it below updates the
    // selected property on this manager, not a local copy.
    if ($isGlobalPlugin) {
        $rules =& $this->allowGlobalPluginRules;
    }
    else {
        $rules =& $this->allowPluginRules;
    }
    // This is a BC mode for lock files created pre-Composer-2.2 where the expectation of
    // an allow-plugins config being present cannot be made.
    if ($rules === null) {
        if (!$this->io
            ->isInteractive()) {
            // Security-relevant: with no allow-plugins config and a non-interactive IO
            // (e.g. CI), the plugin is allowed after two warnings. Declaring allow-plugins
            // explicitly keeps unattended runs out of this branch.
            $this->io
                ->writeError('<warning>For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins</warning>');
            $this->io
                ->writeError('<warning>This warning will become an exception once you run composer update!</warning>');
            // Stored through the reference, so later calls see non-null rules and skip the
            // warnings. Presumably '{}' is an empty pattern that matches any package name
            // (confirm against Preg::isMatch).
            $rules = [
                '{}' => true,
            ];
            // if no config is defined we allow all plugins for BC
            return true;
        }
        // keep going and prompt the user
        $rules = [];
    }
    // First matching pattern wins; the strict comparison means any value other than
    // boolean true denies the plugin.
    foreach ($rules as $pattern => $allow) {
        if (Preg::isMatch($pattern, $package)) {
            return $allow === true;
        }
    }
    // Hard-coded deny for this one package; only reached when no rule matched above.
    if ($package === 'composer/package-versions-deprecated') {
        return false;
    }
    if ($this->io
        ->isInteractive() && $prompt) {
        // Answers for a global plugin are persisted to the global Composer instance when
        // one is available, otherwise to the current one.
        $composer = $isGlobalPlugin && $this->globalComposer !== null ? $this->globalComposer : $this->composer;
        $this->io
            ->writeError('<warning>' . $package . ($isGlobalPlugin || $this->runningInGlobalDir ? ' (installed globally)' : '') . ' contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins</warning>');
        $attempts = 0;
        while (true) {
            // do not allow more than 5 prints of the help message, at some point assume the
            // input is not interactive and bail defaulting to a disabled plugin
            // NOTE(review): $attempts is incremented after each help print and tested with
            // "> 5", so the help text can be printed six times before the abort.
            $default = '?';
            if ($attempts > 5) {
                $this->io
                    ->writeError('Too many failed prompts, aborting.');
                // Leaves the while loop; execution then reaches the throw at the end of
                // the method, so an aborted prompt never enables the plugin.
                break;
            }
            switch ($answer = $this->io
                ->ask('Do you trust "<fg=green;options=bold>' . $package . '</>" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [<comment>y,n,d,?</comment>] ', $default)) {
                case 'y':
                case 'n':
                case 'd':
                    // Only 'y' enables the plugin; 'n' and 'd' both deny it.
                    $allow = $answer === 'y';
                    // persist answer in current rules to avoid prompting again if the package gets reloaded
                    $rules[BasePackage::packageNameToRegexp($package)] = $allow;
                    // persist answer in composer.json if it wasn't simply discarded
                    if ($answer === 'y' || $answer === 'n') {
                        $allowPlugins = $composer->getConfig()
                            ->get('allow-plugins');
                        // The answer is written back only when the existing allow-plugins
                        // value is an array; any other value is left untouched.
                        if (is_array($allowPlugins)) {
                            $allowPlugins[$package] = $allow;
                            if ($composer->getConfig()
                                ->get('sort-packages')) {
                                ksort($allowPlugins);
                            }
                            // Update the config source and the in-memory config together so
                            // both reflect the new decision.
                            $composer->getConfig()
                                ->getConfigSource()
                                ->addConfigSetting('allow-plugins', $allowPlugins);
                            $composer->getConfig()
                                ->merge([
                                'config' => [
                                    'allow-plugins' => $allowPlugins,
                                ],
                            ]);
                        }
                    }
                    return $allow;
                case '?':
                default:
                    // Any unrecognised answer counts as a failed attempt and prints the help.
                    $attempts++;
                    $this->io
                        ->writeError([
                        'y - add package to allow-plugins in composer.json and let it run immediately',
                        'n - add package (as disallowed) to allow-plugins in composer.json to suppress further prompts',
                        'd - discard this, do not change composer.json and do not allow the plugin to run',
                        '? - print help',
                    ]);
                    // Exits the switch only; the while loop prompts again.
                    break;
            }
        }
    }
    elseif ($optional) {
        // No prompt was shown and the caller marked the plugin optional: deny quietly.
        return false;
    }
    // Fail closed: no rule matched and no decision was obtained from the user.
    throw new PluginBlockedException($package . ($isGlobalPlugin || $this->runningInGlobalDir ? ' (installed globally)' : '') . ' contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe.' . PHP_EOL . 'You can run "composer ' . ($isGlobalPlugin || $this->runningInGlobalDir ? 'global ' : '') . 'config --no-plugins allow-plugins.' . $package . ' [true|false]" to enable it (true) or disable it explicitly and suppress this exception (false)' . PHP_EOL . 'See https://getcomposer.org/allow-plugins');
}
