Contrib.social

Dealing with sniffs that are applied to contrib but not core

Open on Drupal.org β†’
Created on 26 January 2025, 2 months ago

DrupalPractice.Sniffs.FunctionCalls.InsecureUnserializeSniff was added to Coder in #3255726: Disallow unsafe use of unserialize β†’

This sniff is being applied to contributed modules when phpcs is run, but as far as I can tell it's not being used in core. I don't know if this is intentional or not.

There are about 150 uses of unserialize() in core that should report errors from this sniff, but because there is no mention in the core issue queue of this. I'm assuming this sniff isn't being used by core. And I don't see that this sniff is being explicitly excluded from core either.

The problem I have is that contrib copies code from core, and all these flagged usages that I've found in contrib seem to be in code that is copied from core. See for example πŸ“Œ unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option Postponed: needs info where I discuss this in more detail.

So the problem is the differing standards between what is allowed in core and what is allowed in contrib. If this sniff implements a Drupal coding standard, and if this sniff is a good thing to do (I think it is), then it should be applied to core as well. Otherwise, running this only on contrib is just generating work for contrib maintainers because the security implications of using unserialize() in core like this can't be eliminated by using it correctly in contrib.

My expectation, which may be wrong, is that the same sniffs are run on core and contrib, and that if core doesn't pass those sniffs they will be excluded explicitly with an issue opened in core to fix core so that it will pass those sniffs. But I don't see any evidence that core even knows this sniff exists.

I am perfectly willing to write a patch for core so that this sniff passes, but I simply don't know how core and contrib use a different set of sniffs and whether this is something core will even consider since the phpcs tests currently pass in core.

Can someone point me to documentation or explain to me how this situation happens and how to correct it in core?

πŸ’¬ Support request
Status

Active

Version

8.3

Component

Coder Sniffer

Created by

πŸ‡ΊπŸ‡ΈUnited States tr Cascadia

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @tr
  • Comment about 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    This sniff is being applied to contributed modules when phpcs is run, but as far as I can tell it's not being used in core. I don't know if this is intentional or not.

    I'll note that DrupalPractice sniffs are 'common practices' however to my knowledge the majority of them are not actually codified by the Drupal Coding Standard. There are some good sniffs in there however they may not fit for every situation.

    The default for gitlab_templates only uses the Drupal profile not the DrupalPractice profile.

    If a maintainer goes through the Project Applications queue to receive the 'git vetted' role (permission to opt projects into security coverage) role the DrupalPractice ruleset is often applied and some 'contributors' believe the DrupalPractice is a required standard.

    So the problem is the differing standards between what is allowed in core and what is allowed in contrib.

    To my knowledge Core has never fully complied with the Drupal Coding Standards. They use it as a guideline for new code however it is not fully enforced by testing as their code is not up to full coding standards and some standards are deemed 'too disruptive' to implement.

    I don't see that this sniff is being explicitly excluded from core either.

    Core selectively enables sniffs, they do not use the Drupal or DrupalPractice per-configured profiles that contrib often uses.

    The current sniffs used by core are located in:
    https://git.drupalcode.org/project/drupal/-/blob/11.x/core/phpcs.xml.dis...

    Can someone point me to documentation or explain to me how this situation happens and how to correct it in core?

    https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett... β†’ contains the procedure for proposing a new coding standard be used in core.

    https://www.drupal.org/project/coding_standards β†’ discusses in step 9 of the templates procedure discusses that after the coding standards committee adopts a new standard an issue be created in core to add the rule to phpcs.xml.dist and to cleanup any code that may not comply. Obviously code that is not in the formal coding standards would never trigger this step (also 2022 was back when the Coding Standards committee was defunct).

  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand quietone

    It is true that Drupal core is not fully compliant with the Drupal Coding standards, and that the set of sniff automatically enforced by core is different than contrib.

    Core continues to work to enforce all the Drupal Standards but not Drupal Practice. That work has been happening for many years and continues. It is done incrementally, that is, as core becomes compliant with a standard, the relevant sniff is enabled. For example, since Jan 1, 2025 there have been 35 changes core/phpcs.xml.dist, adding enforcement of a standard on all, or part, of the code base.

    To find out more about how coding standards work happens, there is the Coding Standard project β†’ and there is a #coding-standards in Drupal Slack.

    The related issue in core is πŸ“Œ [Meta] Fix coding standards in core Active .

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024