Problem/Motivation

On #2393339: [META] Make sure Views base fields are using Field API for formatting, and do not lose functionality, we are updating all base entity fields in entity views data so that they are using Field API for formatting rather than using generic Views handlers.

This issue is about two fields on AggregatorItem and AggregatorField that are using a custom 'aggregator_xss' formatter.

Proposed resolution

Change aggregator_item.author and aggregator_feed.description to use the Field API formatter 'field' instead of 'xss' and 'aggregator_xss'. Remove the custom 'aggregator_xss' formatter plugin.

Remaining tasks

Make a patch.

User interface changes

None.

API changes

Not really.

Comments

jhodgdon’s picture

Status: Active » Postponed

As a note, we probably cannot replace these until we have a Field UI formatter that does XSS filtering.

jhodgdon’s picture

Priority: Major » Critical

Elevating to critical, as per parent issue.

jhodgdon’s picture

Status: Postponed » Active

Apparently we should just be able to use 'field'. See comments on #2455153: Switch revision log views fields to use 'field' formatter.

xjm’s picture

Issue tags: +VDC
dawehner’s picture

Its a bit odd, ideally we should be able to just drop that file and all its uses, but for some reason aggregator has its own specialized xss filter.

function aggregator_filter_xss($value) {
  return Xss::filter($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY));
}

Does anyone know why?

ParisLiakos’s picture

this function is ancient and will be there forever unless this issue is fixed

dawehner’s picture

Thanks a ton @ParisLiakos for your feedback!

berdir’s picture

Yeah that thing is weird. Would have been nice to get rid of it, but not sure we should still try.

We're talking about field access and translatability of feed and feed items. At least by default in core, those two entity types are not translatable and have no data table. And field access on feed/item titles? I challenge you do provide a use case where that would make sense ;)

Should this *really* be a critical release blocker? I'm worried that we use this meta issue to push through all kinds of changes that would otherwise no longer be possible, resulting in more API and database/config changes. 8.0.0 will not be perfect, we have to accept that or it will never happen.

jhodgdon’s picture

If Aggregator has no entity access, then we can ignore it. But I assert that it does. I am not saying it's *useful* but if it uses the entity access system then I don't think Views should be bypassing it?

dawehner’s picture

Well that is the problem, everyone can theoretically swap out the implementation and boom we have a security problem, unless views uses the proper mechanisms,
so I think we have to do it.

berdir’s picture

Well, entity field access is technically possible, my points are...

a) it's the entity label (Drupal's UI's usually fall apart completely if you can't see node titles, taxonomy terms or feed titles but have access to the entity)
b) it's feeds and feed items, I see no practical use of field level access, it's for 99% of the cases aggregation of content that is publicly availalbe elsewhere.
c) The default UI for aggregator.module is still custom code and not provided by views. And that custom code doesn't care about entity field access in any way. So why would supporting it in the views integration be a critical release-blocker?

I'm not against fixing it. And I've been trying to fix #2149845: Convert the description field of the 'aggregator_item' entity to a text field a long, long time ago. But it didn't happen, and IMHO, we have to live with that now. This is similar to the user signature case, it's custom data/formatter handling, we would have to change storage to support this, which be one more thing that breaks existing D8 sites (I do have those, although I'm not using aggregator). Which is fine if it's worth it, my point is that IMHO, in this case, it is not.

jhodgdon’s picture

Exactly, that is why we have this issue.

berdir’s picture

I guess we could convert the custom views field plugins to custom field formatters, that just apply to those specific entity types/fields, but not sure what we gain with that exactly.

Anyway, what I care about is getting D8 out asap, and with as few API changes as possible (and as many as required). That said, I'm not actually using aggregator.module at the moment, so I don't care too much about this specific issue. I tried to make my point, won't continue to argue.

dawehner’s picture

Priority: Critical » Major

c) The default UI for aggregator.module is still custom code and not provided by views. And that custom code doesn't care about entity field access in any way. So why would supporting it in the views integration be a critical release-blocker?

That is a strong point.

