Problem/Motivation

In this Drupal application, the Composer vendor directory may be located inside the publicly accessible webroot, which can expose library source code and tooling to direct HTTP access and increase the risk of information disclosure or exploitation.

Steps to reproduce

Proposed resolution

Add a new Security FitCheck plugin VendorDirectoryOutsideWebrootCheck that:

  • Determines the webroot path and the current location of the vendor directory for the Drupal installation.
  • Fails with FitWeight::High if vendor is inside the webroot (or otherwise directly web-accessible), and passes with FitWeight::Ok when it is outside or properly protected.
  • Outputs a short help message recommending moving vendor outside the webroot or blocking HTTP access to it at the server level.

Remaining tasks

User interface changes

API changes

Data model changes

CommentFileSizeAuthor
#4 3558970-4.patch5.98 KBshubham.prakash

Issue fork drupalfit-3558970

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

harivansh created an issue. See original summary.

harivansh’s picture

Issue summary: View changes
shubham.prakash’s picture

Assigned: Unassigned » shubham.prakash
shubham.prakash’s picture

Assigned: shubham.prakash » Unassigned
Status: Active » Needs review
StatusFileSize
new5.98 KB

harivansh’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

harivansh’s picture

Status: Fixed » Closed (fixed)