|
| 1 | +<?php |
| 2 | +/** |
| 3 | + * @author Magebit <info@magebit.com> |
| 4 | + * @copyright Copyright (c) Magebit, Ltd. (https://magebit.com) |
| 5 | + * @license MIT |
| 6 | + */ |
| 7 | +declare(strict_types=1); |
| 8 | + |
| 9 | +namespace Magebit\Mcp\Model\ModuleUpdate; |
| 10 | + |
| 11 | +use Composer\Semver\VersionParser; |
| 12 | +use Magebit\Mcp\Api\LoggerInterface; |
| 13 | +use Magento\Framework\HTTP\Client\Curl; |
| 14 | +use Throwable; |
| 15 | + |
| 16 | +/** |
| 17 | + * Looks up the latest stable release of a package from the Packagist p2 metadata API. |
| 18 | + * |
| 19 | + * Hardened for unattended use: HTTPS-only, no redirects, bounded timeout, capped response. |
| 20 | + * Never throws — every failure path logs and returns null so cron can't be broken by Packagist. |
| 21 | + */ |
| 22 | +class PackagistClient |
| 23 | +{ |
| 24 | + private const ENDPOINT = 'https://repo.packagist.org/p2/%s.json'; |
| 25 | + private const TIMEOUT_SECONDS = 5; |
| 26 | + private const MAX_RESPONSE_BYTES = 1048576; |
| 27 | + |
| 28 | + /** |
| 29 | + * Packagist's own package-name grammar; guards against a tampered composer.json |
| 30 | + * smuggling path traversal or a host into the URL. |
| 31 | + */ |
| 32 | + private const PACKAGE_NAME_PATTERN = '#^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]|-{1,2})?[a-z0-9]+)*$#'; |
| 33 | + |
| 34 | + /** |
| 35 | + * @param Curl $curl |
| 36 | + * @param VersionParser $versionParser |
| 37 | + * @param VersionComparator $versionComparator |
| 38 | + * @param LoggerInterface $logger |
| 39 | + */ |
| 40 | + public function __construct( |
| 41 | + private readonly Curl $curl, |
| 42 | + private readonly VersionParser $versionParser, |
| 43 | + private readonly VersionComparator $versionComparator, |
| 44 | + private readonly LoggerInterface $logger |
| 45 | + ) { |
| 46 | + } |
| 47 | + |
| 48 | + /** |
| 49 | + * Highest stable version published for the package, or null on any failure. |
| 50 | + * |
| 51 | + * @param string $packageName |
| 52 | + * @return ?string |
| 53 | + */ |
| 54 | + public function getLatestStableVersion(string $packageName): ?string |
| 55 | + { |
| 56 | + if (preg_match(self::PACKAGE_NAME_PATTERN, $packageName) !== 1) { |
| 57 | + $this->logger->warning('MCP update check rejected malformed package name.', ['package' => $packageName]); |
| 58 | + return null; |
| 59 | + } |
| 60 | + |
| 61 | + try { |
| 62 | + $body = $this->fetch(sprintf(self::ENDPOINT, $packageName)); |
| 63 | + if ($body === null) { |
| 64 | + return null; |
| 65 | + } |
| 66 | + |
| 67 | + /** @var array<string, mixed> $decoded */ |
| 68 | + $decoded = json_decode($body, true, 512, JSON_THROW_ON_ERROR); |
| 69 | + return $this->highestStableVersion($decoded, $packageName); |
| 70 | + } catch (Throwable $e) { |
| 71 | + $this->logger->warning( |
| 72 | + 'MCP update check failed to query Packagist.', |
| 73 | + ['package' => $packageName, 'exception' => $e] |
| 74 | + ); |
| 75 | + return null; |
| 76 | + } |
| 77 | + } |
| 78 | + |
| 79 | + /** |
| 80 | + * @param string $uri |
| 81 | + * @return ?string Raw response body, or null if the request did not return a usable 200. |
| 82 | + */ |
| 83 | + private function fetch(string $uri): ?string |
| 84 | + { |
| 85 | + $this->curl->setTimeout(self::TIMEOUT_SECONDS); |
| 86 | + $this->curl->setOptions([ |
| 87 | + CURLOPT_CONNECTTIMEOUT => self::TIMEOUT_SECONDS, |
| 88 | + CURLOPT_FOLLOWLOCATION => false, |
| 89 | + CURLOPT_PROTOCOLS => CURLPROTO_HTTPS, |
| 90 | + CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, |
| 91 | + CURLOPT_SSL_VERIFYPEER => true, |
| 92 | + CURLOPT_SSL_VERIFYHOST => 2, |
| 93 | + ]); |
| 94 | + |
| 95 | + $this->curl->get($uri); |
| 96 | + |
| 97 | + if ($this->curl->getStatus() !== 200) { |
| 98 | + return null; |
| 99 | + } |
| 100 | + |
| 101 | + $body = $this->curl->getBody(); |
| 102 | + if (strlen($body) > self::MAX_RESPONSE_BYTES) { |
| 103 | + $this->logger->warning('MCP update check ignored oversized Packagist response.', ['uri' => $uri]); |
| 104 | + return null; |
| 105 | + } |
| 106 | + |
| 107 | + return $body; |
| 108 | + } |
| 109 | + |
| 110 | + /** |
| 111 | + * Walks the p2 release list, keeps stable versions, returns the highest. |
| 112 | + * |
| 113 | + * @param array<string, mixed> $decoded |
| 114 | + * @param string $packageName |
| 115 | + * @return ?string |
| 116 | + */ |
| 117 | + private function highestStableVersion(array $decoded, string $packageName): ?string |
| 118 | + { |
| 119 | + $packages = $decoded['packages'] ?? null; |
| 120 | + if (!is_array($packages) || !isset($packages[$packageName]) || !is_array($packages[$packageName])) { |
| 121 | + return null; |
| 122 | + } |
| 123 | + |
| 124 | + $highest = null; |
| 125 | + foreach ($packages[$packageName] as $release) { |
| 126 | + if (!is_array($release)) { |
| 127 | + continue; |
| 128 | + } |
| 129 | + $version = $release['version'] ?? null; |
| 130 | + if (!is_string($version) || $version === '') { |
| 131 | + continue; |
| 132 | + } |
| 133 | + if ($this->versionParser->parseStability($version) !== 'stable') { |
| 134 | + continue; |
| 135 | + } |
| 136 | + if ($highest === null || $this->versionComparator->isNewer($version, $highest)) { |
| 137 | + $highest = $version; |
| 138 | + } |
| 139 | + } |
| 140 | + |
| 141 | + return $highest; |
| 142 | + } |
| 143 | +} |
0 commit comments