Problem/Motivation

Did you know that in any uuid field, you can put something which isn't a UUID? It's true! There's no validation that UUID fields actually contain UUIDs.

Although this is sometimes useful for testing, it's...bizarre. And it kinda breaks the whole point of having a UUID in the first place; if it can be anything, then where's the guarantee (or, as the case may be, extremely strong likelihood) that it's unique?

Proposed resolution

Add the Uuid constraint to UuidItem's value property.

Issue fork drupal-3559874

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

phenaproxima created an issue. See original summary.

wim leers’s picture

Note that in config schema, it does:

# A UUID.
uuid:
  type: string
  label: 'UUID'
  constraints:
    Uuid: {}

👆 That was coincidentally also the only config schema type using validation. but nothing was calling it ($config_entity->getTypedData()->validate() , so that mattered … not at all)

Ironic that it's still an issue outside of config!

wim leers’s picture

phenaproxima’s picture

Issue summary: View changes
phenaproxima’s picture

Status: Active » Needs review

Nice and clean. Let's get it in!

phenaproxima’s picture

Issue tags: +Ported from Drupal Canvas

Tagging this as something that was ported from Drupal Canvas to fix a core bug, which is unfortunately a very common thing in Canvas. This will help later identify bugs that were fixed in core that would allow Canvas to remove its overrides and shims.

lendude’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs change record

Change looks good and makes sense.

As discussed on slack with phenaproxima, any current entities that abuse this non-validating behavior (first thing I could think of was somebody mis-using it to store an external ID when importing content from outside Drupal) will now be broken and, depending on submit flow, might be unable to be updated. So maybe not something we want to do in a patch release and should probably have a change record.

phenaproxima’s picture

longwave’s picture

I assume the 128 comes from

class UuidItem extends StringItem {

  /**
   * {@inheritdoc}
   */
  public static function defaultStorageSettings() {
    return [
      'max_length' => 128,

While that seems like it would be hard to change now, is it worth adding a more correct Length constraint while we are here?

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

catch’s picture

Status: Reviewed & tested by the community » Needs review

Moving back to needs review for #10.

angel_devoeted’s picture

Thanks for pointing this out.

The max_length = 128 on UuidItem is a historical storage setting rather than an intended UUID length. With the Uuid constraint in place, format (and effective length) is already validated.

Would adjusting the length or storage behavior be considered a broader, potentially BC-impacting change?

dcam’s picture

Status: Needs review » Reviewed & tested by the community

Would adjusting the length or storage behavior be considered a broader, potentially BC-impacting change?

I think so. We'd have to deal with potential issues of data loss. It seems like this would seriously complicate what's currently a fairly simple issue that's impacting a high-profile Drupal CMS module. Maybe we should commit this as-is. Just my $0.02.

idebr’s picture

General question:
I see some FieldType constraints added in the definition, for example "timestamp": https://git.drupalcode.org/project/drupal/-/blob/main/core/lib/Drupal/Co...
and others in getConstraints(), for example "email": https://git.drupalcode.org/project/drupal/-/blob/main/core/lib/Drupal/Co...

and then there is this implementation for Uuid in propertyDefinitions

Is there any preference of implementing one over the other? I would expect this simple constraint to be added in the #[FieldType] definition itself

longwave’s picture

Status: Reviewed & tested by the community » Needs work

Let's add it in the FieldType definition, seems cleanest that way. The Email one is done so we can add the label to the error message.

idebr’s picture

Status: Needs work » Needs review

The Uuid constraint is now applied in the FieldType definition

needs-review-queue-bot’s picture

Status: Needs review » Needs work
StatusFileSize
new667 bytes

The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

idebr’s picture

Status: Needs work » Needs review

Running PHPStan on changed files.

PHPStan: failed

----------------------------------------------------------------------------------------------------

PHPCS: failed

----------------------------------------------------------------------------------------------------

Not sure how these checks are generated, but the MR pipeline does not report any failed checks

dcam’s picture

Status: Needs review » Reviewed & tested by the community

The constraint has been added to the field type definition as requested. The change looks good to me.

  • godotislate committed 54879508 on main
    fix: #3559874 The UUID data type should validate that its value is an...

  • godotislate committed 21d984cc on 11.x
    fix: #3559874 The UUID data type should validate that its value is an...
godotislate’s picture

Version: main » 11.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 5487950 to main. and 21d984c to 11.x. Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

quietone’s picture

Correct the branch in the change record.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

quietone’s picture

Issue tags: -Ported from Drupal Canvas

The tag is only used once so removing per Issue tags field and Issue tags -- special tags and for issue #3565085: Drupal core issue tag cleanup.