Problem/Motivation

Drupal FIT currently does not detect suspicious or unsafe routes in the menu/router system, which can allow malicious or misconfigured entries to expose admin paths or execute insecure callbacks without proper access control.

Steps to reproduce

Proposed resolution

Add a new Security FitCheck plugin MenuRouterMaliciousEntryCheck that:

  • Scans all routes/menu entries for unsafe patterns, such as admin-style paths exposed to non-admin roles or routes without proper access checks.
  • Flags any potentially malicious or misconfigured entries with a default FitWeight::High, and escalates to FitWeight::Critical when an exposed route grants access to clearly sensitive/admin functionality.
  • Reports the affected routes in the FitResult so site owners can review, tighten access, or remove the problematic entries.

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork drupalfit-3558965

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

harivansh created an issue. See original summary.

harivansh’s picture

Issue summary: View changes
harivansh’s picture

Issue summary: View changes
harivansh’s picture

shubham.prakash made their first commit to this issue’s fork.

shubham.prakash’s picture

Status: Active » Needs review

harivansh’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

harivansh’s picture

Status: Fixed » Closed (fixed)