Let's write secure Drupal code! Drupal MountainCamp 2019
•Download as PPTX, PDF•
0 likes•244 views
This document summarizes a presentation on secure Drupal coding given by Balazs Janos Tatar at the Drupal Mountain Camp 2019 conference. The presentation covered common types of vulnerabilities like cross-site scripting, access bypass, SQL injection, and discussed ways to prevent them, such as sanitizing user input, using the database API, and implementing access controls correctly. Code snippets were presented and the audience was asked to identify any issues. The goal was to help developers write more secure Drupal code.
More Related Content
What's hot
What's hot (20)
Similar to Let's write secure Drupal code! Drupal MountainCamp 2019
Similar to Let's write secure Drupal code! Drupal MountainCamp 2019 (20)
More from Balázs Tatár
More from Balázs Tatár (17)
Recently uploaded
Recently uploaded (20)
Let's write secure Drupal code! Drupal MountainCamp 2019
- 1. drupalmountaincamp.ch Let‘s write secure Drupal code! Balazs Janos Tatar
- 2. 2019 Friday 8 march 16:30 - 18:30 (Room: Pischa)
- 3. Group Picture Saturday from 10:30 - 11:00
- 4. 7th – 10th March 2019 Davos, Switzerlanddrupalmountaincamp.ch Contributions sprint all days.
- 5. 7th – 10th March 2019 Davos, Switzerlanddrupalmountaincamp.ch Contributions sprint all days. Let‘s write secure Drupal code! Tatar Balazs Janos
- 6. Who am I? Tatar Balazs Janos @tatarbj Works with Drupal since 2007 CTO @ Petend Drupal Security Correspondent @ EC Active mentor @ Mentoring community group Provisional member @ Drupal Security Team SecOSdreamer @ Secure Open Source day
- 8. Are there site builders? TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 13. Have you attended on a previous Let’s write secure Drupal code! session? TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 14. DrupalCamp Antwerp 2017 DrupalCamp Ruhr 2018 DrupalDevDays 2018 Drupal Europe 2018 DrupalCamp Oslo 2018 DrupalCamp London 2019 Drupal Mountain Camp 2019 (DrupalCamp Belarus 2019) History
- 21. Client side vulnerability Unfiltered output Never trust any user input. We’ve seen the demo before ;) Cross Site Scripting TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 23. Html::escape() – plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 25. Raise your red card if snippet has issues! Raise your green card if code is secure! TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 26. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="!src" alt="@alt" />', array('!src' => $value['src'], ‚$alt’ => $value['alt'])), ); //... } return $element; } TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 27. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="!src" alt="@alt" />', array('!src' => $value['src'], ‚$alt’ => $value['alt'])), ); //... } return $element; } TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 28. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="@src" alt="@alt" />', array('@src' => $value['src'], ‚$alt’ => $value['alt'])), ); //... } return $element; } TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 29. <?php print '<a href="/' . check_url($url) . '">'; ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 30. <?php print '<a href="/' . check_url($url) . '">'; ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 31. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 32. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 33. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 35. Use behat/automated tests. <script>alert('XSS')</script> <img src="a" onerror="alert('title')"> Check your filters and user roles. Do not give too many options to untrusted users! Protection against Cross Site Scripting TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 37. User can access/do something. Menu items can be defined to be accessed/denied. Many access systems: node, entity, field, views... Access bypass TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 39. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid')) ->condition('type', 'article'); $result = $query->execute(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 40. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid')) ->condition('type', 'article'); $result = $query->execute(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 41. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 42. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404 _title: 'Page not found' requirements: _access: 'TRUE' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 43. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 45. Visit node/nid and other urls Visit anything/%node Use behat/automated tests. node_access, entity_access Menu definitions user_access for permissions $query->addTag('node_access') Protection against Access bypass TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 47. Unauthorized access to database resources. Do not trust any user input. SA-CORE-2014-005 – Highly critical D7 SA SQL Injection TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 49. <?php $table = 'field_data_' . $field; $sql = 'SELECT entity_id, bundle, ' . $field . '_linklabel FROM {' . $table . '} WHERE ' . $field . '_normalized = :phoneno’; $eid = db_query($sql, array(':phoneno' => $normalized)) ->fetchAssoc(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 50. <?php $table = 'field_data_' . $field; $sql = 'SELECT entity_id, bundle, ' . $field . '_linklabel FROM {' . $table . '} WHERE ' . $field . '_normalized = :phoneno’; $eid = db_query($sql, array(':phoneno' => $normalized)) ->fetchAssoc(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 51. <?php $query = db_select('field_data_' . $field, 'fdf'); $query->fields('fdf', array('entity_id', 'bundle', $field . '_linklabel')); $query->condition('fdf.' . $field . '_normalized', $normalized); $eid = $query->execute()->fetchAssoc(); ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 53. Use always drupal Database API! db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters Check the queries in code. username' AND 1=1 POST requests by curl Protection against SQL Injection TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 54. Test IV. Ready for some other code? TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 55. <?php function _generate_password($length = 8) { $pass = ’’; for ($i = 0; $i < $length; $i++) { // Each iteration, pick a random character from the // allowable string and append it to the password: $pass .= $allowable_characters[mt_rand(0, $len)]; } } ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 56. <?php function _generate_password($length = 8) { $pass = ’’; for ($i = 0; $i < $length; $i++) { // Each iteration, pick a random character from the // allowable string and append it to the password: $pass .= $allowable_characters[mt_rand(0, $len)]; } } ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 57. <?php function _generate_password($length = 8) { $pass = ’’; for ($i = 0; $i < $length; $i++) { do { // Find a secure random number within the range needed. $index = ord(drupal_random_bytes(1)); } while ($index > $len); $pass .= $allowable_characters[$index]; } } ?> TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 58. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 59. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 60. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ restrict access: TRUE // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 61. // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer site configuration' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 62. // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer site configuration' TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 65. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf Many ways Drupal 8 is more secure!* Twig templates for HTML generation Removed PHP format Site configuration exportable, versionable User content entry and filtering improvements User session and sessio always n ID handling Automated CSRF token protection Trusted host patterns enforced for requests Single statement execution for SQL Clickjacking protection Content security policy compatibility with Core Javascript API TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 67. Security advisories are for Only stable modules No alpha, beta, dev d.org hosted projects @Maintainers: If you are contacted, be supportive! Drupal Security Team TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 69. Hacked! Security review (simplytest.me) Password policy Encrypt Composer Security Checker Permission report Drop Guard Security Awareness programs + PHPCS Drupal BestPractice Sniff Security related projects TatarBalazsJanos @tatarbj DrupalMountainCamp2019
- 70. SecOSday – Haarlem edition 11 May, 2019
- 72. Tatar Balazs Janos @tatarbj Thank you!