Drupal composer paranoia plugin

Submitted by timmillwood on Thu, 07/06/2018 - 10:04

Over the past few months one of my colleagues, Jean Ribeiro (jribeiro), has been working in conjunction with Florian Weber (webflo) from drupal-composer, on a composer plugin for added Drupal site security.

The Drupal Paranoia plugin works with two directories, web and app, although these can be renamed within you composer config to whatever works for you. The app directory is where all non-user facing code lives, this includes PHP, yaml, twig etc from core, contrib, and custom modules.The web directory then contains symlinks all user facing code, such as CSS, JS, and other files. It also contains stub PHP files for some items within the app directory.

Within the plugin the public files directory is assumed to contain only user facing files, so it is symlinked. The codebase is then scanned for what are considered asset files. These are a fixed list of file extensions, which are expected to be used for module themeing and themes themselves, such as css, js, png, gif, etc. There is also a set list of "front controller" files, these are PHP files that do need to be user facing. The list includes index.php, core/install.php, core/rebuild.php, and core/modules/statistics/statistics.php. These files are then added via a stub PHP file, which calls the require function to pull them in.

This plugin allows you to point your web server to the web directory without exposing any non-public files to users, giving an extra layer of security. There are no known specific security issues this will mitigate, however if there were any contrib or custom code with executable PHP code, this will update the codebase to make sure it's not remotely executable. For example in 2016 there was an issue found with coder module were one of the executable PHP files opened a security hole. If anything like that were to happen again, you would be protected by using the Drupal Parnoia plugin.


Thanks to Jean Ribeiro and Chad DeGoot for helping write and review this blog post.

Add new comment