Disallow access to (core) development files using .htaccess

Comparing #36 and #35 seems we lost some test coverage for

+ // Ensure package.json and yarn.lock cannot be accessed.
+ $file_paths["$path/package.json"] = 403;
+ $file_paths["$path/yarn.lock"] = 403;
+

Is there a new way for testing that in D10 and that's why it was removed?

Hi @smustgrave

I remove them from the patch because we already have those lines one D10:

• https://git.drupalcode.org/project/drupal/-/blob/10.0.x/core/modules/sys...
• https://git.drupalcode.org/project/drupal/-/blob/10.1.x/core/modules/sys...

Cool in that case think what we have here is fine.

Thanks to all the people working in this.

I wanted to use this fix but the patch can't be use directly in composer. For example, if you add the patch from #36 to the patches section in composer.json composer is not able to patch drupal core because it can't find the files to patch. I think this is because the drupal/core project has a special treatment in composer.json (paths and so).

To make it work with a project using composer you have to modify the patch. I'm adding here the patch I'musing as text (based on #36), so it is not tested by the test run avoiding introducing noise to the issue. This is to help any other people that wants this functionality in their project.

Let me be clear about this: the following patch is for people that want to integrate this fix in a Drupal project manged by composer, this patch is not intended to be committed.

diff --git a/assets/scaffold/files/htaccess b/assets/scaffold/files/htaccess
index 116acf42fb..a46e1a871d 100644
--- a/assets/scaffold/files/htaccess
+++ b/assets/scaffold/files/htaccess
@@ -3,7 +3,7 @@
 #

 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
diff --git a/assets/scaffold/files/web.config b/assets/scaffold/files/web.config
index b769e45e36..113ffc0201 100644
--- a/assets/scaffold/files/web.config
+++ b/assets/scaffold/files/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>

diff --git a/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/modules/system/tests/src/Functional/System/HtaccessTest.php b/modules/system/tests/src/Functional/System/HtaccessTest.php
index 09046c446f..711ef5d042 100644
--- a/modules/system/tests/src/Functional/System/HtaccessTest.php
+++ b/modules/system/tests/src/Functional/System/HtaccessTest.php
@@ -87,6 +87,10 @@ protected function getProtectedFiles() {
       $file_paths["$path/access_test.$file_ext"] = 200;
     }

+    // Ensure development files cannot be accessed.
+    $file_paths["$path/phpcs.xml.dist"] = 403;
+    $file_paths["$path/phpunit.xml.dist"] = 403;
+
     // Ensure composer.json and composer.lock cannot be accessed.
     $file_paths["$path/composer.json"] = 403;
     $file_paths["$path/composer.lock"] = 403;

I believe this should only need to focus on .htaccess since 🌱 [policy, no patch] Drop support for Windows in production Needs review has been decided.