Contrib.social

Media Library Widget skips constraint validations

Open on Drupal.org β†’
Created on 6 August 2024, 9 months ago

This was initially an issue at security.drupal.org, but was decided to resolve it publicly.

Problem/Motivation

If a contrib/custom module adds a constraint to an entity reference field, and the media library widget is used, the constraints are never validated. Depending on the constraint that might lead to information disclosure.

Steps to reproduce

1. Install core standard.
2. Enable media library.
3. Enable the contrib entity_reference_validator.
4. Add a multivalued entity reference to media in Article.
5. Edit the Article edit form to use the media library widget for that field, and enable "avoid duplicates" (via the entity_reference_validator)
6. Create a new Article and reference a media twice.
7. Verify that the constraint was never triggered and it will allow you to save it.

Proposed resolution

The problem comes because WidgetBase::flagErrors does:

            $error_element = $this->errorElement($delta_element, $violation, $form, $form_state);
            if ($error_element !== FALSE) {
              $form_state->setError($error_element, $violation->getMessage());
            }

MediaLibraryWidget::errorElement has return $element['target_id'] ?? FALSE;

But somehow it's reaching with the parent form element when I debug this.

A incomplete-but-working-fix is

  public function errorElement(array $element, ConstraintViolationInterface $error, array $form, FormStateInterface $form_state) {
    if (isset($element['selection'])) {
      return $element['selection'];
    }

    return $element['target_id'] ?? FALSE;
  }

Remaining tasks

TBD

User interface changes

TBD

Introduced terminology

TBD

API changes

TBD

Data model changes

TBD

Release notes snippet

TBD

πŸ› Bug report
Status

Active

Version

10.4 ✨

Component
MediaΒ  β†’

Last updated about 3 hours ago

Created by

πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @penyaskito
  • Comment 8 months ago β†’
    πŸ‡¨πŸ‡·Costa Rica yuvania

    Maybe you could try breaking down the target_id further in the errorElement function to see if something is being missed in the validation. I'm referring to checking or adjusting the structure of $element before it reaches the check, in case there's any data not being handled correctly

  • Comment 5 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand quietone

    Changes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies.

  • Comment 7 days ago β†’
    πŸ‡ΊπŸ‡¦Ukraine HitchShock Ukraine

    +1 Caught the same issue
    The problem is that I can't find any default features that will allow us to reproduce it with a simple core settings.
    But if we will add a custom constraint to the field with Media library, then it won't be working, because of the reason mentioned in the description.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024