X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs-website;a=blobdiff_plain;f=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FField.php;fp=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FField.php;h=fa0e6e72ded630ac68b8715ba0f4a24490344bb2;hp=0000000000000000000000000000000000000000;hb=74df008bdbb3a11eeea356744f39b802369bda3c;hpb=419f97be044f1aebd0713921ee604841127e9e84
diff --git a/web/modules/contrib/security_review/src/Checks/Field.php b/web/modules/contrib/security_review/src/Checks/Field.php
new file mode 100644
index 000000000..fa0e6e72d
--- /dev/null
+++ b/web/modules/contrib/security_review/src/Checks/Field.php
@@ -0,0 +1,211 @@
+ 'script',
+ 'PHP' => '?php',
+ ];
+
+ // Load all of the entities.
+ $entities = [];
+ $bundle_info = $this->entityManager()->getAllBundleInfo();
+ foreach ($bundle_info as $entity_type_id => $bundles) {
+ $current = $this->entityManager()
+ ->getStorage($entity_type_id)
+ ->loadMultiple();
+ $entities = array_merge($entities, $current);
+ }
+
+ // Search for text fields.
+ $text_items = [];
+ foreach ($entities as $entity) {
+ if ($entity instanceof FieldableEntityInterface) {
+ /** @var FieldableEntityInterface $entity */
+ foreach ($entity->getFields() as $field_list) {
+ foreach ($field_list as $field_item) {
+ if ($field_item instanceof TextItemBase) {
+ /** @var TextItemBase $item */
+ // Text field found.
+ $text_items[] = $field_item;
+ }
+ }
+ }
+ }
+ }
+
+ // Scan the text items for vulnerabilities.
+ foreach ($text_items as $item) {
+ $entity = $item->getEntity();
+ foreach ($item->getProperties() as $property) {
+ /** @var TypedDataInterface $property */
+ $value = $property->getValue();
+ if (is_string($value)) {
+ $field_name = $item->getFieldDefinition()->getLabel();
+ foreach ($tags as $vulnerability => $tag) {
+ if (strpos($value, '<' . $tag) !== FALSE) {
+ // Vulnerability found.
+ $findings[$entity->getEntityTypeId()][$entity->id()][$field_name][] = $vulnerability;
+ }
+ }
+ }
+ }
+ }
+
+ if (!empty($findings)) {
+ $result = CheckResult::FAIL;
+ }
+
+ return $this->createResult($result, $findings);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function help() {
+ $paragraphs = [];
+ $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.');
+
+ return [
+ '#theme' => 'check_help',
+ '#title' => $this->t('Dangerous tags in content'),
+ '#paragraphs' => $paragraphs,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluate(CheckResult $result) {
+ $findings = $result->findings();
+ if (empty($findings)) {
+ return [];
+ }
+
+ $paragraphs = [];
+ $paragraphs[] = $this->t('The following items potentially have dangerous tags.');
+
+ $items = [];
+ foreach ($findings as $entity_type_id => $entities) {
+ foreach ($entities as $entity_id => $fields) {
+ $entity = $this->entityManager()
+ ->getStorage($entity_type_id)
+ ->load($entity_id);
+
+ foreach ($fields as $field => $finding) {
+ $url = $entity->toUrl('edit-form');
+ if ($url === NULL) {
+ $url = $entity->toUrl();
+ }
+ $items[] = $this->t(
+ '@vulnerabilities found in @field field of @label',
+ [
+ '@vulnerabilities' => implode(' and ', $finding),
+ '@field' => $field,
+ '@label' => $entity->label(),
+ ':url' => $url->toString(),
+ ]
+ );
+ }
+ }
+ }
+
+ return [
+ '#theme' => 'check_evaluation',
+ '#paragraphs' => $paragraphs,
+ '#items' => $items,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluatePlain(CheckResult $result) {
+ $findings = $result->findings();
+ if (empty($findings)) {
+ return '';
+ }
+
+ $output = '';
+ foreach ($findings as $entity_type_id => $entities) {
+ foreach ($entities as $entity_id => $fields) {
+ $entity = $this->entityManager()
+ ->getStorage($entity_type_id)
+ ->load($entity_id);
+
+ foreach ($fields as $field => $finding) {
+ $url = $entity->toUrl('edit-form');
+ if ($url === NULL) {
+ $url = $entity->toUrl();
+ }
+ $output .= "\t" . $this->t(
+ '@vulnerabilities in @field of :link',
+ [
+ '@vulnerabilities' => implode(' and ', $finding),
+ '@field' => $field,
+ ':link' => $url->toString(),
+ ]
+ ) . "\n";
+ }
+ }
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getMessage($result_const) {
+ switch ($result_const) {
+ case CheckResult::SUCCESS:
+ return $this->t('Dangerous tags were not found in any submitted content (fields).');
+
+ case CheckResult::FAIL:
+ return $this->t('Dangerous tags were found in submitted content (fields).');
+
+ default:
+ return $this->t('Unexpected result.');
+ }
+ }
+
+}