AI Security Review
scanned 5h ago · by lpm-firewall-aiAutomatic installation downloads and extracts a remote platform-specific PHP executable without verifying its integrity. Later runtime execution trusts the extracted binary.
Decision evidence
public snapshot- `scripts/postinstall.js` runs automatically after install and downloads a platform PHP archive from `https://dl.static-php.dev/static-php-cli/common/...`.
- The lifecycle script writes the remote archive under the OS temp directory, extracts it into `runtime/php-bin/<platform>/`, and marks the resulting PHP executable runnable.
- No checksum, signature, pinned digest, or other integrity verification is applied before the downloaded executable is trusted.
- `runtime/main.js` later selects `runtime/php-bin/.../php` and executes it for `php-app run`.
- `package.json` contains no preinstall hook; its only lifecycle hook is the visible `postinstall` downloader.
- Observed network endpoints are the static PHP host, npm registry update lookup, and loopback control/runtime servers; no credential collection or third-party exfiltration appears in inspected source.
- `runtime/main.js` binds control and PHP servers to `127.0.0.1` and protects bridge requests with random tokens.
- `bin/php-app.js` child-process calls implement explicit CLI `run`, `build`, `doctor`, and `update` functions.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/php-app.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
runtime/main.jsView on unpkg · L130Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
runtime/main.jsView on unpkg · L131Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/postinstall.jsView on unpkg · L4Install-named source file stages remote content through filesystem writes and execution.
scripts/postinstall.jsView on unpkg · L4Package ships non-JavaScript build or shell helper files.
bin/fetch-php.shView on unpkg