Download to read offline
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeessen1-180319153201/85/Let-s-write-secure-Drupal-code-24-320.jpg)
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeessen1-180319153201/85/Let-s-write-secure-Drupal-code-25-320.jpg)
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeessen1-180319153201/85/Let-s-write-secure-Drupal-code-26-320.jpg)
![<?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>](https://image.slidesharecdn.com/letswritesecuredrupalcodeessen1-180319153201/85/Let-s-write-secure-Drupal-code-33-320.jpg)
![<?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>](https://image.slidesharecdn.com/letswritesecuredrupalcodeessen1-180319153201/85/Let-s-write-secure-Drupal-code-34-320.jpg)
Uploaded byBalázs Tatár
Let's write secure Drupal code!
This document discusses secure coding practices for Drupal. It begins with an introduction of the presenter and covers topics like cross-site scripting, sanitization, access control, SQL injection, and CSRF. Code snippets are provided and attendees are asked to evaluate if they are secure. Recommendations are given around using Drupal APIs, filtering input, and reviewing security advisories. The importance of code reviews, testing, and learning from past issues is stressed.
More Related Content
Similar to Let's write secure Drupal code!
Let's write secure Drupal code!
- 1. Let's write secureDrupal code! Tatar Balazs Janos 18/03/2018 – DrupalCamp Ruhr
- 2. Who am I? TatarBalazs Janos Hungarian, lives in Brussels Works with Drupal since 2007 Provisional Member of Drupal Security Team Technical PM and former QA Lead @ EC-DIGIT
- 3.
- 4. Let's start witha demo
- 5.
- 6.
- 7.
- 8. Issue types -Drupal
- 9. Trends in SecurityAdvisories
- 10. Trends in SecurityAdvisories
- 11.
- 12. Handle text ina secure fashion Drupal 7 way
- 13.
- 14.
- 15. Raise your greencard if snippet is secure! Raise your red card if code has issues!
- 16. <?php print '<tr><td>'. check_plain($title) . '</td></tr>'; ?>
- 17. <?php print '<tr><td>'. check_plain($title) . '</td></tr>'; ?>
- 18. <?php print l(check_plain($title),'node/' . $nid); ?>
- 19. <?php print l(check_plain($title),'node/' . $nid); ?>
- 20. <?php print l($title),'node/' . $nid); ?>
- 21. <?php print '<ahref="/' . check_plain($url) . '">'; ?>
- 22. <?php print '<ahref="/' . check_plain($url) . '">'; ?>
- 23. <?php print '<ahref="/' . check_url($url) . '">'; ?>
- 24. foreach ($items as$delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 25. foreach ($items as$delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 26. foreach ($items as$delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 28. Twig in drupal8 NoSQL queries No access to drupal APIs Automatic escaping
- 29. Sanitization in drupal8 Html::escape()– plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins @variable – string or MarkupInterface object %variable – wrapped in <em> :variable – url for href
- 30. Testing XSS <script>alert('xss')</script> <img src="a"onerror="alert('title')" > Catches 90%
- 31. Access Bypass User canaccess/do something hook_menu() Node access system Entity access Field access Views access control
- 32.
- 33. <?php function mymodule_menu() { $items['admin/mymodule/settings']= array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 34. <?php function mymodule_menu() { $items['admin/mymodule/settings']= array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 35. <?php $query = db_select('node','n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 36. <?php $query = db_select('node','n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 37. <?php $query = db_select('node','n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?>
- 38. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404 _title:'Page not found' requirements: _access: 'TRUE'
- 39. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404' _title:'Page not found' requirements: _access: 'TRUE'
- 41. Testing access bypass Visitnode/nid and other urls Visit anything/%node Use behat/automated tests
- 42. Fixing access bypass node_access entity_access Menudefinitions user_access for permissions $query->addTag('node_access') Write automated tests
- 43. SQL Injection Executing SQLof the attacker Change/gain information
- 44. Just a smalltest
- 45. <?php $results = db_query("SELECTuid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 46. <?php $results = db_query("SELECTuid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 47. <?php $results = db_query("SELECTuid, name, míail FROM {users} WHERE name LIKE :user_search", array(':term' => '%' . db_like($user_search))); ?>
- 49. Testing SQL Injection Checkthe queries in code coder.module username' AND 1=1 POST requests by curl
- 50. Fixing SQL Injection Usealways drupal Database API db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters db_like()
- 51. Cross Site RequestForgery Path-based vulnerability Missing valid token <img>
- 52. Fixing CSRF Use FormAPI Send and validate token properly In D8 use the built-in csrf_token
- 53. Security improvements inDrupal 8 Twig No PHP filter in core Local image filter WYSIWYG in core (advanced filtering) Built-in CSRF token mechanism
- 54. Learn by advisories Reportissues on security.drupal.org Security advisories are for • Only stable modules • No alpha, beta, dev • d.org hosted modules @Maintainers: If you are contacted, be supportive!
- 55.
- 57. Project applications ondrupal.org New contributors Release management – stable Power of the community Automated (pareview.sh) and manual code review
- 58. Security related contribmodules Hacked! Security review (simplytest.me) Paranoia Password policy Encrypt Drop Guard Guardian Composer Security Checker Permission report Text format reported And so on... + PHPCS Drupal BestPractice Sniff
- 59. Thank you! Tatar BalazsJanos @tatarbj https://www.drupal.org/u/tatarbj https://twitter.com/tatarbj Drupal slack: @tatarbj