The document outlines the security framework of Odoo, detailing measures the security team implements to protect against vulnerabilities, with a focus on compliance with OWASP top 10 threats. It highlights common coding mistakes made by developers and emphasizes improved security features implemented in newer versions of the platform. The document encourages developers to engage with the security team for any inquiries or issues related to application security.

1. SAFER Odoo Code
Olivier Dony
Platform & Security
security@odoo.com - @odony
2017
EXPERIENCE
and the pursuit thereof...

2. GOALS.
1. Word about our security team
2. Framework security features
3. Evolutions
4. Recap of common mistakes

3. GOAL.
A word about the Odoo security team

4. MISSIONS
Single point of contact - security@odoo.com
Priority answer (~24h)
Disclosure process & policy
odoo.com/security-report
Questions, audit reviews, bugs,...
Internal reviews (transversal)
Raising awareness
Security Advisories (CVEs)

5. Launch
Year after year...

6. 150+ TICKETS
Self-XSS
FALSEPOSITIVE
DKIM/DMARC
Policy
SSL modulus
Version discl.
Unexploitable
XSS
XSS
Broken
authentication
Code Exec.
REALTHREAT
Phishing
Path discl.
Audit
review
This year...

7. The visible parts of
the iceberg

8. Our heroes...

9. GOAL.
Framework security features

10. THE SECURITY
MODEL Business
Data
DATA
ACCESS
LAYER
ACCESS CONTROL
Groups
ACL
Rules
ODOO
APPS

11. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards

12. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards

13. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives

14. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions

15. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions
High-level templ. language

16. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions
High-level templ. language
CRUD-level access control

17. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions
High-level templ. language
CRUD-level access control
CRUD-level access control

18. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions
High-level templ. language
CRUD-level access control
CRUD-level access control
CSRF protection for forms

19. OWASP Top 10
The Odoo framework is
designed to help developers
avoid those common pitfalls
OWASP Top 10 (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
High level query primitives
Built-in sessions
High-level templ. language
CRUD-level access control
CRUD-level access control
CSRF protection for forms
Reduced sets of deps.

20. GOAL.
Highlight framework security-related evolutions

21. Extra security logs

22. HTTP-only session
cookies

23. Encrypted master
password*
*hashed, of course (PBKDF2-SHA512)

24. Database manager can be deactivated
RPC calls blocked too!
--no-database-list
will now block access to
database management
screens

25. Encrypted database connections (tcp)
SSL mode Eavesdrop MITM
disable / /
allow ? /
prefer ? /
require OK /
verify-ca OK ~OK
verify-full OK OK

26. No more Pickle!
Welcome JSON!

27. Restricted system parameters
Admin-only
access!

28. Hardened access rights on internal data
Odoo 10 Odoo 11

29. GOAL.
Recap of common coding mistakes

30. GOAL.MISTAKE #1: using eval to parse text
It breaks the barrier between code and data

31. GOAL.MISTAKE #1: using eval to parse text
There are smarter and safer ways to parse literals
Language Data type Suitable parser
Python int, float, etc. int(), float()
Javascript int, float, etc. parseInt(), parseFloat()
Python dict json.loads(), ast.literal_eval()
Javascript object JSON.parse()
... ... ...

32. GOAL.MISTAKE #1: using eval to parse text
And when you must
eval(), be doubly careful
Custom piece
of logic
Parametrized
rendering
User-
provided
data
Worried developer

33. GOAL.MISTAKE #2: handcrafted SQL
It’s easy to get it wrong

34. GOAL.MISTAKE #2: handcrafted SQL
It’s easy to get it wrong
Nope, you
can’t do that

35. GOAL.MISTAKE #2: handcrafted SQL
It’s easy to get it wrong
Separate
code vs
parameters

36. GOAL.MISTAKE #3: XSS vectors
t-esc=”task.name“ t-raw=”task.name“ t-raw=”sanitized_body“
YES! ☺ NO! 😠 MAYBE… ☹
t-field=”task.name“
<span t-field=”task.name”
t-attf-class=”o_task_{{task.state}}“
/>
task_cls = ‘o_task_%s‘ %
task.state
task = ‘<span class=”%s”/>%s’ % (
task_cls, task.name
)
...
<span t-raw=”task“/>
task_cls = ‘o_task_%s‘ %
escape(task.state)
task = ‘<span class=”%s”/>%s’ % (
task_cls, escape(task.name)
)
...
<span t-raw=”task“/>

37. MISTAKE #4: careless sudo usage
Keep the sudo scope as limited
as possible
Review 2x all calls done as
super-user, watch out for leaked
objects and side-effects

38. And there's more...
Other examples and explanations
in "Top 10 rules" talk from Odoo
Experience 2016.
https://www.odoo.com/r/h3s

39. TAKEAWAYS.
The framework tries to protect you from harm...
as long as you don’t bypass the protections!
And it's improving year after year…
Get in touch with us whenever you have security
questions… security@odoo.com

40. SAFER Odoo Code
Olivier Dony
Platform & Security
security@odoo.com
2017
EXPERIENCE
and the pursuit thereof...
Photos credits:
https://www.flickr.com/photos/steve_rider/
https://www.flickr.com/photos/ericprunier/
https://www.flickr.com/photos/jezbags/
https://www.flickr.com/photos/150472095@N05/
https://www.flickr.com/photos/loosetrucks/