5 * Contains \Drupal\security_review\Checks\Field.
8 namespace Drupal\security_review\Checks;
10 use Drupal\Core\Entity\Entity;
11 use Drupal\Core\Entity\FieldableEntityInterface;
12 use Drupal\Core\TypedData\TypedDataInterface;
13 use Drupal\security_review\Check;
14 use Drupal\security_review\CheckResult;
15 use Drupal\text\Plugin\Field\FieldType\TextItemBase;
18 * Checks for Javascript and PHP in submitted content.
20 class Field extends Check {
25 public function getNamespace() {
26 return 'Security Review';
32 public function getTitle() {
39 public function getMachineTitle() {
46 public function run() {
47 $result = CheckResult::SUCCESS;
51 'Javascript' => 'script',
55 // Load all of the entities.
57 $bundle_info = $this->entityManager()->getAllBundleInfo();
58 foreach ($bundle_info as $entity_type_id => $bundles) {
59 $current = $this->entityManager()
60 ->getStorage($entity_type_id)
62 $entities = array_merge($entities, $current);
65 // Search for text fields.
67 foreach ($entities as $entity) {
68 if ($entity instanceof FieldableEntityInterface) {
69 /** @var FieldableEntityInterface $entity */
70 foreach ($entity->getFields() as $field_list) {
71 foreach ($field_list as $field_item) {
72 if ($field_item instanceof TextItemBase) {
73 /** @var TextItemBase $item */
75 $text_items[] = $field_item;
82 // Scan the text items for vulnerabilities.
83 foreach ($text_items as $item) {
84 $entity = $item->getEntity();
85 foreach ($item->getProperties() as $property) {
86 /** @var TypedDataInterface $property */
87 $value = $property->getValue();
88 if (is_string($value)) {
89 $field_name = $item->getFieldDefinition()->getLabel();
90 foreach ($tags as $vulnerability => $tag) {
91 if (strpos($value, '<' . $tag) !== FALSE) {
92 // Vulnerability found.
93 $findings[$entity->getEntityTypeId()][$entity->id()][$field_name][] = $vulnerability;
100 if (!empty($findings)) {
101 $result = CheckResult::FAIL;
104 return $this->createResult($result, $findings);
110 public function help() {
112 $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.');
115 '#theme' => 'check_help',
116 '#title' => $this->t('Dangerous tags in content'),
117 '#paragraphs' => $paragraphs,
124 public function evaluate(CheckResult $result) {
125 $findings = $result->findings();
126 if (empty($findings)) {
131 $paragraphs[] = $this->t('The following items potentially have dangerous tags.');
134 foreach ($findings as $entity_type_id => $entities) {
135 foreach ($entities as $entity_id => $fields) {
136 $entity = $this->entityManager()
137 ->getStorage($entity_type_id)
140 foreach ($fields as $field => $finding) {
141 $url = $entity->toUrl('edit-form')->toString();
143 $url = $entity->toUrl()->toString();
146 '@vulnerabilities found in <em>@field</em> field of <a href=":url">@label</a>',
148 '@vulnerabilities' => implode(' and ', $finding),
150 '@label' => $entity->label(),
159 '#theme' => 'check_evaluation',
160 '#paragraphs' => $paragraphs,
168 public function evaluatePlain(CheckResult $result) {
169 $findings = $result->findings();
170 if (empty($findings)) {
175 foreach ($findings as $entity_type_id => $entities) {
176 foreach ($entities as $entity_id => $fields) {
177 $entity = $this->entityManager()
178 ->getStorage($entity_type_id)
181 foreach ($fields as $field => $finding) {
182 $url = $entity->urlInfo('edit-form');
184 $url = $entity->url();
186 $output .= "\t" . $this->t(
187 '@vulnerabilities in @field of :link',
189 '@vulnerabilities' => implode(' and ', $finding),
191 ':link' => $url->toString(),
204 public function getMessage($result_const) {
205 switch ($result_const) {
206 case CheckResult::SUCCESS:
207 return $this->t('Dangerous tags were not found in any submitted content (fields).');
209 case CheckResult::FAIL:
210 return $this->t('Dangerous tags were found in submitted content (fields).');
213 return $this->t('Unexpected result.');