Commit ce807bf9 authored by catch's avatar catch

Issue #3534278 by phenaproxima, longwave, xjm: The vendor hardening plugin...

Issue #3534278 by phenaproxima, longwave, xjm: The vendor hardening plugin should provide a way to skip cleaning certain packages

(cherry picked from commit e96610e2)
parent 9ac21a92
+9 −0
@@ -126,6 +126,11 @@ public function getAllCleanupPaths() {
      $this->configData = array_change_key_case($package_config['drupal-core-vendor-hardening'], CASE_LOWER);
    }

    // Find the packages which should not be cleaned up.
    $do_not_clean = array_filter($this->configData, function ($paths) {
      return $paths === FALSE;
    });

    // Ensure the values are arrays.
    $this->configData = array_map(function ($paths) {
      return (array) $paths;
@@ -137,6 +142,10 @@ public function getAllCleanupPaths() {
        $this->configData[$package] ?? [],
        $paths);
    }

    // Remove packages that should not be cleaned up.
    $this->configData = array_diff_key($this->configData, $do_not_clean);

    return $this->configData;
  }
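Review bot: Only a literal `FALSE` opts a package out in the new `array_filter()` callback, and the exempted packages are then dropped from the returned map by `array_diff_key()`, so nothing visible in these hunks lets a caller tell an exempted package apart from one that was never configured. Because an exemption leaves that package's test and documentation directories in place, it would help to keep `$do_not_clean` reachable (for example as a property) so the plugin can report skipped packages in the Composer output. At minimum, extend the first comment to `// Find the packages which should not be cleaned up. Only a literal FALSE opts out; any other value is cast to a list of paths.` `getAllCleanupPaths()` begins before the first hunk, so its docblock and any earlier return are not visible here.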

+11 −0
@@ -80,3 +80,14 @@ paths specified for this package might look like this:
This would then cause the plugin to try and remove
web/modules/contrib/module_name/tests and
web/modules/contrib/module_name/src/Tests.

The plugin can be configured to NOT clean certain packages. This is not
recommended, but it may be useful for advanced use cases, such as allowing
Drupal to use a copy of Composer installed locally in the project. For
example, to prevent the plugin from cleaning `composer/composer`:

    "extra": {
      "drupal-core-vendor-hardening": {
        "composer/composer": false
      }
    }
+6 −0
@@ -12,6 +12,7 @@
use Symfony\Component\Validator\Constraints\Blank;
use Symfony\Component\Validator\Constraints\Callback;
use Symfony\Component\Validator\Constraints\Choice;
use Symfony\Component\Validator\Constraints\File;
use Symfony\Component\Validator\Constraints\IdenticalTo;
use Symfony\Component\Validator\Constraints\Image;
use Symfony\Component\Validator\Constraints\NotBlank;
@@ -118,6 +119,11 @@ public function registerDefinitions() {
      'class' => Choice::class,
      'type' => FALSE,
    ]);
    $this->getDiscovery()->setDefinition('File', [
      'label' => new TranslatableMarkup('File'),
      'class' => File::class,
      'type' => ['string'],
    ]);
    $this->getDiscovery()->setDefinition('Image', [
      'label' => new TranslatableMarkup('Image'),
      'class' => Image::class,
+3 −1
@@ -19,7 +19,9 @@ package_manager.settings:
          label: 'Absolute path to Composer executable, or NULL to auto-detect'
          nullable: true
          constraints:
            IsExecutable: []
            # The file has to exist but need not be directly executable, because it is
            # always passed to the PHP interpreter.
            File: []
        rsync:
          type: string
          label: 'Absolute path to rsync executable, or NULL to auto-detect'
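Review bot: With `File: []` on the `composer` setting, any existing, readable file passes validation, and per the new comment that file is always handed to the PHP interpreter, so the check no longer says anything about whether the target is meant to be run. The label promises an absolute path, but no constraint visible in this hunk enforces that; if none exists elsewhere, a relative value would be resolved against the working directory of whichever process validates or runs it. Consider extending the comment to state the trust assumption, e.g. `# This path is executed by PHP, so only trusted administrators should be able to change it.`, and adding an absolute-path check if the schema does not already have one outside this hunk.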
+3 −1
@@ -68,8 +68,10 @@ public function testSettingsForm(): void {
      'composer' => 'rm -rf /',
      'rsync' => 'cat /etc/passwd',
    ], 'Save configuration');
    $assert_session->statusMessageContains('"rm -rf /" is not an executable file.', 'error');
    $assert_session->statusMessageContains('The file could not be found.', 'error');
    $assert_session->statusMessageContains('"cat /etc/passwd" is not an executable file.', 'error');
    $this->assertTrue($assert_session->fieldExists('composer')->hasClass('error'));
    $this->assertTrue($assert_session->fieldExists('rsync')->hasClass('error'));
  }

}
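Review bot: The updated assertions cover only a `composer` value that does not exist, so the behaviour this commit changes, an existing file without the executable bit now being accepted, is not exercised in this hunk. A second submission pointing `composer` at a real, readable, non-executable file, followed by an assertion that the `composer` field does not carry the `error` class, would pin that down. The message `The file could not be found.` does not name the field, so the added `hasClass('error')` checks are what tie it to `composer`; a short comment such as `// The File constraint message is generic, so also check which fields are flagged.` would make that explicit. `testSettingsForm()` starts above the hunk.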