public function UploadExtensions::run in Security Review 8
The actual procedure of carrying out the check.
Return value
\Drupal\security_review\CheckResult The result of running the check.
Overrides Check::run
File
- src/Checks/UploadExtensions.php, line 41
Class
- UploadExtensions
- Checks for unsafe extensions in the allowed extensions settings of fields.
Namespace
Drupal\security_review\Checks
Code
public function run() {
  // If the Field module is not enabled there is nothing to inspect;
  // report INFO rather than a pass or a fail.
  if (!$this->moduleHandler()->moduleExists('field')) {
    return $this->createResult(CheckResult::INFO);
  }
  $result = CheckResult::SUCCESS;
  $findings = [];
  // Check every field configuration entity for a 'file_extensions' setting
  // (only file-based fields carry one).
  foreach (FieldConfig::loadMultiple() as $entity) {
    /** @var FieldConfig $entity */
    $extensions = $entity->getSetting('file_extensions');
    if ($extensions != NULL) {
      // The setting is stored as a space-separated list of extensions.
      $extensions = explode(' ', $extensions);
      $intersect = array_intersect($extensions, $this->security()->unsafeExtensions());
      // $intersect holds the unsafe extensions this entity allows.
      foreach ($intersect as $unsafe_extension) {
        $findings[$entity->id()][] = $unsafe_extension;
      }
    }
  }
  // Any field that allows an unsafe extension fails the check; findings are
  // keyed by field config ID.
  if (!empty($findings)) {
    $result = CheckResult::FAIL;
  }
  return $this->createResult($result, $findings);
}
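A stand-alone version of the same check, added here as an example and not code from the security_review module, runs without Drupal over a constructed map of field config IDs to their `file_extensions` setting, so the findings structure and the pass/fail decision can be inspected directly. The `$unsafeExtensions` list, the `checkUploadExtensions()` helper and the sample field configs are assumptions for this example; the module's real list comes from `Security::unsafeExtensions()`. Unlike the original, which splits on a single space and relies on Drupal having normalised the stored value, this version normalises case and separators itself so it also behaves sensibly on hand-edited or exported config.

```php
<?php
// Added example, not the security_review module's own code.
// Constants stand in for CheckResult::SUCCESS / FAIL / INFO.
const RESULT_SUCCESS = 'success';
const RESULT_FAIL = 'fail';
const RESULT_INFO = 'info';

/**
 * Mirrors the logic of UploadExtensions::run() outside Drupal.
 *
 * @param array<string, string|null> $fieldConfigs
 *   Constructed map of field config ID => 'file_extensions' setting.
 * @param string[] $unsafeExtensions
 *   Stand-in for Security::unsafeExtensions() (hypothetical list).
 * @param bool $fieldModuleEnabled
 *   Stand-in for moduleHandler()->moduleExists('field').
 *
 * @return array{0: string, 1: array<string, string[]>}
 *   [result, findings keyed by field config ID].
 */
function checkUploadExtensions(array $fieldConfigs, array $unsafeExtensions, bool $fieldModuleEnabled = true): array {
  if (!$fieldModuleEnabled) {
    return [RESULT_INFO, []];
  }
  $findings = [];
  foreach ($fieldConfigs as $fieldId => $extensions) {
    if ($extensions === null || trim($extensions) === '') {
      // Not a file-based field, or no extension list configured.
      continue;
    }
    // Tolerate commas, repeated whitespace and mixed case (the original
    // splits on a single space only).
    $allowed = preg_split('/[\s,]+/', strtolower(trim($extensions)), -1, PREG_SPLIT_NO_EMPTY);
    // Same core test as the original: which allowed extensions are unsafe?
    $intersect = array_intersect($allowed, $unsafeExtensions);
    foreach ($intersect as $unsafe) {
      $findings[$fieldId][] = $unsafe;
    }
  }
  return [empty($findings) ? RESULT_SUCCESS : RESULT_FAIL, $findings];
}

// Constructed sample data: one safe image field, one attachment field that
// allows two unsafe extensions, and a text field with no setting at all.
$unsafeExtensions = ['php', 'phtml', 'exe', 'js', 'html'];
$fieldConfigs = [
  'node.article.field_image' => 'png gif jpg jpeg',
  'node.page.field_attachment' => 'pdf, txt PHP exe',
  'node.page.body' => null,
];

[$result, $findings] = checkUploadExtensions($fieldConfigs, $unsafeExtensions);
echo "Result: {$result}\n";
foreach ($findings as $fieldId => $unsafe) {
  echo "  {$fieldId} allows: " . implode(', ', $unsafe) . "\n";
}
```

Run it with `php upload_extensions_check.php`; the attachment field is reported with its unsafe extensions and the overall result is `fail`, while the image field and the text field produce no findings. Keying findings by field config ID, as the original does, is what lets a reviewer go straight to the field settings form that needs tightening.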