3 namespace Drupal\security_review\Checks;
5 use Drupal\Core\Entity\Entity;
6 use Drupal\Core\Entity\Exception\UndefinedLinkTemplateException;
7 use Drupal\field\Entity\FieldStorageConfig;
8 use Drupal\security_review\Check;
9 use Drupal\security_review\CheckResult;
12 * Checks stored field content for JavaScript (`<script`) and PHP tags.
14 class Field extends Check {
19 public function getNamespace() {
  // Namespace under which this check is listed in the Security Review UI.
20 return 'Security Review';
  // Human-readable title of the check (body continues in lines not shown).
26 public function getTitle() {
  // Machine name of the check (body continues in lines not shown).
33 public function getMachineTitle() {
40 public function run() {
  // Scans the stored values of text-type fields for a "<" followed by one of
  // the tag names in $tags and records every entity/field hit as a finding.
  // This is a heuristic content scan, not a sanitizer: the comparison below
  // is a literal, case-sensitive prefix match, so `<SCRIPT`, `<Script`, or
  // dangerous markup that does not start with a listed tag name (for example
  // `<img onerror=...>`, `<svg onload=...>`, `<iframe>`) is not detected.
  //
  // Returns a CheckResult: SUCCESS when nothing matched, FAIL otherwise, with
  // $findings attached in the shape [entity_type][entity_id][field][] => name.
41 $result = CheckResult::SUCCESS;
  // $field_types and $tags are built in lines not shown here; only the
  // 'Javascript' => 'script' entry is visible. The class comment says PHP is
  // covered too, presumably via a PHP open-tag entry -- TODO confirm.
49 'Javascript' => 'script',
53 /** @var \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager */
54 $entity_type_manager = \Drupal::service('entity_type.manager');
55 /** @var \Drupal\Core\Entity\EntityFieldManagerInterface $field_manager */
56 $field_manager = \Drupal::service('entity_field.manager');
  // Walk every field of every entity type known to the field map.
57 foreach ($field_manager->getFieldMap() as $entity_type_id => $fields) {
58 $field_storage_definitions = $field_manager->getFieldStorageDefinitions($entity_type_id);
59 foreach ($fields as $field_name => $field) {
  // Fields without a storage definition cannot be queried; the body of this
  // guard (presumably a `continue`) is in lines not shown.
60 if (!isset($field_storage_definitions[$field_name])) {
63 $field_storage_definition = $field_storage_definitions[$field_name];
  // NOTE(review): non-strict in_array() on field type strings; passing
  // strict TRUE would be the idiomatic form and changes nothing for strings.
64 if (in_array($field_storage_definition->getType(), $field_types)) {
  // Configurable fields live in a dedicated {entity_type}__{field_name}
  // table; base fields live in the entity's {entity_type}_field_data table.
  // Only these current-value tables are queried, so older revisions of the
  // content do not appear to be scanned -- verify against the full method.
65 if ($field_storage_definition instanceof FieldStorageConfig) {
66 $table = $entity_type_id . '__' . $field_name;
  // The else branch (and the $separator assignment used below) is in lines
  // not shown.
71 $table = $entity_type_id . '_field_data';
  // Entity ID key, used to attribute each matching row to its entity.
73 $id = $entity_type_manager->getDefinition($entity_type_id)->getKey('id');
  // The table name is derived from entity-type and field identifiers taken
  // from configuration, not from request input; the selected columns and
  // conditions are in lines not shown.
75 $rows = \Drupal::database()->select($table, 't')
79 foreach ($rows as $row) {
  // Check every storage column of the field (e.g. value, summary, format).
80 foreach (array_keys($field_storage_definition->getSchema()['columns']) as $column) {
81 $column_name = $field_name . $separator . $column;
82 foreach ($tags as $vulnerability => $tag) {
  // NOTE(review): strpos() is case-sensitive, so a mixed-case tag name
  // bypasses this check; stripos() would close that gap. The column value
  // can also be NULL for empty rows, and strpos(NULL, ...) is deprecated as
  // of PHP 8.1 -- coerce with (string) or `?? ''` before matching.
83 if (strpos($row->{$column_name}, '<' . $tag) !== FALSE) {
  // Suspicious tag found: record the finding under the entity and field.
  // The same field may be recorded once per matching tag name.
85 $findings[$entity_type_id][$row->{$id}][$field_name][] = $vulnerability;
  // Any finding at all fails the check; $findings is presumably initialised
  // to an empty array in lines not shown.
