Username and passwords should not be stored in config files

Created on 8 February 2024, 8 months ago

Problem/Motivation

DrupacleConnection stores the username and password in the config files, which are normally checked into a site's code repository. This is not secure.

 *   config_export = {
 *     "id",
 *     "label",
 *     "db_name",
 *     "host",
 *     "port",
 *     "username",
 *     "password",
 *     "db_service_name",
 *   }

https://git.drupalcode.org/project/drupacle/-/blob/2.0.x/src/Entity/Drup...

In addition, the controller passes the sensitive info to the callback function, meaning that the username and password can be exposed in log files if an error occurs.

  public function drupalConnectionCallback(DrupacleConnectionInterface $drupacle_connection) {
    $connectionId = $drupacle_connection->get('id');
    $db_username = $drupacle_connection->get('username');
    $db_password = $drupacle_connection->get('password');

PHP 8.2 added the SensitiveParameter attribute that should be used to avoid this if you continue to pass the credentials this way.
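
The effect of the attribute on a stack trace, shown as an added example that is not part of the original issue or of the Drupacle code base. The function names and the credential values are constructed for illustration, and the script assumes PHP 8.2 or later.

```php
<?php
// Added illustration: compares the arguments captured in an exception trace
// with and without #[\SensitiveParameter]. All names and values are constructed.
declare(strict_types=1);

// Record call arguments in traces so the difference is visible; production
// php.ini files often turn this on, which hides all arguments.
ini_set('zend.exception_ignore_args', '0');

// Hypothetical connector that takes the password as a plain parameter.
function connect_plain(string $username, string $password): void {
  throw new RuntimeException('Connection failed');
}

// Same connector with the password marked sensitive.
function connect_redacted(
  string $username,
  #[\SensitiveParameter] string $password,
): void {
  throw new RuntimeException('Connection failed');
}

// Calls the connector and returns the arguments stored in the top trace frame.
function trace_args(callable $connect): array {
  try {
    $connect('report_user', 'constructed-secret');
  }
  catch (RuntimeException $e) {
    // Frame 0 is the call to the function that threw.
    return $e->getTrace()[0]['args'] ?? [];
  }
  return [];
}

// Renders trace arguments the way a log line would show them.
function describe(array $args): string {
  return implode(', ', array_map(
    fn ($a) => $a instanceof \SensitiveParameterValue ? '[redacted]' : var_export($a, TRUE),
    $args
  ));
}

echo 'plain:    ', describe(trace_args('connect_plain')), PHP_EOL;
echo 'redacted: ', describe(trace_args('connect_redacted')), PHP_EOL;
```

Only parameters that carry the attribute are replaced in the trace, so the username still appears unless it is marked as well.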

Proposed resolution

Instead of storing user/pass in config, use:

  1. the Key module
  2. or settings.php (contains Drupal's standard database usernames and passwords)

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.0

Component

Code

  • Security improvements

