id: composer-config

info:
  name: composer-config-file
  author: Mahendra Purbia (Mah3Sec_)
  severity: info
  tags: config,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/composer.json"
      - "{{BaseURL}}/composer.lock"
      - "{{BaseURL}}/.composer/composer.json"
      - "{{BaseURL}}/vendor/composer/installed.json"

    matchers:
      - type: dsl
        name: composer.lock
        dsl:
          - "contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200"

      - type: dsl
        name: composer.json
        dsl:
          - "contains(body, 'require') && contains(tolower(all_headers), 'application/json') && status_code == 200"