94 if (!empty($findings)) {
95 $result = CheckResult::FAIL;
98 return $this->createResult($result, $findings);
104 public function help() {
  // Renders the static help text shown for this check in the UI. The text
  // is passed through t() and rendered via the 'check_help' theme hook.
106 $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.');
109 '#theme' => 'check_help',
110 '#title' => $this->t('Dangerous tags in content'),
111 '#paragraphs' => $paragraphs,
118 public function evaluate(CheckResult $result) {
  // Builds the HTML evaluation for a FAIL result: one line per affected
  // field, linking to the entity that holds the suspicious content.
  //
  // Findings are expected in the shape produced by run():
  // [entity_type][entity_id][field][] => vulnerability name.
119 $findings = $result->findings();
  // Nothing to report; the early return is in lines not shown.
120 if (empty($findings)) {
125 $paragraphs[] = $this->t('The following items potentially have dangerous tags.');
128 foreach ($findings as $entity_type_id => $entities) {
129 foreach ($entities as $entity_id => $fields) {
  // NOTE(review): the load call continues in lines not shown. If the entity
  // was deleted after the check ran, the loaded value would be NULL and
  // $entity->label() below would fatal -- confirm a NULL guard exists.
130 $entity = $this->entityManager()
131 ->getStorage($entity_type_id)
134 foreach ($fields as $field => $finding) {
  // '@' placeholders are escaped by t(); ':url' is Drupal's URL-context
  // placeholder. getEntityLink() may fall back to a "type:id" string that is
  // not a URL, in which case the rendered href is not a usable link.
136 '@vulnerabilities found in <em>@field</em> field of <a href=":url">@label</a>',
138 '@vulnerabilities' => implode(' and ', $finding),
140 '@label' => $entity->label(),
141 ':url' => $this->getEntityLink($entity),
149 '#theme' => 'check_evaluation',
150 '#paragraphs' => $paragraphs,
156 * Attempt to get a good link for the given entity.
158 * Falls back on a string with entity type id and id if no good link can
161 * @param \Drupal\Core\Entity\Entity $entity
 *
 * NOTE(review): the parameter is typed against the concrete Entity base
 * class rather than EntityInterface; entities loaded from storage that do
 * not extend that class would trigger a TypeError here -- verify callers.
166 protected function getEntityLink(Entity $entity) {
  // Prefer the edit form, since that is where the content can be fixed.
168 $url = $entity->toUrl('edit-form');
  // No edit-form link template for this entity type: try the canonical URL.
170 catch (UndefinedLinkTemplateException $e) {
175 $url = $entity->toUrl();
  // No canonical link either; $url is presumably left NULL (initialised in
  // lines not shown) so the fallback string below is used.
177 catch (UndefinedLinkTemplateException $e) {
  // Returns a URL string, or "type:id" when no link template is available.
182 return $url !== NULL ? $url->toString() : ($entity->getEntityTypeId() . ':' . $entity->id());
188 public function evaluatePlain(CheckResult $result) {
  // Plain-text counterpart of evaluate(), used for non-HTML output (e.g.
  // CLI). Lists every affected field with its entity link on its own line.
189 $findings = $result->findings();
  // Nothing to report; the early return and $output initialisation are in
  // lines not shown.
190 if (empty($findings)) {
195 foreach ($findings as $entity_type_id => $entities) {
196 foreach ($entities as $entity_id => $fields) {
  // NOTE(review): as in evaluate(), the loaded entity may be NULL if it was
  // deleted after the check ran -- confirm a guard exists in the lines not
  // shown before $entity is used.
197 $entity = $this->entityManager()
198 ->getStorage($entity_type_id)
201 foreach ($fields as $field => $finding) {
  // ':link' is Drupal's URL-context placeholder; getEntityLink() may return a
  // "type:id" fallback string rather than a URL.
202 $output .= "\t" . $this->t(
203 '@vulnerabilities in @field of :link',
205 '@vulnerabilities' => implode(' and ', $finding),
207 ':link' => $this->getEntityLink($entity),
220 public function getMessage($result_const) {
  // Maps a CheckResult constant to the one-line summary shown for this check.
  // Any constant other than SUCCESS or FAIL yields the generic fallback text.
221 switch ($result_const) {
222 case CheckResult::SUCCESS:
223 return $this->t('Dangerous tags were not found in any submitted content (fields).');
225 case CheckResult::FAIL:
226 return $this->t('Dangerous tags were found in submitted content (fields).');
  // Fallback for any other result constant (the default label is in lines
  // not shown).
229 return $this->t('Unexpected result.');