drupal-composer / drupal-paranoia
Composer Plugin for improving the security of composer-based Drupal projects by moving all PHP files out of docroot.
Installs: 1 796 914
Dependents: 3
Suggesters: 0
Security: 0
Stars: 62
Watchers: 12
Forks: 7
Open Issues: 4
Type:composer-plugin
Requires
- php: >=5.4.5
- composer-plugin-api: ^1.1 || ^2
Requires (Dev)
- composer/composer: dev-master
This package is auto-updated.
Last update: 2024-10-29 04:42:12 UTC
README
Drupal Paranoia
Composer plugin for improving the website security for composer-based Drupal websites by moving all PHP files out of docroot.
Why use this Plugin?
The critical security issue with Coder is a good example to consider moving PHP files outside of docroot:
- SA-CONTRIB-2016-039 - Remote Code Execution
- https://twitter.com/drupalsecurity/status/753263548458004480
More related links:
Requirements
Except for Windows, this plugin should work on environments that have Composer support. Do you use Windows? Help us.
Installation
Make sure you have a based drupal-composer/drupal-project project created.
Rename your current docroot directory to /app
.
cd drupal-project-root
mv web app
Update the composer.json
of your root package with the following values:
"extra": { "drupal-paranoia": { "app-dir": "app", "web-dir": "web" }, "installer-paths": { "app/core": ["type:drupal-core"], "app/libraries/{$name}": ["type:drupal-library"], "app/modules/contrib/{$name}": ["type:drupal-module"], "app/profiles/contrib/{$name}": ["type:drupal-profile"], "app/themes/contrib/{$name}": ["type:drupal-theme"], "drush/contrib/{$name}": ["type:drupal-drush"] } }
Explaining:
- /app folder: Drupal full installation.
- /web folder: Will contain only symlinks of the assets files and PHP stub files (index.php, install.php, etc) from the
/app
folder.
Use composer require ...
to install this Plugin on your project.
composer require drupal-composer/drupal-paranoia:~1
Done! The plugin and the new docroot are now installed.
Asset file types
The asset files are symlinked from /app
to /web
folder.
Default asset file types are provided by the plugin:
robots.txt
.htaccess
*.css
*.eot
*.ico
*.gif
*.jpeg
*.jpg
*.js
*.map
*.otf
*.png
*.svg
*.ttf
*.woff
*.woff2
To extend the list of assets file types you can use the asset-files
config:
"extra": { "drupal-paranoia": { "app-dir": "app", "web-dir": "web", "asset-files": [ "somefile.txt", "*.md" ] }, "..." }
If you need to modify the list you can use the post-drupal-set-asset-file-types
event:
"scripts": { "post-drupal-set-asset-file-types": [ "DrupalProject\\composer\\ScriptHandler::setAssetFileTypes" ], "..." },
<?php /** * @file * Contains \DrupalProject\composer\ScriptHandler. */ namespace DrupalProject\composer; use DrupalComposer\DrupalParanoia\AssetFileTypesEvent; class ScriptHandler { public static function setAssetFileTypes(AssetFileTypesEvent $event) { $asset_file_types = $event->getAssetFileTypes(); // Do what you want with the asset file types. $event->setAssetFileTypes($asset_file_types); } }
By the purpose of this plugin, the following files types are not allowed and if listed they will be ignored:
*.inc
*.install
*.module
*.phar
*.php
*.profile
*.theme
Exclude paths
With the drupal-paranoia option excludes, you can provide paths that should not be symlinked or stubbed to /web
folder. The plugin provides no excludes by default.
"extra": { "drupal-paranoia": { "app-dir": "app", "web-dir": "web", "excludes": [ "core/install.php", "sites/simpletest" ] }, "..." }
NOTE: Consider to exclude /install.php
from your site. There are security concerns when this URL is publicly available, it can be used to create a list of contributed modules existing on the site.
You can exclude it via plugin as described above or via .htaccess
rules.
Web server docroot
Change the document root config of your web server to point to /web
folder.
Plugin events
This plugin fires the following named event during its execution process:
- drupal-paranoia-post-command-run: Occurs after the command
drupal:paranoia
is executed.
Example of event subscriber
<?php namespace MyVendor; use Composer\Composer; use Composer\EventDispatcher\EventSubscriberInterface; use Composer\IO\IOInterface; use Composer\Plugin\PluginInterface; use DrupalComposer\DrupalParanoia\PluginEvents as DrupalParanoiaPluginEvents; class MyClass implements PluginInterface, EventSubscriberInterface { protected $composer; protected $io; public function activate(Composer $composer, IOInterface $io) { $this->composer = $composer; $this->io = $io; } public static function getSubscribedEvents() { return array( DrupalParanoiaPluginEvents::POST_COMMAND_RUN => 'postDrupalParanoiaCommand', ); } public function postDrupalParanoiaCommand(CommandEvent $event) { // Add your custom action. } }
Local development
Every time you install or update a Drupal package via Composer, the /web
folder will be recreated.
composer require drupal/devel:~1.0
> drupal-paranoia: docroot folder has been rebuilt.
When working with themes, CSS and JS for example, it may be necessary to rebuild the folder manually to symlink the new assets.
composer drupal:paranoia
Public files
This plugin assumes that the public files folder exists at app/sites/<site>/files
and symlinks web/sites/<site>/files -> ../../../app/sites/<site>/files
.