LET’S WRITE SECURE DRUPAL CODE!

LET’S WRITE SECURE DRUPAL
CODE!
TATAR BALAZS JANOS
DRUPALCAMP KYIV
KYIV, UKRAINE – 25.05.2019
DRUPALCAMP
KYIV’19

Who am I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
DRUPALCAMP
KYIV’19

Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19

Are there site builders?
DRUPALCAMP
KYIV’19

Demo
DRUPALCAMP
KYIV’19

Gist
https://gist.github.com/tatarbj/c73e452fe208f4281af09c110a63b9bd
DRUPALCAMP
KYIV’19

Are there developers/maintainers?
DRUPALCAMP
KYIV’19

Have you attended on a previous Let’s
write secure Drupal code! session?
DRUPALCAMP
KYIV’19

DrupalCamp Antwerp 2017
DrupalCamp Ruhr 2018
DrupalDevDays 2018
Drupal Europe 2018
DrupalCamp Oslo 2018
DrupalCamp London 2019
Drupal Mountain Camp 2019
DrupalCamp Spain 2019
DrupalCamp Belarus 2019
DrupalCamp Kyiv 2019 – 10th edition!
History
DRUPALCAMP
KYIV’19 Tatar Balazs Janos - @tatarbj

Trends in Security
DRUPALCAMP
KYIV’19

Types of vulnerabilities
DRUPALCAMP
KYIV’19

Cross Site Scripting
DRUPALCAMP
KYIV’19

Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
DRUPALCAMP
KYIV’19

Html::escape() – plain text
Xss::filter() – html is allowed
Xss::filterAdmin() – text by admins
DRUPALCAMP
KYIV’19

Bingo
DRUPALCAMP
KYIV’19

Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
First who shouts BINGO! wins the price!
Rules and etiquette
DRUPALCAMP
KYIV’19

Round 1
DRUPALCAMP
KYIV’19

function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="!src" alt="@alt" />',
array('!src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}
DRUPALCAMP
KYIV’19

function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="@src" alt="@alt" />',
array('@src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}
DRUPALCAMP
KYIV’19

12
DRUPALCAMP
KYIV’19

<?php print '<a href="/' . check_url($url) . '">'; ?>
DRUPALCAMP
KYIV’19

4
DRUPALCAMP
KYIV’19

foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;
DRUPALCAMP
KYIV’19

foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;
DRUPALCAMP
KYIV’19

23
DRUPALCAMP
KYIV’19

Drupal 8 allows Full HTML to be used
by anonymous users.
?
DRUPALCAMP
KYIV’19

Drupal 8 allows Full HTML to be used
by authenticated and administrator
users.
?
DRUPALCAMP
KYIV’19

17
DRUPALCAMP
KYIV’19

User input must be always sanitized.
?
DRUPALCAMP
KYIV’19

25
DRUPALCAMP
KYIV’19

Use behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
DRUPALCAMP
KYIV’19

Access Bypass
DRUPALCAMP
KYIV’19

User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
DRUPALCAMP
KYIV’19

Round 2
DRUPALCAMP
KYIV’19

<?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid'))
->condition('type', 'article');
$result = $query->execute();
?>
DRUPALCAMP
KYIV’19

<?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article')
->addTag('node_access');
$result = $query->execute();
?>
DRUPALCAMP
KYIV’19

29
DRUPALCAMP
KYIV’19

mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404
_title: 'Page not found'
requirements:
_access: 'TRUE'
DRUPALCAMP
KYIV’19

16
DRUPALCAMP
KYIV’19

All users on Drupal sites belong to at
least 2 user role.
?
DRUPALCAMP
KYIV’19

All users on Drupal sites belong to at
least 1 user role.
?
DRUPALCAMP
KYIV’19

22
DRUPALCAMP
KYIV’19

Restricted permissions make Drupal
sites more secure by calling
restrict_permission() method.
?
DRUPALCAMP
KYIV’19

Restricted permissions make Drupal
sites more secure by raising
attention on the permission page.
?
DRUPALCAMP
KYIV’19

6
DRUPALCAMP
KYIV’19

Drupal 8 allows users to mistype
their passwords unlimited times.
?
DRUPALCAMP
KYIV’19

Drupal 8 allows users to mistype
their passwords 5 times.
?
DRUPALCAMP
KYIV’19

9
DRUPALCAMP
KYIV’19

Visit node/nid and other urls
Visit anything/%node
Use behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass
DRUPALCAMP
KYIV’19

