Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
26 Jan 2026 at 10:28 UTC
Updated:
25 May 2026 at 11:10 UTC
Jump to comment: Most recent
Comments
Comment #2
vishal.kadamComment #3
avpadernoThank you for applying!
Before giving links helpful to understand how the review process works, what to expect from a review, and what to do to avoid a review takes more time than needed, I would like to thank all the reviewers for the work they do.
These applications are volunters-driven, which also means it is not possible to predict when an application will be marked fixed and the applicant will get the permission to opt projects into security advisory policy. While we aim to make an application as quick as possible, it is also important for us that more people review the project used for an application. In this way, we make sure applications do not miss some important points that should be instead reported.
Applications are not meant to be complete debugging sessions that eliminate every existing bug, though. I apologize if sometimes applications seem to go into too-detailed reviews.
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #4
avpadernoRemember to change status, when the project is ready for review, as in this queue Active means Don't review yet the project I am using for this application.
Comment #5
tleuillier commentedComment #6
vishal.kadam1. main is acceptable as branch name, but it is not yet fully supported on drupal.org. For the moment, it is better to avoid it.
2. FILE: README.md
The README file is missing the required sections - Requirements, Installation, and Configuration.
3. FILE: composer.json
It is also not necessary to add the Drupal core requirements in the composer.json file: The Drupal.org Composer façade will add them from the .info.yml file.
4. FILE: status_block.module
The module name in the description is wrong. It should be the name of the module given in .info.yml file.
5. FILE: src/Plugin/Block/StatusBlock.php
FILE: src/Plugin/StatusBlockData/CurrentTheme.php
New modules, which are compatible with Drupal 10 and higher versions are expected to include type declarations in property definitions, and use constructor property promotion.
Comment #7
tleuillier commentedThanks for your review. The changes were made in the branch "1.0.x".
1. Branch Main has been deleted.
5. I did the changes. But I would like some clarification on the naming conventions for class properties. As it was in constructor with properties of the parent class, I use snake case for the properties for consistency. However, naming conventions specify that camel case should be used for class properties. And, so, I use camel case when I use constructor property promotion, which leads to inconsistency between classes (that's why I didn't use constructor property promotion when I should give params to the parent constructor).
What's the right thing to do? Do I have to use parent properties in snake case and class properties in camel case in the same constructor? Or do I have to use snake case for child class properties ?
Comment #8
bbu23Hi @tleuillier,
You should use camel case for properties, to comply with Drupal's coding standards. Like so:
Use property promotion with camelCase even when it creates visual inconsistency with parent parameters. The inconsistency is a temporary artifact of Drupal's evolution, and your code should follow current standards, not legacy patterns.
The visual inconsistency isn't your fault, and it's perfectly fine. It aligns with the coding standards.
Comment #9
bbu23Comment #10
tleuillier commentedOk. Thank you for the explanation.
The changes have been pushed.
Comment #11
oivanov commentedI reviewed the 1.0.x branch of status_block (commit 8f5126a).
Previous reviewer issues
- Branch naming (1.0.x): Fixed.
- README sections: Fixed.
- composer.json core requirement removed: Fixed.
- Module docblock: Fixed.
- camelCase promoted properties (Comment #8): Not fully fixed -- `$theme_handler` and `$theme_manager` in `CurrentTheme.php` (lines 43-44) are still snake_case. Also `$display_label` in `StatusBlockData.php` (line 17).
Security issues
1. No access control on the block (`StatusBlock.php` lines 68-69): `blockAccess()` checks for entity_browser routes but has no permission check. The block exposes Drupal version, environment name, and active theme to any user who can view the region, including anonymous users. Should require a permission like `administer site configuration` or a custom permission.
2. Unguarded `$_ENV` access (`StatusBlock.php` line 179, `Environment.php` line 39): `$_ENV[$env_name]` will throw a PHP warning if the environment variable is not set. Most sites won't have the expected variable. Should use `$_ENV[$env_name] ?? ''`.
3. Unsanitized CSS class from environment variable (`StatusBlock.php` line 188): The raw `$_ENV` value is concatenated into a CSS class (`'status-env-' . $env`). Should use `Html::cleanCssIdentifier()`.
