
public function SecKitSettingsForm::validateForm in Security Kit 8

Same name and namespace in other branches
  1. 2.x src/Form/SecKitSettingsForm.php \Drupal\seckit\Form\SecKitSettingsForm::validateForm()

Form validation handler.

Parameters

array $form: An associative array containing the structure of the form.

\Drupal\Core\Form\FormStateInterface $form_state: The current state of the form.

Overrides FormBase::validateForm

File

src/Form/SecKitSettingsForm.php, line 734

Class

SecKitSettingsForm
Implements a form to collect security check configuration.

Namespace

Drupal\seckit\Form

Code

/**
 * Form validation handler.
 *
 * Rejects combinations where a protection is switched on without the value it
 * depends on (From-Origin destination, X-Frame-Options ALLOW-FROM origin, HSTS
 * max-age, noscript message), and checks that the CSP report-uri looks like
 * either a valid absolute URI or a valid internal path.
 *
 * @param array $form
 *   An associative array containing the structure of the form.
 * @param \Drupal\Core\Form\FormStateInterface $form_state
 *   The current state of the form.
 */
public function validateForm(array &$form, FormStateInterface $form_state) {
  // From-Origin: an enabled header needs an explicit destination.
  $origin_on = $form_state->getValue(['seckit_various', 'from_origin']);
  $origin_target = $form_state->getValue(['seckit_various', 'from_origin_destination']);
  if ($origin_on && !$origin_target) {
    $form_state->setErrorByName(
      'seckit_various][from_origin_destination',
      $this->t('You have to set up trustworthy destination for From-Origin HTTP response header. Default is same.')
    );
  }

  // X-Frame-Options: ALLOW-FROM is meaningless without at least one origin.
  // The origin list is only read when ALLOW-FROM is the selected mode.
  $frame_mode = $form_state->getValue(['seckit_clickjacking', 'x_frame']);
  if (
    $frame_mode == SeckitInterface::X_FRAME_ALLOW_FROM
    && !$this->seckitExplodeValue($form_state->getValue(['seckit_clickjacking', 'x_frame_allow_from']))
  ) {
    $form_state->setErrorByName(
      'seckit_clickjacking][x_frame_allow_from',
      $this->t('You must specify a trusted Origin for the ALLOW-FROM value of the X-Frame-Options HTTP response header.')
    );
  }

  // HSTS: max-age is mandatory once the header is enabled. The emptiness test
  // is a plain truthiness check, so a submitted "0" counts as missing.
  $hsts_on = $form_state->getValue(['seckit_ssl', 'hsts']);
  $max_age = $form_state->getValue(['seckit_ssl', 'hsts_max_age']);
  if ($hsts_on && !$max_age) {
    $form_state->setErrorByName(
      'seckit_ssl][hsts_max_age',
      $this->t('You have to set up Max-Age value for HTTP Strict Transport Security. Default is 1000.')
    );
  }
  // The digits-only rule is applied whether or not HSTS is enabled, so a
  // non-numeric max-age is rejected even while the header is switched off.
  if (preg_match('/[^0-9]/', $max_age)) {
    $form_state->setErrorByName(
      'seckit_ssl][hsts_max_age',
      $this->t('Only digits are allowed in HTTP Strict Transport Security Max-Age field.')
    );
  }

  // JS + CSS + Noscript clickjacking protection: the text shown to visitors
  // with JavaScript disabled must not be empty.
  $noscript_on = $form_state->getValue(['seckit_clickjacking', 'js_css_noscript']);
  $noscript_text = $form_state->getValue(['seckit_clickjacking', 'noscript_message']);
  if ($noscript_on && !$noscript_text) {
    $form_state->setErrorByName(
      'seckit_clickjacking][noscript_message',
      $this->t('You have to set up Custom text for disabled JavaScript message when JS + CSS + Noscript protection is enabled.')
    );
  }

  // CSP report-uri: validated as an absolute URI when it looks external,
  // otherwise as an internal path.
  $report_uri = $form_state->getValue(['seckit_xss', 'csp', 'report-uri']);
  if (UrlHelper::isExternal($report_uri)) {
    // Scheme-relative values ('//host/path') get a throwaway scheme so that
    // they can be run through UrlHelper::isValid(); the prefixed copy is used
    // for this check only.
    $candidate = strpos($report_uri, '//') === 0 ? 'https:' . $report_uri : $report_uri;
    // NOTE(review): isValid() is called here without its optional second
    // ($absolute) argument. Confirm that the default mode is strict enough for
    // an endpoint that will receive violation reports from every visitor's
    // browser.
    if (!UrlHelper::isValid($candidate)) {
      $form_state->setErrorByName(
        'seckit_xss][csp][report-uri',
        $this->t('The CSP report-uri seems absolute but does not seem to be a valid URI.')
      );
    }
  }
  elseif (!$this->pathValidator->getUrlIfValidWithoutAccessCheck($report_uri)) {
    // The path validator is asked only whether the path resolves; per the
    // method name, access to it is not checked here.
    $form_state->setErrorByName(
      'seckit_xss][csp][report-uri',
      $this->t('The CSP report-uri seems relative but does not seem to be a valid path.')
    );
  }
}