Closed (won't fix)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Major
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
11 Feb 2016 at 18:30 UTC
Updated:
19 May 2018 at 17:01 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
PA robot commentedThere are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxE-MAILiT2667034git
Fixed the git clone URL in the issue summary for non-maintainer users.
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #3
dave bagler commentedLooked through the code here's my thoughts:
Please add a
README.txtorREADME.mdfile.The optional files property of the info file is for autoloading class and interface declarations. The three referenced files (
emailit.admin.inc,emailit.installandemailit.module) don't include class or interface declarations so I recommend removing thefiles[]lines from the info file.The install hook is empty so I recommend removing it.
You set a lot of variables with the administration form. Each of the set variables should be deleted in your module's uninstall hook.
Comment #4
weshare commentedThank you very much for the suggestions.
We've made all the changes.
Please review the project.
Thank you in advance.
Comment #5
arkener commentedAUTOMATED REVIEW:
Please take a look at the automated review as the bot has stated: http://pareview.sh/pareview/httpgitdrupalorgsandboxe-mailit2667034git
MANUAL REVIEW:
emailit.admin.inc
Lines 12-16
Use #attached instead of drupal_add_js and drupal_add_css
emailit.module
Line 46: Replace the magic number 1 by NODE_PUBLISHED
Line 111-208: This entire function is full of XSS exploits, you should sanitize each open variable get that is loaded from an open input field, for example: Add the following code to the TWEET VIA (your Twitter username) (emailit_TwitterID) field:
'}; alert('XSS'); var e_mailit_config = {display_counter:false,TwitterID:'testLine 243: This is also XSS issue, for example: Add the following code to the Services [ Service Codes ] emailit_default_buttons field:
Facebook,Twitter,Pinterest,LinkedIn,"><script>alert('Test');</script><span class="For more information about sanitizing, please read https://www.drupal.org/node/28984.
Please don't remove the security tag, we keep that for statistics and to show examples of security problems.
Comment #6
weshare commentedWe've made the required fixes.
Please review the project.
Thank you in advance.
Comment #7
weshare commentedPlease review the project so we can promote it to full.
Thanks in advance.
Comment #8
weshare commentedWe have fixed all errors reported by automated review tools.
Please review the project.
Comment #9
sourabhutani commentedAutomated Review
There is some coding standard errors to fix : http://pareview.sh/pareview/httpgitdrupalorgsandboxe-mailit2667034git
Individual user account
Yes
Duplication
No
Master Branch
Yes. Branch 7.x-1.x
Licensing
Yes. Follow
3rd party assets/code
Yes follow. Do not contains any 3dr party.
README.txt/README.md
Yes
Code long/complex enough for review
Yes. Well documented. Extending views sort, fields and argument.
Secure code
None security issue found. Looks good.
Coding style & Drupal API usage
After a manuel Review, everything seems to be ok. Perhaps, just some recommandations :
-Mixed case function formatting used in emailit.admin.js. Use lower case and _ [style_camel_case]
Module works fine, without errors.
Comment #10
weshare commentedAutomated Review
All coding standard erros appear in minified javascript files like jquery.min.js
Coding style & Drupal API usage
Mixed case function formatting used in emailit.admin.js is now fixed.
Please review the project so we can promote it to full.
Comment #11
klausiThe Libraries API module is a recommended method for adding 3rd party dependencies without directly including the code on Drupal.org.
Did you mean to depend on jquery_update module or why is jquery included?
Comment #12
weshare commentedDrupal 7 already includes an older version of jquery but our module needs a newer one to work properly.
In https://www.drupal.org/node/1058168 describes how we can add a newer version of jquery.
In the code we have added jQuery.noConflict() method to prevent any possible jquery conflict.
Comment #13
weshare commentedWe' ve removed jQuery 3rd party libraries.
Please review the project.
Comment #14
weshare commentedPlease review the project so we can promote it to full.
Comment #15
weshare commentedWe' ve made all the requested modifications.
Please review the project.
Comment #16
ziomizar commentedHi E-MAILiT,
In order to speed up the review process, you could be interested in read how to get the review bonus.
Please read https://www.drupal.org/node/1975228.
Be patient, someone will review your code.
Comment #17
weshare commentedManual reviews of other projects
Queued for review by site administrators. Will be published after approval.
Comment #18
weshare commentedIt is almost 5 months since we firstly requested a review!
Please review the project so we can promote it to full.