Bugs
4. Double hook_help on Drupal 11 (`status_block.module` line 14 + `Help.php` line 12): Both a procedural hook function AND a `#[Hook('help')]` attribute exist, so the hook fires twice on Drupal 11. Remove one or the other.
5. JavaScript bug (`config.js` line 23): `$rowElement.find('select.group-select').value = elem` sets a property on a jQuery object, not the DOM element. Should be `.val(elem)`. The drag-and-drop group reassignment is non-functional.
6. Missing null checks (`StatusBlock.php` lines 176-178): Code assumes `plugin_order['environment']` always exists in configuration. A freshly placed block with no saved config will throw warnings.
Coding standards
7. Loose comparisons (`==` instead of `===`): `StatusBlock.php` lines 124, 380.
8. Double-quoted array keys: `StatusBlock.php` lines 252, 269, 313.
9. Redundant `use StringTranslationTrait` in `Message.php` line 21 (parent already has it).
10. Missing
</p>tag in `Help.php` line 33. Help text references "StatusBarData" instead of "StatusBlockData" (line 34).11. Attribute placed before docblock in `StatusBlockData.php` (lines 8-9) -- should be after.
12. Missing return type on `DataGroup::getOptions()`.
13. `getCacheMaxAge()` returns 0 -- disabling caching entirely is heavy-handed for mostly static data. Consider cache tags/contexts.
14. README "Community Documentation" section says "To be done soon..." -- should be removed or completed.
The module's architecture (custom plugin system, enum, attributes) is well-designed. Once the security and functional issues are resolved, this would be a good candidate. Setting to Needs work.
Comment #12
bbu23@oivanov since u are using AI to help drafting your feedback, u could at least make an effort to format the output from Markdown to html or plain text so that people can easily read it...
Comment #13
oivanov commentedme personally - I prefer Markdown to everything else, so I make an effort not to have to deal with HTML (definitely) or plain text (when I can).
If markdown is not acceptable - we can add that to the guidance. Let me know if you want me to do that
Comment #14
avpadernoAs a side note: We do not give any guidance about comment format because comments are expected to be formatted here as in any issue queue: HTML or plain text.
Since Markdown markup is not converted to HTML, and HTML is used to render both the comment and the issue page, it is better to stick with HTML or plain text. Otherwise, it happens what happened with point #10 in comment #11, which reads as Missing `` tag. (Yes, a
`character does not escape HTML tags.)Comment #15
oivanov commentedgot it! cleaned up the comment above
Comment #16
tleuillier commentedThank you for your review.
About Point 1 : I understand your point, but I think this is irrelevant as it can be managed in block configuration.
About Point 13 : I understand and I agree with you. I will look into properly integrating a solution in a future version.
The corrections have been made.
Comment #17
oivanov commentedFair point that block visibility can be configured per-role. However, since the block exposes system information (Drupal version, environment, theme) that aids site fingerprinting, a default permission check in blockAccess() would follow the secure-by-default principle.
It's a one-line addition that prevents accidental exposure if an admin places the block without configuring role restrictions.
Comment #18
batigolixHere are a couple more things to work on:
GitLab CI is properly configured with the standard Drupal template, but there are still some warnings. Try to resolve these
(*) Missing permission check in blockAccess() —
StatusBlock.php:69only excludes entity browser routes but performs no permission check. This module displays server environment information (Drupal version, environment variable values, active theme). Without a default permission inblockAccess(), the block relies entirely on placement configuration for access control. A secure-by-default approach would check for a permission likeadminister site configuration. The previous reviewer raised this same concern. See Block API: access control.(*) Unguarded $_ENV access —
StatusBlock.php:182reads$_ENV[$env_name]without a null coalescing fallback. If the configured environment variable does not exist, this triggers a PHP warning and returns null. Notably,Environment.php:39already uses the correct pattern:$_ENV[$env_name] ?? "". Apply the same fix in the block'sbuild()method.(+) Arbitrary environment variable exposure — The
env_namesetting (admin-configurable text field) allows reading any environment variable. An admin could inadvertently exposeDATABASE_URL,APP_SECRET, or similar sensitive values if the block is visible to lower-privileged users. Consider documenting this risk prominently in the form description, or validating against an allowlist.(+) Loose comparison —
StatusBlock.php:384uses==instead of===to compare group values. SinceDataGroupis a string-backed enum, use strict comparison for clarity and correctness.Untranslated string
"Not Found"inVersion.php:29— wrap in$this->t().Also the README could use some attention:
Formatting issues
<ol>,<ul>,<li>) is used instead of Markdown lists. Use dashes (-) for unordered lists and1.for ordered lists.*) for list — use dashes (-) per drupal.org convention.##headings (drupal.org convention).For more info see: drupal.org README template
Comment #19
tleuillier commentedThe corrections have been made. I added a new permission for the block.
