Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
13 May 2025 at 09:34 UTC
Updated:
15 Sep 2025 at 05:54 UTC
Comments
Comment #2
avpaderno
Thank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #3
avpaderno
Remember to change status when the project is ready for review, as in this queue Active means "Don't review yet the project I am using for this application."
Comment #4
kul.pratap commented
Comment #5
vishal.kadam
1. FILE: ai_readme_generator.info.yml
package: Custom
This line is used by custom modules created for specific sites. It is not a package name used for projects hosted on drupal.org.
2. FILE: src/Form/GenerateReadmeForm.php
The documentation comment for constructors is not mandatory anymore. If it is given, the description must be “Constructs a new [class name] object”, where [class name] includes the class namespace.
Comment #6
kul.pratap commented
@vishal.kadam Thank you for the review.
I've made the suggested changes.
Kindly have a look and let me know if anything else needs to be updated.
Thanks
Comment #7
vishal.kadam
Rest looks fine to me.
Let’s wait for a Code Review Administrator to take a look and if everything goes fine, you will get the role.
Comment #8
avpaderno
src/Form/GenerateReadmeForm.php
The parent class already defines the $configFactory and the $messenger properties which are initialized using the methods the parent class makes available.
As per coding standards, the if() conditions are written on a single line.
Comment #9
kul.pratap commented
@avpaderno Thank you for the review.
I've made the suggested changes.
Kindly have a look and let me know if anything else needs to be updated.
Thanks.
Comment #10
bigbabert
modules/custom and modules/contrib should not be hardcoded since they can be configured in composer.
Comment #11
kul.pratap commented
@bigbabert Thanks for the suggestion.
But I think it would become too complex if we had to read the main project composer.json file to determine the custom and the contrib folders.
So I updated the GenerateReadmeForm and ReadmeGeneratorCommands to use a reliable method for collecting only top-level custom and contrib modules using ExtensionDiscovery.
src/Form/GenerateReadmeForm.php
ReadmeGeneratorCommands
Please review the above code. If it's correct, I will update it in the module.
Comment #12
bigbabert
Have a look at this API documentation; it might be helpful. It is not so complex, and you don't have to read from the composer installer: https://www.drupal.org/node/2940438
Comment #13
bigbabert
I've also tried to install the module with composer in a fresh Drupal 11 instance and get the following error; don't think that module will not support upcoming versions of openai-php/client:
Comment #14
vishal.kadam
This is not an issue created in a project queue.
Comments in this queue are required to review the project files and report what needs to be changed. We do not debug projects.
Comment #15
bigbabert
Hi @vishal.kadam,
I assume that the test should also cover that the submitted module is installable and compatible with the version declared as supported by the module? Is that not part of the review?
e.g. Works with Drupal: ^10 || ^11
So if the module has composer dependencies, this also should be managed per the compatibility declaration, is that right? Also, I cannot suggest a solution since the locked dependency declaration is on a Packagist module outside drupal.org.
Please correct me if I'm wrong.
Comment #16
vishal.kadam
The error you shared is related to the overall Composer setup of the project, not an issue with the module itself. The PHP library dependency is correctly defined in the module’s composer.json.
As part of the review, we check that the code follows Drupal standards, uses the Drupal API properly, and is compatible with supported Drupal versions. In this case, everything looks fine from the review side.
Comment #17
bigbabert
I don't understand how you can say that there isn't a compatibility issue if the module asks for a dependency older than the current one supported in Drupal 11 for openai-php/client, and I also don't understand how it can be judged best practice to scan the file system to get the Drupal module path instead of using the Drupal API as per comment #12.
Comment #18
kul.pratap commented
@bigbabert Thank you for your suggestions,
But the ExtensionDiscovery service scans the entire filesystem and returns all available modules—whether enabled or disabled—including core, contributed, and custom modules. This makes it ideal for use cases requiring a comprehensive list of modules. In contrast, extension.list.module (or ModuleExtensionList) only lists currently installed and enabled modules, better suited for runtime logic such as plugin management or routing requiring active modules.
In my module, users can generate README files even for disabled modules, so we use ExtensionDiscovery to ensure those modules are included in the selection list. Additionally, we exclude modules located under core/modules to avoid cluttering the list with core system modules not relevant for README generation. Using ExtensionDiscovery allows us to provide a more complete and relevant module list for our use case, while extension.list.module would restrict us to only enabled modules and miss disabled but potentially important modules.
Also, the module is installing fine on my Drupal 11 fresh site. I have attached a video for reference.
Thank you.
Comment #19
bigbabert
Hi @kul.pratap, can you check the minimum stability in your composer? Have you installed the drupal/ai module? I've tried to install on DrupalCMS, but this seems not to be a relevant issue for that review.
Are you sure that $this->moduleHandler->moduleExists('block_content') looks only for enabled modules? I'm quite sure that it returns true if the module is in the core/contrib/custom module folder. Then you can also get the path of a disabled module. The first method returns the module list service (\Drupal::service('extension.list.module')). The second method returns the module path for the given module name (\Drupal::service('extension.list.module')->getPath($module_name)).
I see the issue: you need to get also disabled modules, which are not returned, I've verified, with $this->moduleHandler->moduleExists('block_content').
You would use \Drupal::service('extension.list.module')->getList(); that returns also disabled modules. Screenshot here, e.g. I don't have the ai module enabled
I add also that there isn't input sanitization here for example:
$config = $this->configFactory->get('ai_readme_generator.settings')->get();
$apiKey = $config['api_key'] ?? NULL;
The above code also doesn't reflect best practice for Drupal: you should not use $config as an array; you can get the config value with $config->get('api_key')
or here:
$module_name = $form_state->getValue('module_name');
These are just examples; user inputs in Drupal should always be validated to avoid injections:
https://www.drupal.org/docs/administering-a-drupal-site/security-in-drup...
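Added example, not part of the thread and not code from the ai_readme_generator module: one way to check a submitted `module_name` value against the set of discovered modules before using it to build a README path. The function name `resolve_readme_path()` and the `$known_modules` map are hypothetical; the map stands in for a name => path list that a module could build from `\Drupal::service('extension.list.module')->getList()`.

```php
<?php
// Added example (plain PHP 8, runs without Drupal). All names are hypothetical.

/**
 * Returns the README path for a submitted module name, or NULL if rejected.
 */
function resolve_readme_path(mixed $submitted, array $known_modules): ?string {
  // Form values can be arrays or NULL; only a string can be a machine name.
  if (!is_string($submitted)) {
    return NULL;
  }
  // Module machine names: a lowercase letter, then letters, digits, underscores.
  // \A and \z anchor the whole string, so a trailing newline is rejected too.
  if (preg_match('/\A[a-z][a-z0-9_]*\z/', $submitted) !== 1) {
    return NULL;
  }
  // Allowlist: the name must be one of the discovered modules.
  if (!array_key_exists($submitted, $known_modules)) {
    return NULL;
  }
  $path = $known_modules[$submitted];
  // Core modules are excluded from README generation, as described in the thread.
  if (str_starts_with($path, 'core/')) {
    return NULL;
  }
  // The path comes from the trusted map, never from the submitted string.
  return $path . '/README.md';
}

// Constructed sample data, not taken from a real site.
$known_modules = [
  'block_content' => 'core/modules/block_content',
  'ai_readme_generator' => 'modules/contrib/ai_readme_generator',
  'my_site_tools' => 'modules/custom/my_site_tools',
];

$inputs = ['my_site_tools', 'block_content', '../../sites/default', ['x'], "ai_readme_generator\n", 'unknown_mod'];
foreach ($inputs as $input) {
  $result = resolve_readme_path($input, $known_modules);
  printf("%-28s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $result ?? 'rejected');
}
```

Only `my_site_tools` resolves to a path; the core module, the traversal string, the array value, the newline-suffixed name and the unknown name are all rejected.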
Comment #20
bigbabert
Comment #21
bigbabert
Just reviewing the code that you pasted above:
The $readme_path variable in PHP in this way will be printed as a string with value: $readme_path, not sure if it is expected behavior, I see the same issue repeated
Also:
It is not best practice to concatenate HTML tags with strings.
Comment #22
avpaderno
That is not true. Supposing that $readme_path contains 'path', the output of "✅ README.md generated at: $readme_path" would be "✅ README.md generated at: path".
That is not true.
Such simple strings can contain XML/HTML markup. If it were a more complex, dynamic, string, it could be replaced by a render array or created using a theme hook.
In the case of translatable string, HTML markup is allowed, even if it is suggested to reduce that to the minimum.
Comment #23
bigbabert
Oh, I was not aware; always used to concatenate with {} variable inside string, good to know.
Still, there is other pending feedback; I'll summarize here:
You would use \Drupal::service('extension.list.module')->getList(); that returns also disabled modules. Screenshot here, e.g. I don't have the ai module enabled
I add also that there isn't input sanitization here for example:
$config = $this->configFactory->get('ai_readme_generator.settings')->get();
$apiKey = $config['api_key'] ?? NULL;
The above code also doesn't reflect best practice for Drupal: you should not use $config as an array; you can get the config value with $config->get('api_key')
or here:
$module_name = $form_state->getValue('module_name');
composer minimum stability concern for stable module
Thanks
Comment #24
avpaderno
Sanitization is done when user-entered input is rendered in a page; in other cases, it is not done.
Comment #25
kul.pratap commented
@avpaderno, since you haven't suggested any changes for now, everything looks good?
Comment #26
kul.pratap commented
@avpaderno So, shall we move forward?
Comment #27
avpaderno
Thank you for your contribution and for your patience with the review process!
I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.
These are some recommended readings to help you with maintainership:
You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank also all the reviewers for helping with these applications.
Comment #28
avpaderno
Comment #29
kul.pratap commented
Thanks to all reviewers.