Contrib.social

Validate destination is a valid path

Open on Drupal.org →
Created on 17 April 2025, 9 days ago

Problem/Motivation

After the user login takes place, the user will be redirected to the destination_path.

However, there is no validation that this path exists, so it is possible to enter a non-existent path, which will cause an InvalidArgumentException exception.

Steps to reproduce

Edit a redirect form and enter a path that doesn't exist in destination path. Visit the validation form and send an email. Click the link in the email, observe the InvalidArgumentException error.

Proposed resolution

Use the path.validator service to check the destination before saving.

Remaining tasks

  1. In src/Form/VerifyEmailAddEditForm.php, add a constructor, and use property promotion to add a property of type \Drupal\Core\Path\PathValidatorInterface
  2. Add a static create function to instantiate the class with the path.validator service
  3. Add a validateForm function, which checks destination_path with $this->pathValidator->isValid()

User interface changes

None except the admin form will warn about invalid destination path.

API changes

None.

Data model changes

None.

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇮🇪Ireland lostcarpark

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @lostcarpark
  • Comment 9 days ago →
    🇮🇳India ankit_k
  • Merge request !15Update file VerifyEmailAddEditForm.php → (Merged) created by Unnamed author
  • Pipeline finished with Failed
    8 days ago
    Total: 316s
    #476436
  • Comment 8 days ago →
    🇮🇳India ankit_k
  • Comment 8 days ago →
    🇮🇳India nidhi27

    Assigning my self for review.
    Thanks!

  • Comment 8 days ago →
    🇮🇳India nidhi27

    Hi,

    I have tested the functionality and its working as expected. But test cases are failing because somewhere path is added. We can change it to any valid internal url. (E.g. )

    Moving it to needs work.

  • Pipeline finished with Failed
    8 days ago
    Total: 267s
    #476721
  • Pipeline finished with Failed
    8 days ago
    Total: 262s
    #476729
  • Comment 8 days ago →
    🇮🇳India ankit_k

    Working on this

  • Pipeline finished with Success
    8 days ago
    Total: 173s
    #476763
  • Comment 8 days ago →
    🇮🇳India ankit_k

    Pipeline passed sucessfully

  • Comment 8 days ago →
    🇮🇪Ireland lostcarpark

    Apologies, but I should have thought of this in the original issue description.

    I think test coverage is needed to ensure the validation is working.

    In the VerifyEmailSetupTest::testVerifyEmailConfig, the test assumes that the save of the verify email form was successful. However, this is no longer a valid assumption since it could fail validation.

    • After the first submit on line 65, we should use addressEquals to verify the form saved and returned to the /admin/people/verify-email page.
    • We should also statusMessageContains to check the status message is correct.
    • We can remove the drupalGet on line 66 since the page should have redirected there anyway.

    We should also add a new test function in this class to test that an invalid destination path won't save.

    • This should attempt to save a new verify email form, but specifically put a path that doesn't exist in the destination path
    • It should assert with addressEquals remains on the add page.
    • It should assert with statusMessageContains that the correct error message is generated.

    Thank you for your work on this.

  • Comment 2 days ago →
    🇮🇳India nidhi27
  • Comment 1 day ago →
    🇮🇳India nidhi27

    Hii,

    Changes are done. Let me know if any changes are needed.

    Thanks!

  • Comment about 13 hours ago →
    🇮🇪Ireland lostcarpark

    I have reviewed the test changes, and I'm happy they properly test the redirect path validation.

    I have run the tests locally, and carried out a manual test.

    This change is now ready to merge.

  • Comment about 12 hours ago →
    🇮🇪Ireland lostcarpark

    Change now merged. Thank you all for working on this.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024