Trusting oembed resource responses can throws exceptions

Created on 7 May 2020, over 4 years ago

Updated 21 February 2023, almost 2 years ago

Problem/Motivation

Relying on the provider_name property from an oembed response can result in exceptions.

We should not be trusting a oembed provider to provide the same provider name as found in oembed.com/providers.json, two independent parties.

In various places, we already validate a URL by checking that a provider responds to a URL, then for some reason that provider is effectively discarded when we fetch the oembed resource, relying on the oembed resource to provide us a valid provider name in our system.

Take \Drupal\media\Plugin\Validation\Constraint\OEmbedResourceConstraintValidator::validate, which validates we have a provider for a URL by running $this->urlResolver->getProviderByUrl($url). Later in the method $this->resourceFetcher->fetchResource($resource_url); is executed. fetchResource calls createResource, which results in this behaviour.

Example

URL: https://www.reddit.com/r/aww/comments/get9f5/guess_youre_about_to_buy_every_toy_in_the_store/.

In the case of Reddit, in providers.json the provider_name is "Reddit", versus a response from Reddit itself has provider_name = 'reddit'. I dont think a reasonable fix is to simply lowercase everything.

Proposed solution: We should either be passing $provider down the stack, or re-running getProviderByUrl from within createResource.

Related example

Another similar but not exactly the same example of this is Sound Cloud. provider.json has a provider_name of SoundCloud, but resources returned from SoundCloud do not return a provider name. Supplying a provider_name in a resource response is also optional. In this case we have a provider already! But createResource currently isnt matching it up to the known provider. Retrieving a SoundCloud resource doesn't result in an exception, like Reddit resources, because the property is not present in the first place; NULL is set as the provider to \Drupal\media\OEmbed\Resource objects.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

10.1 ✨

Component

Media →

Last updated about 12 hours ago

Maintained by
🇳🇱Netherlands @seanB
🇩🇪Germany @chr.fritsch
🇺🇸United States @phenaproxima
🇪🇸Spain @marcoscano

Created by

🇦🇺Australia dpi Perth, Australia

Live updates comments and jobs are added and updated live.

oembed

Media Initiative

Triaged Media Initiative issue

Bug Smash Initiative

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇳🇿New Zealand quietone
Closed 🐛 Core media OEmbedResource provider validation needs to be case insensitive Closed: duplicate as a duplicate, adding credit. Added that standard template to the IS.
Comment almost 2 years ago →
🇦🇺Australia gargsuchi
quietone → credited gargsuchi → .
Comment almost 2 years ago →
🇺🇸United States Chris Burge
We haven't received any guidance on how to proceed; however, it strikes me that calling getProviderByUrl() in createResource() is OOP and passing

$provider<code> down the stack is not. My vote is to call <code>getProviderByUrl()
in createResource().

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024