- The document discusses secure Drupal coding practices presented by Balazs Janos Tatar at DrupalCamp London 2019. - It covers common vulnerabilities like cross-site scripting, access bypass, SQL injection and how to prevent them through input filtering, access control configuration, and using Drupal's database APIs. - Tatar also discusses security improvements in Drupal 8 like Twig templates, automated CSRF protection, and content security policy compatibility. He encourages learning from security advisories and reviewing sites for vulnerabilities.

1. Let’s write secure Drupal code!
Balazs Janos Tatar
DrupalCamp London 2019

2. Who am I?
Tatar Balazs Janos
@tatarbj
Hungarian, lives in Brussels
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EU Commission
Provisional Member of Drupal Security Team

4. Are there site builders?

6. Demo

7. Gist
https://gist.github.com/tatarbj/cc8e96ae328a20b3c9a878eb76e26f37

8. Are there developers/maintainers?

9. Have you attended on a previous
Let’s write secure Drupal code!
session?

10. DrupalCamp Antwerp 2017
DrupalCamp Ruhr 2018
DrupalDevDays 2018
Drupal Europe 2018
DrupalCamp Oslo 2018
DrupalCamp London 2019
(Drupal Mountain Camp 2019)
(DrupalCamp Belarus 2019)
History

11. Trends in Security

14. Types of vulnerabilities

16. Cross Site Scripting

17. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting

19. Html::escape() – plain text
Xss::filter() – html is allowed
Xss::filterAdmin() – text by admins

20. Test

21. Raise your green card if snippet is secure!
Raise your red card if code has issues!

22. function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="!src" alt="@alt" />',
array('!src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}

23. function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="!src" alt="@alt" />',
array('!src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}

24. function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="@src" alt="@alt" />',
array('@src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}

25. <?php print '<a href="/' . check_url($url) . '">'; ?>

26. <?php print '<a href="/' . check_url($url) . '">'; ?>

27. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

28. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

29. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

31. Use behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted
users!
Protection against Cross Site Scripting

32. Access Bypass

33. User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass

34. Test II.

35. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article');
$result = $query->execute();
?>

36. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article');
$result = $query->execute();
?>

37. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article')
->addTag('node_access');
$result = $query->execute();
?>

38. mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404
_title: 'Page not found'
requirements:
_access: 'TRUE'

39. mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404'
_title: 'Page not found'
requirements:
_access: 'TRUE'

41. Visit node/nid and other urls
Visit anything/%node
Use behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass

42. SQL Injection

43. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection

44. Test III.

45. <?php
$table = 'field_data_' . $field;
$sql = 'SELECT entity_id, bundle, ' . $field . '_linklabel FROM
{' . $table . '} WHERE ' . $field . '_normalized = :phoneno’;
$eid = db_query($sql, array(':phoneno' => $normalized))
->fetchAssoc();
?>

46. <?php
$table = 'field_data_' . $field;
$sql = 'SELECT entity_id, bundle, ' . $field . '_linklabel FROM
{' . $table . '} WHERE ' . $field . '_normalized = :phoneno’;
$eid = db_query($sql, array(':phoneno' => $normalized))
->fetchAssoc();
?>

47. <?php
$query = db_select('field_data_' . $field, 'fdf');
$query->fields('fdf', array('entity_id', 'bundle', $field .
'_linklabel'));
$query->condition('fdf.' . $field . '_normalized',
$normalized);
$eid = $query->execute()->fetchAssoc();
?>

49. Use always drupal Database API!
db_query with :placeholder (deprecated in D8,
in D9 will be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection

50. Test IV.
Ready for some other code?

51. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>

52. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>

53. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
$pass .= $allowable_characters[$index];
}
}
?>

54. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'

55. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'

56. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
restrict access: TRUE
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'

57. // custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer site configuration'

58. // custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer site configuration'

60. Security Improvements

61. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and sessio always n ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API

62. Learn by Advisories

63. Security advisories are for
 Only stable modules
 No alpha, beta, dev
 d.org hosted projects
@Maintainers: If you are contacted, be supportive! 
Drupal Security Team

65. Hacked!
Security review (simplytest.me)
Password policy
Encrypt
Composer Security Checker
Permission report
Text format reported
Drop Guard
+ PHPCS Drupal BestPractice Sniff
Security related projects

66. SecOSday – Haarlem edition
11 May, 2019

67. Questions?

68. Tatar Balazs Janos
@tatarbj
Thank you!