Add support for configurable asset paths and stream wrapper added in Drupal core 10.1

Created on 26 December 2022, almost 2 years ago
Updated 23 January 2023, almost 2 years ago

Problem/Motivation

Drupal core is adding configurable CSS/JS asset paths and a new assets:// stream wrapper in the core issue "Make css/js optimized assets path configurable" (Fixed). Security Review should include this as part of the default ignore list in the file permissions check.

Steps to reproduce

Either patch Drupal core (if less than 10.1) using the patch found in the core issue "Make css/js optimized assets path configurable" (Fixed) or install Drupal core 10.1. Configure an asset path that isn't the default public files directory path, e.g. /assets/css instead of /sites/default/files/css. Run the Security Review file permissions check. It'll see the writable asset paths as insecure even when there's an .htaccess there to prevent PHP execution like in public files.

Proposed resolution

Add this to \Drupal\security_review\Checks\FilePermissions::getIgnoreList():

    // If the assets stream wrapper service exists, get the assets path.
    //
    // @see https://www.drupal.org/project/drupal/issues/3027639
    //   Drupal core issue to add this. Planned to be released in Drupal core
    //   10.1.
    //
    // @todo Inject this into the constructor?
    if ($this->container->has('stream_wrapper.assets')) {
      $assetsPath = $this->container->get('stream_wrapper.assets')->basePath();
      // realpath() returns FALSE when the path does not exist (yet); only
      // add a resolved path to the ignore list.
      $realAssetsPath = \realpath($assetsPath);
      if ($realAssetsPath !== FALSE) {
        $ignore[] = $realAssetsPath;
      }
    }

Remaining tasks

Do the above.

User interface changes

None?

API changes

None.

Data model changes

Probably none?

Feature request
Status

Fixed

Version

2.0

Component

Code

Created by

🇨🇦Canada ambient.impact Toronto
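
A simplified model of the behaviour described in the steps to reproduce, added here as an example and not taken from Security Review or Drupal core: a writable-file scan that skips paths under an ignore list, run once with only the public files directory ignored and once with the configured asset path added. The function names and the sample directory tree are hypothetical, and a POSIX filesystem is assumed.

```php
<?php
// Simplified model of a writable-path scan with an ignore list.
// All names are hypothetical; this is not Security Review's implementation.

/** Resolve ignore entries; drop paths that do not exist (realpath() === FALSE). */
function resolve_ignore_list(array $paths): array {
  return array_values(array_filter(array_map('realpath', $paths), 'is_string'));
}

/** TRUE if $path is an ignored directory or lies beneath one. */
function is_ignored(string $path, array $ignore): bool {
  foreach ($ignore as $dir) {
    // Match on a directory boundary so /assets does not also cover /assets-old.
    if ($path === $dir || strpos($path, $dir . DIRECTORY_SEPARATOR) === 0) {
      return TRUE;
    }
  }
  return FALSE;
}

/** Return writable files under $root (relative to it) that are not ignored. */
function find_writable_files(string $root, array $ignore): array {
  $found = [];
  $items = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
  );
  foreach ($items as $item) {
    $path = $item->getPathname();
    if ($item->isFile() && is_writable($path) && !is_ignored($path, $ignore)) {
      $found[] = substr($path, strlen($root));
    }
  }
  sort($found);
  return $found;
}

// Constructed sample tree in a temporary directory.
$root = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . uniqid('sr_demo_');
foreach (['sites/default/files/css', 'assets/css', 'assets-old'] as $dir) {
  mkdir("$root/$dir", 0775, TRUE);
  file_put_contents("$root/$dir/sample.css", 'body{}');
}

// Only the public files directory is ignored: the configured asset path is reported.
$default = ["$root/sites/default/files"];
print_r(find_writable_files($root, resolve_ignore_list($default)));

// Asset path added to the ignore list; the nonexistent entry is dropped, not stored as FALSE.
$withAssets = array_merge($default, ["$root/assets", "$root/missing"]);
print_r(find_writable_files($root, resolve_ignore_list($withAssets)));
```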
