1. LDAP filter hardening and safer LDAP connection handling in custom…#24

Open
bertrama wants to merge 1 commit into
mainfrom
copilot-audit
Open

1. LDAP filter hardening and safer LDAP connection handling in custom…#24
bertrama wants to merge 1 commit into
mainfrom
copilot-audit

Conversation

@bertrama

Member

What Copilot fixed

  1. LDAP filter hardening and safer LDAP connection handling in custom_blogs.module:110, custom_blogs.module:127, custom_blogs.module:136.
  2. Safer username normalization from email (avoids brittle split/index access) in custom_blogs.module:79.
  3. Removed render-time content mutation risk by stopping delete behavior in render hook and introducing explicit empty-check helper in custom_blogs.module:217, custom_blogs.module:249.
  4. Escaped dynamic exposed form strings and links to mitigate XSS vectors in custom_blogs.module:413, custom_blogs.module:414, custom_blogs.module:478.
  5. Fixed path logic edge case by replacing loose strpos checks with strict comparison in custom_blogs.module:443.
  6. Removed HTML emphasis injection in view titles in custom_blogs.module:665, custom_blogs.module:675.
  7. Enforced OpenID deny-by-default for non-authorized users and cleaned userinfo normalization in custom_openid.module:12, custom_openid.module:48, custom_openid.module:67.
  8. Added OG membership null guards and safer defaults to prevent runtime notices/fatals in custom_blogs_og.module:34, custom_blogs_og.module:66, custom_blogs_og.module:480, custom_blogs_og.module:537.
  9. Hardened outbound mail alter flow with entity guards, email validation, deduped BCC, and safer header setup in custom_uml_blogs_mail.module:31, custom_uml_blogs_mail.module:40, custom_uml_blogs_mail.module:50.
  10. Removed unsafe raw Twig filter usage in aria-label context in colorbox-formatter.html.twig:17.
  11. Hardened docker settings by gating error display behind explicit dev mode and safer hash salt fallback in docker.settings.php:773, docker.settings.php:786.
  12. Replaced hardcoded compose secrets with environment-driven values in docker-compose.yml:10, docker-compose.yml:28.
  13. Removed duplicate composer repository key for Drupal in composer.json:6, composer.json:45.

  • PHP syntax lint passed for all edited PHP/module files and docker settings.
  • Editor diagnostics report no errors in all edited files.
  • Git changes are limited to the intended eight files.
  • Global dependency policy still uses dev stability in composer.json:225. I left this untouched because tightening it can impact dependency resolution and lockfile behavior across the project.
  • Some HTML message construction remains in lower-priority paths like custom_drush.module:8 and custom_blogs_og.module:512. These were not part of the highest-severity set but can be hardened next.

If you want, I can do a second pass to harden the remaining Markup-based message paths.

I can also propose a safe plan to reduce composer dev-stability risk without breaking current installs.
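The following PHP is an added example, not code from the custom_blogs module or from this PR. It shows three of the patterns the description names for custom_blogs.module: escaping a user-supplied value before it is placed in an LDAP search filter (item 1), deriving a username from an email address without brittle split/index access (item 2), and replacing a loose strpos() check with a strict comparison (item 5). All function names are illustrative, the `/blogs` path prefix is an assumed value, and `ldap_escape()` requires PHP's ldap extension.

```php
<?php
// Added example; not the module's own code. Function names and the
// '/blogs' prefix are assumptions for illustration.

/**
 * Build an LDAP search filter with the user-controlled value escaped.
 *
 * ldap_escape() with LDAP_ESCAPE_FILTER encodes the characters that
 * carry meaning in an RFC 4515 filter: '*', '(', ')', '\' and NUL.
 * Without it, an input such as "alice)(uid=*" would change the filter
 * structure instead of being treated as a literal uid value.
 */
function example_build_uid_filter(string $uid): string {
  $safe = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
  return '(uid=' . $safe . ')';
}

/**
 * Derive the local part of an email address as a username.
 *
 * Validates first and returns NULL on failure, instead of doing
 * explode('@', $email)[0] and trusting that the index exists.
 */
function example_username_from_email(string $email): ?string {
  $email = trim($email);
  if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    return NULL;
  }
  $at = strrpos($email, '@');
  if ($at === false || $at === 0) {
    return NULL;
  }
  return strtolower(substr($email, 0, $at));
}

/**
 * Strict path match for an assumed '/blogs' section.
 *
 * A loose check like strpos($path, '/blogs') !== false would also
 * accept '/foo/blogs-archive'. Here the path must be exactly '/blogs'
 * or begin with the '/blogs/' segment.
 */
function example_is_blog_path(string $path): bool {
  $path = '/' . ltrim($path, '/');
  return $path === '/blogs' || strncmp($path, '/blogs/', 7) === 0;
}

// Constructed sample inputs for a stand-alone run (php example.php).
foreach (['alice', 'alice)(uid=*'] as $uid) {
  echo example_build_uid_filter($uid), PHP_EOL;
}

foreach (['Alice.Smith@example.edu', 'not-an-email', '@example.edu'] as $email) {
  var_dump(example_username_from_email($email));
}

foreach (['/blogs', '/blogs/entry-1', '/foo/blogs', '/blogs-archive'] as $path) {
  var_dump(example_is_blog_path($path));
}
```

The escaped filter keeps the injected parentheses and wildcard as literal characters in the uid value, and the two guard functions return NULL or false for the malformed inputs rather than emitting notices or matching unintended paths.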

@bertrama bertrama requested a review from vagabundeo June 22, 2026 16:43