Vendor cleanup fail for twig/twig [#3082145]

Problem/Motivation

In Drupal\Core\Composer\Composer::vendorTestCodeCleanup() we attempt to remove test directories from the vendor directory as security mitigation.

The test directory for twig/twig is listed as test, which is accurate up through 1.42.2: https://github.com/twigphp/Twig/tree/v1.42.2

But then in 1.42.3 it's changed to tests: https://github.com/twigphp/Twig/tree/v1.42.3

This leaves behind the tests for twig/twig after an update.

This same issue is present in 8.8.x's vendor hardening plugin: https://git.drupalcode.org/project/drupal/blob/8.8.x/composer/Plugin/Ven...

Proposed resolution

Add tests to the list of directories to remove, so that we attempt to remove both test and tests.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comment	File	Size	Author
#10	3082145-10-8.7.x.patch	517 bytes	voleger
#10	8.7.x: PHP 7.1 & MySQL 5.7 26,453 pass
#5	3082145-5.patch	1.21 KB	voleger
#5	8.8.x: PHP 7.1 & MySQL 5.7 27,184 pass
#3	3082145-3-8.8.x.patch	623 bytes	voleger
#3	8.8.x: PHP 7.1 & MySQL 5.7 27,176 pass
#3	3082145-3-8.7.x.patch	517 bytes	voleger
#3	8.7.x: PHP 7.1 & MySQL 5.7 26,440 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

18 September 2019 at 20:01

Mile23 created an issue. See original summary.

Comment #2

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 18 September 2019 at 20:41

Issue summary:

View changes

Comment #3

voleger

he/his

Ukrainian

Ukraine, Rivne

CreditAttribution: voleger as a volunteer and at GOLEMS GABB, Drupal Ukraine Community for Drupal Ukraine Community, GOLEMS GABB commented 18 September 2019 at 22:45

Status:

Active

» Needs review

File	Size
3082145-3-8.7.x.patch	517 bytes
8.7.x: PHP 7.1 & MySQL 5.7 26,440 pass
3082145-3-8.8.x.patch	623 bytes
8.8.x: PHP 7.1 & MySQL 5.7 27,176 pass

Here the patches for both branches

Comment #4

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 19 September 2019 at 05:51

Version:	8.7.x-dev	» 8.8.x-dev
Status:	Needs review	» Needs work
Issue tags:		+needs backport to 8.7.x

Thanks, @voleger. :-)

Let's just do 8.8.x now and then get a backport, because they're different.

+++ b/core/lib/Drupal/Core/Composer/Composer.php
@@ -90,7 +90,7 @@ class Composer {
+    'twig/twig' => ['doc', 'ext', 'test', 'tests'],

We need this same change in composer/Plugin/VendorHardening/Config.php.

Comment #5

voleger

he/his

Ukrainian

Ukraine, Rivne

CreditAttribution: voleger as a volunteer and at GOLEMS GABB, Drupal Ukraine Community for Drupal Ukraine Community, GOLEMS GABB commented 19 September 2019 at 06:29

Status:

Needs work

» Needs review

File	Size
3082145-5.patch	1.21 KB
8.8.x: PHP 7.1 & MySQL 5.7 27,184 pass

2 files were hidden/shown/deleted

File	Size
3082145-3-8.7.x.patch	517 bytes
8.7.x: PHP 7.1 & MySQL 5.7 26,440 pass
3082145-3-8.8.x.patch	623 bytes
8.8.x: PHP 7.1 & MySQL 5.7 27,176 pass

Sure

Comment #6

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 22 September 2019 at 02:14

Status:

Needs review

» Reviewed & tested by the community

LGTM. :-)

Comment #7

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 22 September 2019 at 02:32

Title:

Test directories left behind for twig/twig

» Vendor cleanup fail for twig/twig

Updated title to be clearer.

Comment #8

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan at PreviousNext commented 22 September 2019 at 22:20

Version:	8.8.x-dev	» 8.7.x-dev
Status:	Reviewed & tested by the community	» Patch (to be ported)

Committed 69fc0df and pushed to 8.8.x. Thanks!

Comment #9

22 September 2019 at 22:21

larowlan committed 69fc0df on 8.8.x

Issue #3082145 by voleger, Mile23: Vendor cleanup fail for twig/twig

Comment #10

voleger

he/his

Ukrainian

Ukraine, Rivne

CreditAttribution: voleger as a volunteer and at GOLEMS GABB, Drupal Ukraine Community for Drupal Ukraine Community, GOLEMS GABB commented 24 September 2019 at 11:28

Status:	Patch (to be ported)	» Needs review
Issue tags:	-needs backport to 8.7.x

File	Size
3082145-10-8.7.x.patch	517 bytes
8.7.x: PHP 7.1 & MySQL 5.7 26,453 pass

1 file was hidden/shown/deleted

File	Size
3082145-5.patch	1.21 KB
8.8.x: PHP 7.1 & MySQL 5.7 27,184 pass

Patch for 8.7.x

Comment #11

Mile23

English

Seattle, WA

CreditAttribution: Mile23 as a volunteer commented 24 September 2019 at 17:50

Status:

Needs review

» Reviewed & tested by the community

LGTM.

Comment #12

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan at PreviousNext commented 25 September 2019 at 08:17

Status:

Reviewed & tested by the community

» Fixed

Committed 3f3c757 and pushed to 8.7.x. Thanks!

Comment #13

25 September 2019 at 08:17

larowlan committed 3f3c757 on 8.7.x

Issue #3082145 by voleger, Mile23: Vendor cleanup fail for twig/twig

Comment #14

Mixologic

He/Him/His

English

Portland, OR

CreditAttribution: Mixologic at Drupal Association commented 8 October 2019 at 05:29

Issue tags:

+Composer initiative

Comment #15

22 October 2019 at 05:34

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Vendor cleanup fail for twig/twig

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community