
GSoC 2015 - Security Review D8 - Week 8: Request for review

I'm working on porting Security Review to Drupal 8 as my Google Summer of Code project this year. Eight weeks have passed since the beginning of the coding period, and the port is ready to be reviewed. In the remaining four weeks I'm going to address issues found by reviewers, possibly add more functionality, and work through issues filed against the old version of the module, prioritizing those that are already solved in the D8 port.

What is Security Review?

Security Review automates checking many of the configuration errors that lead to an insecure Drupal site and looks for existing vulnerabilities and attack attempts. The primary goal of the module is to elevate your awareness of the importance of securing your Drupal site. 

How can you help?

If you would like to help, you could review the ported module and post your findings in this issue. It helps if you have used Security Review before.

The 8.x-1.x branch of the code can be downloaded from here. For installation instructions check README.txt.

Alternatively you can use simplytest.me and you won't even have to leave your browser. Start typing "Security Review" in the first input box, choose the 8.x-1.x branch and start the sandbox. After going through the Drupal installation, enable the module on /admin/modules (Extend) and you are ready to start testing. Note: the module also has a Drush command, which can't be tested this way.

Developer blog for Week 8

This is mainly a developer blog post, so let's walk through what I've worked on this week.

Added status icons

I've added some icons to the first column of the table on Run & review, and that instantly made it look a lot better. Below are the results.

The icons are loaded from /core/misc/icons, which has some weirdly named subdirectories inside it; I'm sure there's an explanation for that, but I haven't looked into it.

Added progress bar (Batch)

I've implemented the Batch API in the hope that it would let the user know which check runs slowly on their system. Sadly the progress bar doesn't provide that information, as it can't update itself at the right times. It does let the user know that something is happening, though, and it might prevent a few timeouts, so implementing it was still useful.
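As an added illustration of the approach described above (this is example code written for this page, not the Security Review module's own implementation), the following runs each check as its own Batch API operation and records how long it took. The progress bar cannot show per-check timing, but `$context['results']` survives across operations and reaches the `finished` callback, so the slowest check can still be reported there. The two checks are constructed for the example: one reads the real Drupal 8 `system.logging` config key `error_level`, the other inspects the permission bits of `sites/default/settings.php`. The function names prefixed `example_` are assumptions; `\Drupal::messenger()` assumes Drupal 8.5 or later.

```php
<?php

/**
 * @file
 * Added example: running security checks through the Batch API and timing
 * each one. Illustrative code, not the Security Review module's own.
 */

use Drupal\Core\Url;

/**
 * Example check: error display should be off on a production site.
 *
 * Reads the Drupal 8 config key system.logging:error_level.
 */
function example_check_error_reporting() {
  $level = \Drupal::config('system.logging')->get('error_level');
  return [
    'passed' => $level === 'hide',
    'findings' => $level === 'hide' ? [] : ["error_level is '$level'"],
  ];
}

/**
 * Example check: settings.php must not be world-writable.
 */
function example_check_settings_writable() {
  $path = DRUPAL_ROOT . '/sites/default/settings.php';
  $world_writable = file_exists($path) && (fileperms($path) & 0002);
  return [
    'passed' => !$world_writable,
    'findings' => $world_writable ? [$path] : [],
  ];
}

/**
 * Batch operation: run one check (by function name) and record its timing.
 *
 * Function names rather than objects are passed as operation arguments
 * because the Batch API serializes them into the batch table.
 */
function example_security_review_batch_op($check_function, array &$context) {
  $start = microtime(TRUE);
  $result = $check_function();
  $elapsed = microtime(TRUE) - $start;

  // $context['results'] persists across operations and reaches the
  // 'finished' callback; the progress bar itself never shows timing.
  $context['results'][$check_function] = $result + ['seconds' => $elapsed];
  $context['message'] = t('Ran @check', ['@check' => $check_function]);
  // Each check completes in a single pass.
  $context['finished'] = 1;
}

/**
 * Finished callback: report failed checks and name the slowest one.
 */
function example_security_review_batch_finished($success, array $results, array $operations) {
  $messenger = \Drupal::messenger();
  if (!$success) {
    $messenger->addError(t('A check failed to run; see the log.'));
    return;
  }
  $slowest = NULL;
  foreach ($results as $name => $result) {
    if ($slowest === NULL || $result['seconds'] > $results[$slowest]['seconds']) {
      $slowest = $name;
    }
    if (!$result['passed']) {
      $messenger->addWarning(t('@check failed: @findings', [
        '@check' => $name,
        '@findings' => implode(', ', $result['findings']),
      ]));
    }
  }
  if ($slowest !== NULL) {
    $messenger->addStatus(t('Slowest check: @check (@seconds s)', [
      '@check' => $slowest,
      '@seconds' => round($results[$slowest]['seconds'], 2),
    ]));
  }
}

/**
 * Builds the batch with one operation per check, then starts it.
 */
function example_security_review_run_batch() {
  $checks = ['example_check_error_reporting', 'example_check_settings_writable'];
  $operations = [];
  foreach ($checks as $check) {
    $operations[] = ['example_security_review_batch_op', [$check]];
  }
  batch_set([
    'title' => t('Running security checks'),
    'operations' => $operations,
    'finished' => 'example_security_review_batch_finished',
    'progress_message' => t('Completed @current of @total checks.'),
  ]);
  // Redirect to the front page once the batch completes.
  return batch_process(Url::fromRoute('<front>'));
}
```

Because each check is a separate operation, a single slow check can no longer push the whole run past the PHP execution time limit, which is the timeout benefit mentioned above; the per-check timing in the finished message is what the progress bar alone cannot provide.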

Wrote tests

I've added a test module that defines two security checks. Both checks fill the findings array with some random integers and strings; the difference is that one stores its findings in the State system and the other does not. This makes some tests more controlled (they don't depend on the real security checks), and it also serves as an example implementation of a module that defines security checks.

Fixed code style issues

I've run pareview.sh against the project to find code style issues. I was stunned by the number of errors it listed, but I've successfully addressed all of them (except false positives). This is the commit that fixed all of them.