SQL Injection
DRUPALCAMP
KYIV’19

Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
DRUPALCAMP
KYIV’19

Round 3
DRUPALCAMP
KYIV’19

<?php
$result = Drupal::database()
->delete('people')
->condition('name', '%_' . $_GET['param'], 'LIKE');
->execute();
?>
DRUPALCAMP
KYIV’19

<?php
$database = Drupal::database();
$result = $database
->delete('people')
->condition('name', $database->escapeLike($_GET['param']), 'LIKE');
->execute();
?>
DRUPALCAMP
KYIV’19

31
DRUPALCAMP
KYIV’19

A highly critical Drupal 8 core update
remediated an SQL injection
vulnerability in 2014.
?
DRUPALCAMP
KYIV’19

A highly critical Drupal 7 core update
remediated an SQL injection
vulnerability in 2014.
?
DRUPALCAMP
KYIV’19

15
DRUPALCAMP
KYIV’19

Use always drupal Database API!
db_query with :placeholder (deprecated in D8,
in D9 will be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection
DRUPALCAMP
KYIV’19

Round 4
Ready for some other code?
DRUPALCAMP
KYIV’19

<?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>
DRUPALCAMP
KYIV’19

<?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
$pass .= $allowable_characters[$index];
}
}
?>
DRUPALCAMP
KYIV’19

8
DRUPALCAMP
KYIV’19

// custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'
DRUPALCAMP
KYIV’19

// custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
restrict access: TRUE
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'
DRUPALCAMP
KYIV’19

20
DRUPALCAMP
KYIV’19

// contrib_module.routing.yml
contrib_module.settings.form:
path: '/admin/config/contrib/settings'
requirements:
_permission: 'administer site configuration'
DRUPALCAMP
KYIV’19

26
DRUPALCAMP
KYIV’19

OWASP stands for Online Web
Authentication Super Project.
?
DRUPALCAMP
KYIV’19

OWASP stands for Open Web
Application Security Project.
?
DRUPALCAMP
KYIV’19

10
DRUPALCAMP
KYIV’19

XXE stands for XML External
Entities vulnerability.
?
DRUPALCAMP
KYIV’19

32
DRUPALCAMP
KYIV’19

SQL Injection is a server side
vulnerability.
?
DRUPALCAMP
KYIV’19

13
DRUPALCAMP
KYIV’19

Cross Site Request Forgery
vulnerability is in the TOP10 of
OWASP list from 2017.
?
DRUPALCAMP
KYIV’19

Cross Site Request Forgery
vulnerability is not in the TOP10 of
OWASP list from 2017, but was in 2013.
?
DRUPALCAMP
KYIV’19

5
DRUPALCAMP
KYIV’19

In case of no winner,
extra numbers are coming!
!
DRUPALCAMP
KYIV’19

18
DRUPALCAMP
KYIV’19

27
DRUPALCAMP
KYIV’19

30
DRUPALCAMP
KYIV’19

1
DRUPALCAMP
KYIV’19

11
DRUPALCAMP
KYIV’19

33
DRUPALCAMP
KYIV’19

Security Improvements
DRUPALCAMP
KYIV’19

*https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session always in ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API
DRUPALCAMP
KYIV’19

Learn by Advisories

Security advisories are for
 Only stable modules
 No alpha, beta, dev
 d.org hosted projects
@Maintainers: If you are contacted, be supportive! 
Drupal Security Team
DRUPALCAMP
KYIV’19

Hacked!
Security review (simplytest.me)
Password policy
Encrypt
Composer Security Checker
Permission report
Drop Guard
Security Awareness programs
+ PHPCS Drupal BestPractice Sniff
Security related projects
DRUPALCAMP
KYIV’19

SecOSdays
25-26 OCTOBER, 2019 - SOFIA, BULGARIA
Call For Sessions and Sponsors are open!
DRUPALCAMP
KYIV’19

Questions?
DRUPALCAMP
KYIV’19

Tatar Balazs Janos
@tatarbj
Thank you!
DRUPALCAMP
KYIV’19

LET’S WRITE SECURE DRUPAL CODE!

Recommended

Recommended

More Related Content

More from DrupalCamp Kyiv

More from DrupalCamp Kyiv (20)

Recently uploaded

Recently uploaded (20)

LET’S WRITE SECURE DRUPAL CODE!