Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
14 Oct 2022 at 09:19 UTC
Updated:
3 Mar 2024 at 12:39 UTC
Jump to comment: Most recent
Comments
Comment #2
avpadernoThank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
phpcs --standard=Drupal,>DrupalPracticeon the project, which alone fixes most of what reviewers would report.To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #3
avpadernoComment #4
avpadernoStrings shown in the user interface must be translated.
Any dependency should be defined as service arguments, in the .services.yml file.
I think that is already done from Drupal core because none of the core modules deletes the values for the configuration objects they use.
Comment #5
avpadernoComment #6
avpadernoComment #7
seeduardo commented@apaderno - many thanks for your comments and assessments, and apologies that it's taken so long to get back to you, but we just wanted to let you know that we are working through the recommendations you made. Hopefully they will all be done soon!
Comment #8
rassoni commentedHello @seeduardo,
Found coding standard issues.
Comment #9
daceej commentedHello @seeduardo!
Can you specify what sets Site Guardian apart from similar modules such as DRD, Vitals, and Monitoring on the product page and/or README?
It looks like the site_guardian_key will be exported as part of the Drupal configuration export. Many modules do this, but you may want to consider explicitly flagging this in the README or on the product page so that site maintainers can take actions as needed. Many site owners prefer to keep config items like this in environment variable or even directly in settings.php as an override.
The access check happening in checkActivationAndSiteGuardianKey() is potentially susceptible to timing attacks. The key comparison should be done using hash_equals() to mitigate.
Finally, you should consider taking advantage of the Flood API. It looks like the module may currently open a site up to a brute force attacks while attempting to guess the key. Limiting the number of failed access checks via the Flood API would be a great way to mitigate that.
BTW - I am the maintainer of the Vitals module, which suffered from the exact same issues I'm flagging here. You can see the protections that vitals uses to address these concerns here.
Comment #10
seeduardo commented@apaderno, @Rassoni, @daceej - thanks to you all for your comments. The Site Guardian team raised tickets for them all and we have now been through the process of making all the changes necessary, please do refer to the SG issue queue as required. I therefore submit this security advisory coverage application for further review here once again, now that the above issues have been addressed. Many thanks in advance!
Comment #11
vinaymahale commentedComment #12
vinaymahale commentedPlease fix the appropriate PHPCS issues especially the error reported by PHPCS:
Comment #13
vinaymahale commentedComment #14
avpadernoComment #15
dunx commentedThanks for the feedback @vinaymahale. We'll address at that one error.
The README.md files having long lines is good not bad, so we won't be making any of those changes obviously.
Comment #16
avpadernoActually, the Drupal coding standards say text lines must not exceed 80 characters, so longer lines is bad, not good.
Also, this is a seeduardo's application and only seeduardo can do commits for the time this application is open, since we are reviewing what seeduardo understands about writing code that follows the coding standards, correctly uses the Drupal API, and does not contain security issues. We do not review what all the project maintainers as team understand about those points.
Comment #17
seeduardo commentedThank you all @vinaymahale, @dunx and @apaderno. The PHPCS issues reported in this thread have now been addressed, as well as others noted by using more stringent set of standards (interesting exercise to compare these).
Comment #18
seeduardo commentedComment #19
vinaymahale commentedComment #20
vinaymahale commentedNo issues found
Changing status to RTBC!
Comment #21
avpaderno/src/Controller/SiteGuardianController.php
Since the module defines itself as installable on Drupal 8 and Drupal 9, it cannot use features available on PHP 7.4.
The documentation comment for methods inherited from a parent class or defined in an interface are different. Container interface. is not a description for a method.
The documentation for the return value is missing.
Instead of building a link markup concatenating strings, the code should use the functions/methods Drupal make available.
src/Form/SiteGuardianForm.php
(Just as a side note) Chaining method calls is possible with the class instance stored in
$settings.Comment #22
avpadernoI am changing priority as per Issue priorities.
Comment #23
seeduardo commentedMany thanks once again @vinaymahale and @apaderno - I have now made changes to the project in line with recommendations, as well as a couple of related/corollary changes.
Comment #24
vishal.kadamFILE: src/Form/SiteGuardianForm.php
FILE: src/Controller/SiteGuardianController.php
FILE: src/Controller/SiteGuardianEndpointsController.php
The documentation comment for constructors is not mandatory anymore, If it is given, the description must be Constructs a new [class name] object. where [class name] includes the class namespace.
Function and method declarations are written on a single line.
Comment #25
seeduardo commentedMany thanks for your comments @vishal.kadam. You will note as at comment #17 here, that PHPCS has been stringently run on the Site Guardian code, and according to stricter standards than normally required. None of the issues you mention have ever come to light that way, and running the sniffer again just now, they still don't. Nevertheless, I agree that the class constructor docblocks you mention are contemporarily extraneous, and not necessary in our case anyway, so I have removed them altogether.
However, I was more confused by your comment that 'Function and method declarations are written on a single line.' Are you still referring to the class constructors from which you pasted code? If so, I'd have to say that the coding standards are more ambiguous on this matter than you are.
For instance, I could stick all the arguments for the SiteGuardianController constructor (as per your second code block example) onto one line, but then PHPCS would indeed throw up an error of exceeding the 80 character limit. The coding standards on function declarations actually don't mention the single line issue you're talking about at all, and whilst it is true that the standards section on line length does nominally permit longer function definitions to exceed 80 characters, it doesn't say they should or have to - it is left to interpretation.
Above, in comment #16 here, @apaderno is far more stringent than this: while Drupal.org's wording states "In general, all lines of code should not be longer than 80 characters.", he instead, in this very project application, writes that "the Drupal coding standards say text lines must not exceed 80 characters, so longer lines is bad, not good" (my emphasis added), which would certainly contradict what I interpret as your somewhat tacit prescription of an exceedingly long class constructor declaration with all its arguments on a single line.
Indeed, you'll note that there are instances in Core itself where function declarations are not just spread across multiple lines but also decidedly more convoluted than mine, for example in the AttributeClassDiscovery plugin, whose constructor declaration (at time of writing) starts at line 45 but runs down to line 49, and it's arguable that perhaps it's best that it does.
For all these reasons, and above all else for what I see as plain old readability's sake, I'm electing to leave any multi-line constructor declarations mentioned in your comments just as they are.
Comment #26
bbu23Hi,
1. I'm not sure why the default configuration is not defined in the
config/installfolder, but instead set in the hook_install. The only value that is dynamic in that hook seems to be "site_guardian_key", which anyways I assume is must be set afterwards by a human.2. src/Form/SiteGuardianForm.php:
The type of the $siteGuardian is "object" instead of "SiteGuardianService" .
3. src/Form/SiteGuardianForm.php:
The ConfigFormBase already implements __construct and create, and your Class overrides both. Construct should call the parent and keep the initial param, and create should return both arguments.
4. src/Controller/SiteGuardianController.php (personal preference, minor)
The "else" statement here is redundant.
Comment #27
klausimanual review:
config schema is missing, see https://www.drupal.org/docs/drupal-apis/configuration-api/configuration-...
Otherwise looks good to me.
Thanks for your contribution, seeduardo!
I updated your account so you can opt into security advisory coverage now.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #28
avpaderno