- Issue created by @omarlopesino
- Merge request !4 Issue #3472533: Allow adding query tags to entity_query Data Producer (Open), created by omarlopesino
- Status changed to Needs review
9:41am 6 September 2024 - 🇪🇸Spain omarlopesino
I've created a MR that adds the query_tag property to "consumes" and adds it to the query.
Please review and let me know your feedback, many thanks!
- 🇦🇹Austria klausi 🇦🇹 Vienna
Thanks, this is a bit dangerous as then the query tag could be supplied from user input if the developer sets it up wrong. We just fixed a similar minor security weakness in "Wrong usage of EntityQuery data producer can lead to SQL access bypass" (issue status: Active) with the entity_query producer.
Could we lock this down somehow so that developers cannot expose this by accident?
- 🇪🇸Spain omarlopesino
I think this problem can be fixed by applying a solution similar to restricting filters in the entity query producer: https://git.drupalcode.org/project/graphql/-/blob/8.x-4.x/src/Plugin/Gra... .
The solution would be:
- Adding an allowed_query_tags property into the entity query producer.
- When the query is being done, throw an exception when a query tag not defined in allowed_query_tags is detected.
Working on it ASAP.
- 🇪🇸Spain omarlopesino
I've just added a commit that ensures there is a field that sets which query tags are allowed, so if a query tag is passed dynamically, it does not add unwanted query tags.
Please review, if it looks good I can add tests.
- 🇦🇹Austria klausi 🇦🇹 Vienna
Thanks, approach looks good!
I'm thinking about whether the API addition could break existing installations - I think it will break all old sites that have dataproducer_populate_default_values set to FALSE. We could allow the parameters to be nullable with the "?" operator, which is ugly but should work?
I think you can go ahead and add tests now!
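An added illustration of the two points raised in this thread, the allowed_query_tags allow list and the nullable parameters for sites with dataproducer_populate_default_values set to FALSE. This is example code written for this page, not the merge request's or the module's own code. The consumes keys "query_tags" and "allowed_query_tags", the helper names and the resolve() sketch at the end are assumptions; the only Drupal API used is \Drupal\Core\Entity\Query\QueryInterface::addTag(), and the validation function itself has no Drupal dependency.

```php
<?php

declare(strict_types=1);

use Drupal\Core\Entity\Query\QueryInterface;

/**
 * Normalizes and validates client-requested query tags against an allow list.
 *
 * Hypothetical helper, not the module's code. Both parameters are nullable so
 * that sites with dataproducer_populate_default_values set to FALSE, where an
 * omitted argument arrives as NULL, keep working; NULL is treated as an empty
 * list, i.e. nothing requested and nothing allowed.
 *
 * @return string[]
 *   The validated tags, ready to be added to the query.
 *
 * @throws \InvalidArgumentException
 *   When a tag is not a non-empty string or is not in the allow list.
 */
function validateQueryTags(?array $queryTags, ?array $allowedQueryTags): array {
  $queryTags = $queryTags ?? [];
  $allowedQueryTags = $allowedQueryTags ?? [];

  foreach ($queryTags as $tag) {
    if (!is_string($tag) || $tag === '') {
      throw new \InvalidArgumentException('Query tags must be non-empty strings.');
    }
  }

  // Exact string comparison: the tag name is what hook_query_TAG_alter()
  // implementations are keyed on, so "node_access" and "Node_Access" differ.
  $disallowed = array_diff($queryTags, $allowedQueryTags);
  if ($disallowed !== []) {
    throw new \InvalidArgumentException(sprintf(
      'Query tag(s) not permitted by the schema: %s. List them in allowed_query_tags if this is intended.',
      implode(', ', $disallowed)
    ));
  }

  return array_values(array_unique($queryTags));
}

/**
 * Adds only allow-listed tags to an entity query.
 *
 * Any module may implement hook_query_TAG_alter() for a tag, so a tag supplied
 * by a GraphQL client would otherwise let that client trigger query
 * alterations the schema developer never intended.
 */
function applyAllowedQueryTags(QueryInterface $query, ?array $queryTags, ?array $allowedQueryTags): QueryInterface {
  foreach (validateQueryTags($queryTags, $allowedQueryTags) as $tag) {
    $query->addTag($tag);
  }
  return $query;
}

// Sketch (assumed, not the module's code) of how a data producer's resolve()
// would call it. The schema author hard-codes allowed_query_tags in the schema
// definition; only query_tags may come from the client.
//
//   $query = $entityTypeManager->getStorage($type)->getQuery()->accessCheck(TRUE);
//   applyAllowedQueryTags($query, $queryTags, $allowedQueryTags);
```

The important property is that the allow list is fixed by the schema author and never reaches the client: validateQueryTags(['node_access'], NULL) throws, because NULL means nothing is allowed, while validateQueryTags(['my_tag'], ['my_tag']) returns ['my_tag']. Validating before calling addTag() means a rejected request leaves the query untouched rather than partially tagged.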