Comment #20
derekspringer commentedManual Review
1.0.x.Composer\InstalledVersionswhich is part of Composer's runtime API.view status blockspermission properly gates block access viablockAccess(). Environment variable values are rendered through Twig auto-escaping, and CSS class output usesHtml::cleanCssIdentifier(). One concern remains: the admin-configurableenv_namefield (Environment.php:38) allows reading any$_ENVvariable, and the value is displayed to all users withview status blocks. The inline warning text is a reasonable mitigation for a development-oriented module, but it should be translatable (see #1 below).Environment.php:28-33: The warning message about sensitive data exposure uses raw HTML in#markupwithout$this->t(). Both the<strong>warning and the description paragraph should be wrapped in$this->t()for translation support.StatusBlock.php:182:$this->configuration['plugin_conf']['environment']['env_name']is accessed after checkingisset($this->configuration['plugin_order']['environment']['group']), but there is no check thatplugin_conf.environment.env_nameexists. If the environment plugin is ordered but not yet configured (e.g., imported config or fresh install), this will throw a PHP warning. Use null coalescing or anisset()guard.$_ENVdefault value inconsistency —StatusBlock.php:184falls back to"dev"when the env var is unset, butEnvironment.php:50falls back to"". This means the CSS class showsstatus-env-devwhile the rendered text shows nothing. Use the same default in both places.getCacheMaxAge()returns 0 —StatusBlock.php:79-81: This disables page caching for any page containing the block. Flagged in prior reviews and acknowledged. Consider using cache contexts (e.g.,route) or tags instead of disabling caching entirely, or at minimum document this performance impact in README.declare(strict_types=1)in all module PHP files (onlyGenericTest.phphas it).onceimported but unused inconfig.js:6— the IIFE receivesonceas a parameter but never references it. Remove from the function signature and the argument list.Status: Needs work — Untranslatable strings (#1) and missing null safety (#2) should be addressed.
Comment #21
tleuillier commentedThank you for your review.
I have corrected points #1, #2, #3 and #6.
For point #4, I plan to add it in a future release, with StatusBlock plugins that can modify the block cache values.
Comment #22
avpadernoJust to make clear the point about not duplicating the Drupal core requirements in the composer.json file: Applicants should know that the Drupal.org Composer façade adds the Drupal core requirements for the project when the composer.json file does not contain them. Not repeating them avoids any issue caused by the composer.json file having different Drupal core requirements than the ones contained in the .info.yml file.
I cannot think of any workflow where Composer is not used, given that Composer is required by Drupal core to gather the dependencies it needs. Therefore, I cannot think of any case where the Drupal.org Composer façade is not involved when site builders are requiring the modules necessary for their sites.
(I added the issue tag basing on the review done in the previous comment.)
Comment #23
vishal.kadamI am changing priority as per Issue priorities.
Comment #24
avpadernosrc/Plugin/StatusBlockData/CurrentTheme.php
Since the properties are private, the class itself should be final.
status_block.permissions.yml
There is a typo in the warning for the permission: It should be This permission is dangerous, not This permissions is dangerous.
Comment #25
avpadernoThank you for your contribution and for your patience with the review process!
I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.
These are some recommended readings to help you with maintainership:
You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank also all the reviewers for helping with these applications.
Comment #26
avpaderno