Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
•Download as PPTX, PDF•
2 likes•412 views
This document summarizes a presentation on writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It demonstrates how to securely code against these vulnerabilities and recommends using tools like Behat tests, security advisories, and contributing to Drupal to improve security. The presentation encourages writing secure code through sanitizing user input, using database placeholders, and following best practices.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
Similar to Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany (20)
More from Balázs Tatár
More from Balázs Tatár (16)
Recently uploaded
Recently uploaded (20)
Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany
- 2. Let’s write secure Drupal code! Balazs Janos Tatar
- 3. Drupal + Technology 17/3/2018 TRACK SUPPORTED BY
- 4. Who am I? Tatar Balazs Janos @tatarbj Hungarian, lives in Brussels Works with Drupal since 2007 Provisional Member of Drupal Security Team Technical PM and former QA Lead @ EC-DIGIT
- 6. Are there site builders?
- 8. Demo
- 20. Client side vulnerability Unfiltered output Never trust any user input. We’ve seen the demo before ;) Cross Site Scripting
- 22. Html::escape() – plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins
- 23. Test
- 24. Raise your green card if snippet is secure! Raise your red card if code has issues!
- 25. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 26. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 27. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 28. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 29. <?php print '<a href="/' . check_url($url) . '">'; ?>
- 30. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 31. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 32. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 34. Use behat/automated tests. <script>alert(‘XSS’)</script> <img src=“a” onerror=“alert(’title’)”> Check your filters and user roles. Do not give too many options to untrusted users! Protection against Cross Site Scripting
- 35. Access Bypass
- 36. User can access/do something. Menu items can be defined to be accessed/denied. Many access systems: node, entity, field, views... Access bypass
- 37. Test II.
- 38. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 39. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 40. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 41. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 42. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?>
- 43. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404 _title: 'Page not found' requirements: _access: 'TRUE'
- 44. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE'
- 46. Visit node/nid and other urls Visit anything/%node Use behat/automated tests. node_access, entity_access Menu definitions user_access for permissions $query->addTag('node_access') Protection against Access bypass
- 47. SQL Injection
- 48. Unauthorized access to database resources. Do not trust any user input. SA-CORE-2014-005 – Highly critical D7 SA SQL Injection
- 49. Test III.
- 50. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 51. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 52. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE :user_search", array(':user_search' => '%' . db_like($user_search))); ?>
- 54. Use always drupal Database API! db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters Check the queries in code. username' AND 1=1 POST requests by curl Protection against SQL Injection
- 56. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf Many ways Drupal 8 is more secure! Twig templates for HTML generation Removed PHP format Site configuration exportable, versionable User content entry and filtering improvements User session and sessio always n ID handling Automated CSRF token protection Trusted host patterns enforced for requests Single statement execution for SQL Clickjacking protection Content security policy compatibility with Core Javascript API
- 58. Security advisories are for Only stable modules No alpha, beta, dev d.org hosted modules @Maintainers: If you are contacted, be supportive! Drupal Security Team
- 60. Hacked! Security review (simplytest.me) Password policy Encrypt Drop Guard Composer Security Checker Permission report Text format reported + PHPCS Drupal BestPractice Sniff Security related contribs
- 61. Become a Drupal contributor Friday from 9am ● First timers workshop ● Mentored contribution ● General contribution
- 62. Questions?
- 63. Tatar Balazs Janos @tatarbj Thank you!
Editor's Notes
- we can also drop the url here ;)