Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Reporter:
Created:
6 Apr 2023 at 16:30 UTC
Updated:
12 May 2023 at 08:49 UTC
Jump to comment: Most recent
Comments
Comment #2
vishal.kadamThank you for applying! Reviewers will review the project files, describing what needs to be changed.
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
To reviewers: Please read How to review security advisory coverage applications, What to cover in an application review, and Drupal.org security advisory coverage application workflow.
While this application is open, only the user who opened the application can make commits to the project used for the application.
Reviewers only describe what needs to be changed; they don't provide patches to fix what reported in a review.
Comment #3
vishal.kadamComment #4
vishal.kadam1. Fix PHPCS issues.
2. FILE: file_rename.info.yml
core_version_requirement: ^8 || ^9 || ^10The Drupal Core versions before 8.7.7 do not recognize the core_version_requirement: key.
Comment #5
granik@vishal.kadam Thanks for your review! I updated the repo, see the last commit please.
Comment #6
granikComment #7
vishal.kadam@granik,
I have reviewed the changes, and they look fine to me.
Let’s wait for other reviewers to take a look and if everything goes fine, you will get the role.
Thanks
Comment #8
klausimanual review:
Not a hard security blocker, but I think sanitizing the file name would be good to rule out any issues there.
Comment #9
granik@klausi, thanks for your review!
File name validation is already implemented here: https://git.drupalcode.org/project/file_rename/-/blob/1.0.x/src/Form/Fil...
I'm not sure that FileUploadHandler should be used, because no new file is uploaded. but an existing file is renamed only.
Just added a config schema. See the last commit please.
Comment #10
granikComment #11
klausiAh great - overlooked that! Then I think only the rest of file name validation is missing like NULL bytes and dots for hidden files. Check SecurityFileUploadEventSubscriber::sanitizeName().
There could also be other event subscribers on the file name security event, so I think it is important to invoke it.
Not sure where Drupal core removes forward slashes and backslashes (or if that is handled by PHP in the upload somehow), but probably makes sense for you to forbid both of them.
Comment #12
granik@klausi, I think your suggestions are quite right. I've just pushed to repo, now the event is dispatched on form validation.
See my commit: https://git.drupalcode.org/project/file_rename/-/commit/13893901cac95bbf...
Thanks for your review!
Comment #13
alvar0hurtad0Hi,
According to EntityFormInterface, the save entity should return an integer value:
but in
Form\FileRenameForm, save() method returns also NULL:Comment #14
granik@alvar0hurtad0, nice catch, thanks! I removed this return statement as it's not needed at all here. Just checked with codesniffer and there are still no warnings.
https://git.drupalcode.org/project/file_rename/-/commit/80cc232e6236c8ff...
Comment #15
alvar0hurtad0Great @granik
Comment #16
avpadernoThank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the Slack #contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank all the reviewers.
Comment #17
avpadernoComment #18
klausiCongrats granik, happy to see this one approved!