Comment #19
weshare commentedComment #20
weshare commentedComment #21
arun ak commentedIt seems like you are using minified version of js(emailit.admin.js) in your module. Please provide normal js file, it would be easy go through your script.
Comment #22
weshare commentedThanks for the comment,
emailit.admin.js is now provided in normal format.
Comment #23
3ssom commentedHello E-MAILiT,
Reviewers here have done great work ,, and you followed that so I'll complete from where they stopped!
Automated Review
you still have some errors ..
https://git.drupal.org/sandbox/E-MAILiT/2667034.git
Manual Review
but there is warning msg you should see:
Git errors:
The last commit message is just one word, you should provide a meaningful short summary what you changed. See https://www.drupal.org/node/52287
function hook_uninstall() {
Thank you
Comment #24
weshare commentedHi 3ssom,
thanks for the review.
All issues have been addressed,
Please review the project.
Comment #25
3ssom commentedHello E-MAILiT,
I can confirm all the points were covered and fixed!
FYI: you could have just use check_plain() instead of filter_xss() in your file .module line.. I don't see any allowed HTML tags needed here!
I think this is a RTBC!
Comment #26
klausiComment #27
klausiReview of the 7.x-1.x branch (commit 5e3b0b0):
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
manual review:
There is a security vulnerability in this module and as part of our git admin training I'm assigning this to visabhishek so that he can take a look. If he does not find anything within a week I'm going to post the vulnerability details.
Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #28
visabhishek commentedComment #29
visabhishek commented@klausi : Thanks for this assignment
I have manually reviewed the code and my findings are :
use chack_plain instead of strip_tags in emailit_create_buttons()
Ex :
Use check_url() for $shared_url variable for
$output_value = "<div class=\"e-mailit_toolbox $style \" $shared_url $shared_title>" . PHP_EOL;Also use proper concatination
AND
All user facing text should pass through t() function.
See : $node->title in
function emailit_create_node_buttons($node)I am getting JS error also, Please see the attachement.
Comment #30
klausi@visabhishek: good find, but how would you exploit the code with a malicious node title?
Here is what I came up with:
a' onmouseover='alert(0)This will only show a nasty javascript popup, but you can come up with more creative ideas to do harm on a site. One more attack idea:
a' onmouseover='window.location="http://example.com". Wow, this will redirect you away from the site, perfect for phishing!When we think about XSS it is important to understand the context in which the user provided string is printed to HTML. In this case the node title is inserted into an HTML attribute. We need to be very careful about that, because strip_tags() will not help us here. We need to make sure that an attacker cannot use quotes to break out of the attribute value for example.
So the solution in this case is to use check_plain(), which will take care of the quotes for you. That way an attacker cannot break out of the context of one HTML attribute and create a completely new one.
Comment #31
visabhishek commented@klausi : Thanks a lot for the valuable suggestion. I will definelty keep in mind the points that you have mentioned during my next security review.
Comment #32
PA robot commentedClosing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #33
weshare commentedAll known problems are fixed.
Please review the project.
Comment #34
sandip27 commentedHello @E-MAILiT
I just did the automated review of project. You can check the output at pareview Review.
and many more...
Please fix those issue and re-submit for review.
Thanks
Comment #35
PA robot commentedClosing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #36
weshare commentedI've made as many fixes as I could about issues presented in automated review.
There are only minor formatting issues in emailit.admin.js
If there is any automated way to fix them please inform me.
I use netbeans IDE to auto-format the javascript file.
It is almost 1 year I am trying to promote this project to full.
I do not think that formatting is such a big deal to prevent this project from being promoted.
The most of the full projects published do not meet even 50% of the requirements.
Thanks in advance.
Comment #37
warped commentedThank you for your contribution!
After 2017 March 7 everyone can promote a project to a full project. A full project has a short project name and a drupal.org/project URL. It can also have releases (like alpha1 or 1.0). Edit your sandbox project, and then choose the 'Promote' tab.
https://www.drupal.org/docs/8/understanding-drupal-version-numbers/drupa...
https://www.drupal.org/docs/8/choosing-a-drupal-version/what-do-version-...
https://www.drupal.org/docs/8/understanding-drupal-version-numbers/what-...
https://www.drupal.org/docs/8/choosing-a-drupal-version/release-stable-v...
If you'd like to opt into security coverage, please ensure your module is ready for a full release, and then set this issue back to 'needs review'
Immense apologies for how long it took to get to this review completed.
Comment #38
avpadernoI am closing this application for the lack for replies. I take the OP just needed to be able to promote the project.