Let's write secure Drupal code!
•Download as PPTX, PDF•
0 likes•442 views
This document discusses secure coding practices for Drupal. It begins with an introduction of the presenter and covers topics like cross-site scripting, sanitization, access control, SQL injection, and CSRF. Code snippets are provided and attendees are asked to evaluate if they are secure. Recommendations are given around using Drupal APIs, filtering input, and reviewing security advisories. The importance of code reviews, testing, and learning from past issues is stressed.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Let's write secure Drupal code!
Similar to Let's write secure Drupal code! (20)
More from Balázs Tatár
More from Balázs Tatár (16)
Recently uploaded
Recently uploaded (20)
Let's write secure Drupal code!
- 1. Let's write secure Drupal code! Tatar Balazs Janos 18/03/2018 – DrupalCamp Ruhr
- 2. Who am I? Tatar Balazs Janos Hungarian, lives in Brussels Works with Drupal since 2007 Provisional Member of Drupal Security Team Technical PM and former QA Lead @ EC-DIGIT
- 4. Let's start with a demo
- 5. Developers?
- 6. Maintainers?
- 7. Issue types - Web
- 8. Issue types - Drupal
- 9. Trends in Security Advisories
- 10. Trends in Security Advisories
- 12. Handle text in a secure fashion Drupal 7 way
- 13. Examples
- 14. Test!
- 15. Raise your green card if snippet is secure! Raise your red card if code has issues!
- 16. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 17. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 18. <?php print l(check_plain($title), 'node/' . $nid); ?>
- 19. <?php print l(check_plain($title), 'node/' . $nid); ?>
- 20. <?php print l($title), 'node/' . $nid); ?>
- 21. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 22. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 23. <?php print '<a href="/' . check_url($url) . '">'; ?>
- 24. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 25. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 26. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 28. Twig in drupal8 No SQL queries No access to drupal APIs Automatic escaping
- 29. Sanitization in drupal8 Html::escape() – plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins @variable – string or MarkupInterface object %variable – wrapped in <em> :variable – url for href
- 30. Testing XSS <script>alert('xss')</script> <img src="a" onerror="alert('title')" > Catches 90%
- 31. Access Bypass User can access/do something hook_menu() Node access system Entity access Field access Views access control
- 32. Test again
- 33. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 34. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 35. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 36. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 37. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?>
- 38. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404 _title: 'Page not found' requirements: _access: 'TRUE'
- 39. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE'
- 41. Testing access bypass Visit node/nid and other urls Visit anything/%node Use behat/automated tests
- 42. Fixing access bypass node_access entity_access Menu definitions user_access for permissions $query->addTag('node_access') Write automated tests
- 43. SQL Injection Executing SQL of the attacker Change/gain information
- 44. Just a small test
- 45. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 46. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 47. <?php $results = db_query("SELECT uid, name, míail FROM {users} WHERE name LIKE :user_search", array(':term' => '%' . db_like($user_search))); ?>
- 49. Testing SQL Injection Check the queries in code coder.module username' AND 1=1 POST requests by curl
- 50. Fixing SQL Injection Use always drupal Database API db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters db_like()
- 51. Cross Site Request Forgery Path-based vulnerability Missing valid token <img>
- 52. Fixing CSRF Use Form API Send and validate token properly In D8 use the built-in csrf_token
- 53. Security improvements in Drupal 8 Twig No PHP filter in core Local image filter WYSIWYG in core (advanced filtering) Built-in CSRF token mechanism
- 54. Learn by advisories Report issues on security.drupal.org Security advisories are for • Only stable modules • No alpha, beta, dev • d.org hosted modules @Maintainers: If you are contacted, be supportive!
- 55. An example
- 57. Project applications on drupal.org New contributors Release management – stable Power of the community Automated (pareview.sh) and manual code review
- 58. Security related contrib modules Hacked! Security review (simplytest.me) Paranoia Password policy Encrypt Drop Guard Guardian Composer Security Checker Permission report Text format reported And so on... + PHPCS Drupal BestPractice Sniff
- 59. Thank you! Tatar Balazs Janos @tatarbj https://www.drupal.org/u/tatarbj https://twitter.com/tatarbj Drupal slack: @tatarbj
Editor's Notes
- Wrong settings of text filters
- Owasp = Open Web Application Security Project
- Placeholders: At - @ Percent - % Colon - :