Detect Security Advisories from Starterkit-Themes in Child-Themes

Created on 20 October 2023, about 1 year ago
Updated 9 November 2023, about 1 year ago

"Child-Theme" in this context means any theme that was created from a Starterkit Theme.

Problem/Motivation

A Starterkit Theme might contain a security issue, that has been fixed in the current version. If the Child-Theme was created prior to the fix, the Child-Theme might still contain the security issue. But because the Starterkit Theme may have already been updated or removed from the codebase entirely, Drupal will no longer inform about the issue in /admin/reports/status.

Steps to reproduce

I didn't find any Themes with security issues, so I can't reproduce it for now.

Proposed resolution

Drupal should warn about potential security risks in Sub-Themes. It can do this by looking up the generator Value in the .info.yml file of the Child-Themes, and inheriting any Security advisories for the specified Starterkit-Theme. The generator though currently does not contain the drupal.org project name, only the name of the theme extension. While these are in most case the same they are not guaranteed to be the same. They can completely different . In fact there is no guarantee that the machine name of the theme extension is not the same as a different project name on drupal.org. For this reason the generator key will either to be updated to also contain the project name or the project name will need to be saved elsewhere so it can be used to fetch the Update XML from drupal.org.

This functionality will likely need to be added to the Update module as it has the functionality to fetch the Update XML which has the information about security releases. Currently the Update module does not fetch Update XML any projects that are not in the current codebase

Additionally, there should be a way for maintainers of the Child-Theme to mark a Security advisories as resolved, without having to update the generator Value. (For Example, if the affected Twig-Template has been deleted from the Child-Theme). This could happen in the .info.yml file, by listing ignored Security Advisories under a ignored_security_advisories-Key.

Remaining tasks

Update current documentation

The current documentation for Starter Kit does mention that fact that security advisories for the source theme may affect starter kit themes. It might be to update that.

The documentation does have a Tracking upstream changes section but it does not give any indication on how you might do this.
Actually implementing this feature is very large task so it probably makes sense to at least update the docs.

There are a couple options for keeping track of security updates:

  1. Leave the source theme in the codebase and enable the update module. You don't have to have the theme installed but you would have to set the Update module to check for updates in uninstalled extensions
  2. Leave the source theme in the codebase but do not enable the update module. This will still alert you to security advisories via composer audit as long as the theme was installed via Composer. It would even be possible to set installer-paths in the composer.json have this theme be kept in location where Drupal itself would not find it to avoid it accidentally being enabled.

Unsupported status

Determine how to handle the supported status of the projects and branches

For instance:

  1. Monday: a theme may be generated using the 1.0.0 version of ThemeA
  2. ThemeA is removed from the codebase at this time
  3. Tuesday: The Theme project is marked as unsupported or the 1.0.x branch of the theme is marked as unsupported

In this case the theme will not receive and any security release but that does not mean there are not security issues.
Does this matter to the site that has theme generator from themeA 1.0.0? If we add functionality to show security releases for a theme that is not currently installed because it might affect a generated theme will the site owner understand project also might be marked as unsupported and therefore not get security releases?

Supported branches

If a theme was generator from 1.0.0 and 1.x is marked as unsupported it will not receive security releases. Should we keep showing security release information for 2.x, 3.x and beyond?

  • Find a Theme with an outdated Security advisories and add "Steps to Reproduce"
  • Refine remaining tasks

User interface changes

API changes

  • The THEME.info.yml file conatins a new key ignored_security_advisories: string[]|Null containing a List of ignored Security Advisories.

Data model changes

Release notes snippet

✨ Feature request
Status

Active

Version

11.0 πŸ”₯

Component
StarterkitΒ  β†’

Last updated 7 days ago

No maintainer
Created by

πŸ‡©πŸ‡ͺGermany RobinCS

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @RobinCS
  • Status changed to Active about 1 year ago
  • πŸ‡ΊπŸ‡ΈUnited States tedbow Ithaca, NY, USA

    πŸ‘‹Hi, one of the co-maintainers of the core Update module here

    I updated the summary because this would probably live in the Update module. I am leaving the Component as "Starterkit theme" for now because it might be easier for people interested to find it.

    Also I think ignored_security_advisories should probably be a single value of highest security advisory that has been checked. If there is security advisory for a theme project it may or may not affect a theme generated from theme extension in that project.

    Any theme project on drupal.org can contain 1 or more actual theme extension.

  • πŸ‡ΊπŸ‡ΈUnited States tedbow Ithaca, NY, USA

    Added a section about current documentation and way you could keep track of security advisories without any changes to core

Production build 0.71.5 2024