Problem/Motivation
If I try to use any url token in an email handler while a webform is configured to not save results, then an exception is thrown:
Drupal\Core\Entity\EntityMalformedException: The "webform_submission" entity cannot have a URI as it does not have an ID in Drupal\Core\Entity\EntityBase->toUrl() (line 161 of /var/www/html/web/core/lib/Drupal/Core/Entity/EntityBase.php).
Steps to reproduce
Use a token such as [webform_workflow:transition-url:?:unaliased] on a handler on a form which is configured not to save submissions and submit the form.
Proposed resolution
I know this is not a real-life situation because workflows cannot be used if the submissions are not saved, but it was mentioned in a security audit and provides (in theory) an attack vector for a malicious user. A simple check and failing silently will prevent the exception from being thrown. Added logging will help the site builder to solve the problem.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | prevent-exception-3556600-3.patch | 1.41 KB | merilainen |
Issue fork webform_workflows_element-3556600
Comments
Comment #3
merilainen commented: MR created, patch provided for composer.
Comment #4
mably commented: @merilainen could you please share a few more details on how to reproduce the issue?
I would like to test the MR before merging. Thanks.
Comment #5
merilainen commented: I have written in the ticket description:
"Use a token such as [webform_workflow:transition-url:?:unaliased] on a handler on a form which is configured not to save submissions and submit the form."
So if you configure "Disable saving of submissions" in the form settings and then go and add an email handler, for example, which will try to use a webform_workflow URL token such as [webform_workflow:transition-url:?:unaliased], this will produce an error because the entity is not created and thus a URL cannot be provided for the submission. So this is an incorrect configuration, but it causes an exception which a malicious user could use to break a site.
Comment #6
mably commented: @merilainen thanks for your comment, I've been able to reproduce the problem locally.
Looks like we might still want to generate URL for old existing submissions even after having disabled submission saving at the webform level.
Maybe we could simply disable URL token processing if the submission has no id?
We could do something like this (MR 41):
This solution doesn't replace the tokens, but it's probably better than hiding the problem in empty urls or link hrefs.
We could also simply disable the links but still display the corresponding labels as plain text for the transition-link token.
What do you think?
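As an illustration of the guard discussed above, here is an added example that is not the module's MR or the patch from this issue: a hook_tokens() implementation for a hypothetical module "mymodule" providing a hypothetical [webform_submission:example-url] token. It checks isNew() before calling toUrl(), so an unsaved submission (saving disabled, or not yet persisted) never reaches the code path that throws EntityMalformedException, and it logs a warning so the site builder can find the misconfigured handler.

```php
<?php

/**
 * @file
 * Example only (not the webform_workflows_element MR): guard a URL token
 * against unsaved webform submissions. Module and token names are hypothetical.
 */

use Drupal\Core\Render\BubbleableMetadata;
use Drupal\webform\WebformSubmissionInterface;

/**
 * Implements hook_tokens().
 */
function mymodule_tokens($type, $tokens, array $data, array $options, BubbleableMetadata $bubbleable_metadata) {
  $replacements = [];
  if ($type !== 'webform_submission' || empty($data['webform_submission'])) {
    return $replacements;
  }
  $submission = $data['webform_submission'];
  if (!$submission instanceof WebformSubmissionInterface) {
    return $replacements;
  }

  foreach ($tokens as $name => $original) {
    // Only the hypothetical example-url token is handled here.
    if ($name !== 'example-url') {
      continue;
    }

    // A submission without an ID cannot have a URI: EntityBase::toUrl() throws
    // EntityMalformedException. Fail closed with an empty replacement and log
    // enough context to locate the misconfigured webform/handler.
    if ($submission->isNew()) {
      \Drupal::logger('mymodule')->warning(
        'Token [webform_submission:@token] skipped: submission of webform @webform has no ID. Is "Disable saving of submissions" enabled?',
        [
          '@token' => $name,
          '@webform' => $submission->getWebform()->id(),
        ]
      );
      $replacements[$original] = '';
      continue;
    }

    // Saved submission: safe to build the canonical URL.
    $url = $submission->toUrl('canonical', ['absolute' => TRUE]);
    $replacements[$original] = $url->toString();
  }

  return $replacements;
}
```

Returning an empty string (the "silently failing" approach from the issue summary) keeps the email renderable; leaving the token unreplaced, as comment #6 proposes, is the other option and only differs in what ends up in the message body. The logging is what makes either choice diagnosable.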
Comment #8
mably commented