3 namespace Drupal\security_review\Checks;
5 use Drupal\Core\Entity\FieldableEntityInterface;
6 use Drupal\Core\TypedData\TypedDataInterface;
7 use Drupal\security_review\Check;
8 use Drupal\security_review\CheckResult;
9 use Drupal\text\Plugin\Field\FieldType\TextItemBase;
12 * Checks for Javascript and PHP in submitted content.
14 class Field extends Check {
/**
 * Returns the namespace string this check is grouped under.
 *
 * @return string
 *   Always 'Security Review'.
 */
19 public function getNamespace() {
20 return 'Security Review';
26 public function getTitle() {
33 public function getMachineTitle() {
/**
 * Scans the text-field content of every loaded entity for dangerous tags.
 *
 * Loads all entities of every entity type, collects their TextItemBase field
 * items, and records a finding whenever a string property contains one of
 * the literal "<" . $tag prefixes listed in $tags.
 *
 * @return \Drupal\security_review\CheckResult
 *   SUCCESS when nothing was found; otherwise FAIL with findings keyed by
 *   entity type id, entity id and field label, each holding the names of the
 *   vulnerabilities hit.
 */
40 public function run() {
41 $result = CheckResult::SUCCESS;
// Vulnerability name => tag name; a hit is the literal '<' . $tag prefix.
45 'Javascript' => 'script',
49 // Load all of the entities.
// NOTE(review): loading every entity of every type into memory at once can
// exhaust memory or time out on large sites — consider batching.
51 $bundle_info = $this->entityManager()->getAllBundleInfo();
52 foreach ($bundle_info as $entity_type_id => $bundles) {
53 $current = $this->entityManager()
54 ->getStorage($entity_type_id)
// array_merge() inside the loop re-copies the accumulated list each time.
56 $entities = array_merge($entities, $current);
59 // Search for text fields.
61 foreach ($entities as $entity) {
62 if ($entity instanceof FieldableEntityInterface) {
63 /** @var FieldableEntityInterface $entity */
64 foreach ($entity->getFields() as $field_list) {
65 foreach ($field_list as $field_item) {
66 if ($field_item instanceof TextItemBase) {
67 /** @var TextItemBase $field_item */
69 $text_items[] = $field_item;
76 // Scan the text items for vulnerabilities.
77 foreach ($text_items as $item) {
78 $entity = $item->getEntity();
79 foreach ($item->getProperties() as $property) {
80 /** @var TypedDataInterface $property */
81 $value = $property->getValue();
// Non-string properties are skipped.
82 if (is_string($value)) {
// Findings are keyed by the field's label, so two fields on one entity that
// share a label collapse into a single entry.
// NOTE(review): getLabel() may return a TranslatableMarkup object for base
// fields, which is not usable as an array key below without a string cast —
// confirm against the field definitions this runs on.
83 $field_name = $item->getFieldDefinition()->getLabel();
84 foreach ($tags as $vulnerability => $tag) {
// NOTE(review): strpos() is a case-sensitive byte search, so a tag written in
// a different case is not reported; stripos() would close that detection gap.
85 if (strpos($value, '<' . $tag) !== FALSE) {
86 // Vulnerability found.
87 $findings[$entity->getEntityTypeId()][$entity->id()][$field_name][] = $vulnerability;
94 if (!empty($findings)) {
95 $result = CheckResult::FAIL;
98 return $this->createResult($result, $findings);
/**
 * Returns the help text for this check.
 *
 * @return array
 *   A 'check_help' render array with a title and one paragraph.
 */
104 public function help() {
106 $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.');
109 '#theme' => 'check_help',
110 '#title' => $this->t('Dangerous tags in content'),
111 '#paragraphs' => $paragraphs,
/**
 * Builds the HTML evaluation of a result produced by run().
 *
 * @param \Drupal\security_review\CheckResult $result
 *   The result whose findings() array is keyed by entity type id, entity id
 *   and field label, each holding vulnerability names.
 *
 * @return array
 *   A 'check_evaluation' render array with one paragraph per affected field.
 */
118 public function evaluate(CheckResult $result) {
119 $findings = $result->findings();
// The handling of the empty case is not part of this excerpt.
120 if (empty($findings)) {
125 $paragraphs[] = $this->t('The following items potentially have dangerous tags.');
128 foreach ($findings as $entity_type_id => $entities) {
129 foreach ($entities as $entity_id => $fields) {
// NOTE(review): the entity is re-loaded from storage here; if it was deleted
// after run() executed, the load presumably yields NULL and the toUrl() calls
// below would fail — confirm and guard.
130 $entity = $this->entityManager()
131 ->getStorage($entity_type_id)
134 foreach ($fields as $field => $finding) {
// Prefer the edit-form link; the canonical URL is the fallback.
135 $url = $entity->toUrl('edit-form');
137 $url = $entity->toUrl();
// '@' placeholders are HTML-escaped and ':url' is URL-sanitized by t(), so the
// entity label and field name cannot inject markup; the <em>/<a> tags come
// only from this trusted source string.
140 '@vulnerabilities found in <em>@field</em> field of <a href=":url">@label</a>',
142 '@vulnerabilities' => implode(' and ', $finding),
144 '@label' => $entity->label(),
145 ':url' => $url->toString(),
153 '#theme' => 'check_evaluation',
154 '#paragraphs' => $paragraphs,
/**
 * Builds the plain-text evaluation of a result produced by run().
 *
 * Walks the same findings structure as evaluate(), appending one
 * tab-indented line per affected field to $output.
 *
 * @param \Drupal\security_review\CheckResult $result
 *   The result whose findings() array is keyed by entity type id, entity id
 *   and field label, each holding vulnerability names.
 */
162 public function evaluatePlain(CheckResult $result) {
163 $findings = $result->findings();
// The handling of the empty case is not part of this excerpt.
164 if (empty($findings)) {
169 foreach ($findings as $entity_type_id => $entities) {
170 foreach ($entities as $entity_id => $fields) {
// NOTE(review): same re-load as in evaluate(); an entity deleted after run()
// presumably loads as NULL and would break the toUrl() calls below — confirm.
171 $entity = $this->entityManager()
172 ->getStorage($entity_type_id)
175 foreach ($fields as $field => $finding) {
// Prefer the edit-form link; the canonical URL is the fallback.
176 $url = $entity->toUrl('edit-form');
178 $url = $entity->toUrl();
// ':link' is URL-sanitized by t(); '@' placeholders are escaped.
180 $output .= "\t" . $this->t(
181 '@vulnerabilities in @field of :link',
183 '@vulnerabilities' => implode(' and ', $finding),
185 ':link' => $url->toString(),
198 public function getMessage($result_const) {
199 switch ($result_const) {
200 case CheckResult::SUCCESS:
201 return $this->t('Dangerous tags were not found in any submitted content (fields).');
203 case CheckResult::FAIL:
204 return $this->t('Dangerous tags were found in submitted content (fields).');
207 return $this->t('Unexpected result.');