Also neither aggregator feed nor aggregator item is translatable, so the other part of the meta doesn't apply here.
I think for this particular field we can indeed move the issue to be "just" major. Does someone strongly disagree?

xjm’s picture

So to this point:

it's feeds and feed items, I see no practical use of field level access, it's for 99% of the cases aggregation of content that is publicly available elsewhere

I've used Feeds in Drupal 6 to import data from a feed on a restricted local network onto a site, which then displayed some of the content on a publicly-accessible intranet, but with restricted access on some fields. If I built a view of that content and my access rules were ignored when they were followed everywhere else, wouldn't that be an information disclosure that merited a private security issue? Obviously my particular scenario wouldn't happen since those were configurable fields, but isn't something similar possible?

It's obviously not critical the way that (say) the user email field was, but at the least, I think we need a big caveat in the Views UI when you add those fields. I'd like a second opinion from a sec team member, but I think if we had that, we could indeed downgrade this or even wontfix it if so desired.

dawehner’s picture

Well, won't fix is certainly the wrong thing, given that it adds value to convert the beside of "just" security.

xjm’s picture

@dawehner clarified in IRC that the edgecase disclosures I describe in #15 would also happen in HEAD with aggregator itself currently, which didn't quite click before. So agreed with this being major.

k4v’s picture

Assigned: Unassigned » k4v
Status: Active » Needs review
StatusFileSize
new3.48 KB
k4v’s picture

Issue tags: +#drupaldevdays
yannickoo’s picture

Issue tags: -#drupaldevdays +drupaldevdays
axe312’s picture

- just wanted to remove the hashtag from the issue tag ... yannickoo was faster -

jhodgdon’s picture

Status: Needs review » Needs work

Huh. I thought we had decided that the generic Field formatter would do enough XSS filtering, so we didn't really need to do anything special like making an Aggregator formatter here? See comment #3 above, which is when the Proposed Resolution was changed to say that we should just use Field.

So I think the plan here is to (a) just use Field, no extra formatter and (b) remove the XSS Views field handler from Aggregator[this patch does that] and then I think we can also (c) remove the aggregator_filter_xss() function that the XSS field handler called (assuming it is not used elsewhere in Core). May need a change notice for that? Or we can leave it around as cruft. ;)

jhodgdon’s picture

Status: Needs work » Reviewed & tested by the community

OK, I talked to @dawehner at DDD and we decided yes we should have a formatter. So I took a look at this patch.

As a note, the aggregator filter function that is called, in turn calls Xss::filter(), which sets the Safe Markup thingy, so we're good. It uses a setting that admins can do to filter out certain tags. This is probably what we want for Aggregator, because this is external text coming from a feed.

@dawehner agrees (he is standing behind me). Let's ship it!

berdir’s picture

Yeah, without #2149845: Convert the description field of the 'aggregator_item' entity to a text field (which would have added a text format in aggregator.module that it would be using), we can't use the default formatters and need a custom one.

alexpott’s picture

Status: Reviewed & tested by the community » Needs review
Issue tags: +Needs tests

Is there any test coverage of this?

jhodgdon’s picture

Status: Needs review » Needs work

It appears to me that \Drupal\aggregator\Tests\Views\IntegrationTest should test several of the fields that use this.

However, it is very suspicious that this test uses a test view:
core/modules/aggregator/tests/modules/aggregator_test_views/test_views/views.view.test_aggregator_items.yml
This view is not updated in this patch, and yet the test does not fail. It is definitely referencing a plugin that is removed in this patch. ???!?

k4v’s picture

StatusFileSize
new5.05 KB
new1.57 KB

I'm not sure, why the test did not fail. I now removed all references to aggregator_xss also from the config.

Test coverage is okay I think, the fields are rendered as before.

k4v’s picture

oops

k4v’s picture

Status: Needs work » Needs review
jhodgdon’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs tests

I verified in the test bot output that IntegrationTest is running (38 passes). It definitely tests the XSS functionality for the fields that have been changed. I do not think we need new tests added.

I think the reason we didn't have a fail before, even without the views config changes, is that technically, Views doesn't actually use the plugin_id that is defined in the views config -- it always uses the plugin ID that is defined in the hook_views_data or EntityViewsData. Since there were no schema changes for the plugin change (neither the old or the new one has options on the formatter), there was no complaint about the change.

Anyway, this still looks RTBC.

alexpott’s picture

Status: Reviewed & tested by the community » Fixed

This issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 5f987ee and pushed to 8.0.x. Thanks!

  • alexpott committed 5f987ee on 8.0.x
    Issue #2455149 by k4v, jhodgdon, dawehner, Berdir: Aggregator xss fields...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.