Harden disabled plugin processing

56a60ff6 · Conrad Lara · f0da3722 · 56a60ff6 · 56a60ff6
Commit 56a60ff6 authored Aug 28, 2023 by Conrad Lara
--- a/services_tfa/src/Plugin/ServiceDefinition/GenericValidation.php
+++ b/services_tfa/src/Plugin/ServiceDefinition/GenericValidation.php
@@ -58,6 +58,13 @@ class GenericValidation extends ServiceDefinitionBase implements ContainerFactor
   */
  protected $lock;

+  /**
+   * The config factory.
+   *
+   * @var \Drupal\Core\Config\ConfigFactoryInterface
+   */
+  protected $configFactory;
+
  /**
   * TFA Web Services constructor.
   *
@@ -73,8 +80,10 @@ class GenericValidation extends ServiceDefinitionBase implements ContainerFactor
   *   Validation plugin manager.
   * @param \Drupal\Core\Lock\LockBackendInterface|null $lock
   *   The lock service.
+   * @param \Drupal\Core\Config\ConfigFactoryInterface|null $config_factory
+   *   Config factory.
   */
-  public function __construct(array $configuration, $plugin_id, $plugin_definition, UserDataInterface $user_data, TfaValidationPluginManager $tfa_validation_manager, $lock = NULL) {
+  public function __construct(array $configuration, $plugin_id, $plugin_definition, UserDataInterface $user_data, TfaValidationPluginManager $tfa_validation_manager, $lock = NULL, $config_factory = NULL) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
    $this->userData = $user_data;
    $this->tfaValidationManager = $tfa_validation_manager;
@@ -83,6 +92,10 @@ class GenericValidation extends ServiceDefinitionBase implements ContainerFactor
      $lock = \Drupal::service('lock');
    }
    $this->lock = $lock;
+    if (!$config_factory) {
+      $config_factory = \Drupal::service('config.factory');
+    }
+    $this->configFactory = $config_factory;
  }

  /**
@@ -95,7 +108,8 @@ class GenericValidation extends ServiceDefinitionBase implements ContainerFactor
      $plugin_definition,
      $container->get('user.data'),
      $container->get('plugin.manager.tfa.validation'),
-      $container->get('lock')
+      $container->get('lock'),
+      $container->get('config.factory')
    );
  }

@@ -118,6 +132,11 @@ class GenericValidation extends ServiceDefinitionBase implements ContainerFactor
    $plugin_id = $request->get('plugin_id');

    if ($uid && $code && $plugin_id) {
+      $allowed_validation_plugins = $this->configFactory->get('tfa.settings')->get('allowed_validation_plugins');
+      if (!array_key_exists($plugin_id, $allowed_validation_plugins)) {
+        throw new AccessDeniedHttpException('Invalid plugin_id.');
+      }
+
      $this->validationPlugin = $this->tfaValidationManager->createInstance($plugin_id, ['uid' => $uid]);
      $validation_lock_id = 'tfa_validate_' . $uid;
      while (!$this->lock->acquire($validation_lock_id)) {

--- a/src/Form/EntryForm.php
+++ b/src/Form/EntryForm.php
@@ -228,7 +228,12 @@ class EntryForm extends FormBase {

    // Build a list of links for using other enabled validation methods.
    $other_validation_plugin_links = [];
+    $allowed_validation_plugins = $this->tfaSettings->get('allowed_validation_plugins');
    foreach ($user_enabled_validation_plugins as $user_enabled_validation_plugin) {
+      // Only show allowed plugins.
+      if (!array_key_exists($user_enabled_validation_plugin, $allowed_validation_plugins)) {
+        continue;
+      }
      // Do not show the current plugin.
      if ($validation_plugin == $user_enabled_validation_plugin) {
        continue;