PhpStorm project security

Recommendations

A malicious person could compromise a developer machine by uploading a malicious git commit and asking you to review it by opening it in PhpStorm.

Before opening a change in PhpStorm, review it for suspicious files, such as an .idea directory. Review changes to tool configuration, such as composer.json. Dangerous file extensions include ipr, iws, iml and gdsl.

Instead of running composer and code generation tools locally, create a container with a separate network namespace, bind mount your source tree into it, then run the tool in the container. But mount the .git and .idea directories read-only, or hide them from the container by mounting an empty directory at those locations. PhpStorm can be configured to run composer and other tools via SSH.

If your setup does not allow sharing of files with a container, you can write scripts to copy files into the container and back out, or use PhpStorm's deployment feature.

Risk analysis

The PhpStorm documentation on project security lists 7 features which will be disabled if a project is opened in "safe mode preview". From this list we may infer the security risks that come with opening a project in trusted mode. A conversation with PhpStorm support has provided a couple of extra items to add to the list.

Feature	Risk	Mitigation
Startup tasks	A malicious or exploitable startup task in project configuration	Do not use startup tasks Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
VCS support	Malicious content in .git, for example a hook An attack on non-Git version control detection, for example a .svn directory in a git commit	Use git to download changes for review. Do not open tarballs, zip files, etc. Review changes for suspicious dot files before opening: .svn, .hg, etc.
File Watchers	A malicious or exploitable file watcher task in project configuration	Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml Do not use file watchers
Composer commands	A malicious or exploitable composer script	Composer should be run in an unprivileged container. PhpStorm's composer integration can be configured to run composer via SSH. Beware of escalation from write access to the source tree to arbitrary execution in the host. Write access to the `.git` or `.idea` directories provides escalation via git hooks and malicious project configuration respectively. `composer update` only needs write access to the `vendor` directory. Review changes to composer configuration, tool configuration, ComposerHookHandler and the autoloader before running composer.
Refreshing the versions of the configured PHP command-line tools	?	Do not use command-line tools apart from Composer Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
Refreshing the versions of the configured PHP test frameworks	?	Do not configure a test framework Do not open or automatically reject changes with a .idea directory or file extensions .ipr, .iws or .iml
PHP code quality tools	Malicious configuration of code quality tools	Run code quality tools in a container via SSH. Review changes to code quality tool configuration before opening the project.
GroovyDSL scripts	PhpStorm could detect and execute `*.gdsl` scripts in the project and its external dependencies.	Do not open or automatically reject changes with `*.gdsl` files