Issue #3314944 by rymcveigh, greggles, lkacenja: Opt into security advisory coverage

README.md

+# RESTful Logger
+
+This module provides a REST endpoint for logging messages to Drupal's core
+logger using JSON with a `message` value, `path`, `severity` and `channel` 
+value as documented on the 
+[Drupal Logging API documentation](https://www.drupal.org/docs/8/api/logging-api/overview).
+
+## Table of contents
+
+- Requirements
+- Recommended modules
+- Installation
+- Configuration
+- Example JSON POST Body
+- Troubleshooting
+- Maintainers
+
+## Requirements
+
+This module requires the following core modules:
+
+- [dblog](https://www.drupal.org/docs/8/core/modules/dblog)
+- [rest](https://www.drupal.org/docs/8/core/modules/rest/)
+
+## Recommended modules
+
+[REST UI module](https://www.drupal.org/project/restui): When enabled,
+it displays active REST endpoints at Configuration > Services > REST.
+
+## Installation
+
+Install as you would normally install a contributed Drupal module. For further
+information, see
+[Installing Drupal Modules](https://www.drupal.org/docs/extending-drupal/installing-drupal-modules).
+
+## Configuration
+
+1. Enable the module at Administration > Extend.
+2. Grant the desired permissions needed to the `POST log messages`
+permission and the `Access POST on Watchdog database logger resource` permission
+via the People > Permissions page.
+
+## Example JSON POST Body
+
+### Required Values:
+- `message`
+- `path`
+
+### Default Values:
+- The default value for `channel` is `restfulloger`.
+- The default value for `severity` is `Notice`.
+
+```json
+{
+  "message": "The message you want to log.",
+  "severity": "Error",
+  "channel": "module_machine_name",
+  "path": "/path/to/page"
+}
+```
+
+## Troubleshooting
+
+If the logger does not get recorded when POSTing to `/dblog/logger`
+
+- Ensure the `POST log messages` and `Access POST on Watchdog database logger 
+resource` permissions are set to the correct roles on the People > Permissions 
+page.
+- Ensure the REST endpoint is enabled. (This is easier to check using the 
+[REST UI module](https://www.drupal.org/project/restui).)
+- Ensure your JSON body is formatted correctly and the `message` and `path`
+values are defined.
+
+## Maintainers
+
+- Ryan McVeigh - [rymcveigh](https://www.drupal.org/u/rymcveigh)

README.txt

-RESTful Logger
-=======
-
-This module provides a REST resource for logging messages..
-
-Installation
-============
-
-Once the module has been installed, you will be able to POST messages to `/dblog/logger` using JSON with a `message` value, `severity` value, and `channel` value as documented on the Drupal Logging API documentation (https://www.drupal.org/docs/8/api/logging-api/overview).

src/Plugin/rest/resource/RestfulLogger.php

@@ -87,18 +87,20 @@ class RestfulLogger extends ResourceBase {
     $channel = empty($data['channel']) ? 'restfullogger' : $data['channel'];
     $severity = $this->validateAndParseSeverity($data);
     $path = $this->validateAndParsePath($data);
-    $message = $this->t('@message, path:  @path', [
+
+    // Log the message using the logger context.
+    $this->logger->log($severity, '@message, path:  @path', [
       '@message' => $message,
       '@path' => $path,
     ]);
 
-    // Log the message.
-    $this->logger->log($severity, $message);
-
     // Build our response.
     $response = [
       'message' => 'successfully logged',
-      'dblog_message' => $message,
+      'dblog_message' => $this->t('@message, path:  @path', [
+        '@message' => $message,
+        '@path' => $path,
+      ]),
       'dblog_channel' => $channel,
       'dblog_severity' => $severity,
     ];
@@ -123,7 +125,7 @@ class RestfulLogger extends ResourceBase {
     if (empty($request['message'])) {
       throw new BadRequestHttpException('The message value is missing');
     }
-    return $request['message'];
+    return Html::escape($request['message']);
   }
 
   /**
@@ -137,7 +139,7 @@ class RestfulLogger extends ResourceBase {
    */
   private function validateAndParseSeverity(array $request): string {
     $levels = RfcLogLevel::getLevels();
-    $severity = empty($request['severity']) ? LogLevel::NOTICE : Html::escape(strtolower($request['severity']));
+    $severity = empty($request['severity']) ? LogLevel::NOTICE : strtolower($request['severity']);
     // Default 'Notice' if the level provided is not available.
     return in_array(ucfirst($severity), $levels) ? $severity : LogLevel::NOTICE;
   }
@@ -159,7 +161,7 @@ class RestfulLogger extends ResourceBase {
     if (empty($request['path'])) {
       throw new BadRequestHttpException('The path value is missing');
     }
-    return $request['path'];
+    return Html::escape($request['path']);
   }
 
 }

tests/src/Functional/LoadTest.php

@@ -14,20 +14,14 @@ use Drupal\Tests\BrowserTestBase;
 class LoadTest extends BrowserTestBase {
 
   /**
-   * Modules installed for all tests.
-   *
-   * @var array
+   * {@inheritdoc}
    */
-  protected static $modules = [
-    'hal',
-    'dblog',
-    'restfullogger',
-  ];
+  protected $defaultTheme = 'stark';
 
   /**
    * {@inheritdoc}
    */
-  protected $defaultTheme = 'stark';
+  protected static $modules = ['restfullogger'];
 
   /**
    * Posts a log message and retrieves it via the REST API.
@@ -43,7 +37,11 @@ class LoadTest extends BrowserTestBase {
       ->setOption('query', ['_format' => 'json'])
       ->setAbsolute()
       ->toString();
-    $token = $this->drupalGet("/session/token", ['query' => ['_format' => 'hal_json']]);
+    $token = $this->drupalGet("/session/token", [
+      'query' => [
+        '_format' => 'hal_json',
+      ],
+    ]);
     $body = $this->container->get('serializer')->serialize([
       'message' => 'Test message',
       'path' => '/',