Slides of the Drupal security related session at DrupalCamp Oslo - 10 November 2018.

1. Let’s write secure Drupal code!
Balazs Janos Tatar
DrupalCamp Oslo 2018

2. Thanks Sponsors!

3. Who am I?
Tatar Balazs Janos
@tatarbj
Hungarian, lives in Brussels
Works with Drupal since 2007
Provisional Member of Drupal Security Team
IT Security Analyst, Drupal Security
Correspondent @ EC... And a cat-gif addict

5. Are there site builders?

7. Demo

8. Gist
http://bit.ly/oslo_writes_secure_drupal_code

9. Are there developers/maintainers?

10. Trends in Security

17. Types of vulnerabilities

19. Cross Site Scripting

20. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting

23. Html::escape() – plain text
Xss::filter() – html is allowed
Xss::filterAdmin() – text by admins

24. Test

25. Raise your green card if snippet is secure!
Raise your red card if code has issues!

26. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>

27. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>

28. <?php print '<a href="/' . check_plain($url) . '">'; ?>

29. <?php print '<a href="/' . check_plain($url) . '">'; ?>

30. <?php print '<a href="/' . check_url($url) . '">'; ?>

31. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

32. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

33. foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

35. Use behat/automated tests.
<script>alert(‘XSS’)</script>
<img src=“a” onerror=“alert(’title’)”>
Check your filters and user roles.
Do not give too many options to
untrusted users!
Protection against Cross Site Scripting

36. Access Bypass

37. User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity,
field, views...
Access bypass

38. Test II.

39. <?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>

40. <?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>

41. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article');
$result = $query->execute();
?>

42. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article');
$result = $query->execute();
?>

43. <?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article')
->addTag('node_access');
$result = $query->execute();
?>

44. mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404
_title: 'Page not found'
requirements:
_access: 'TRUE'

45. mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404'
_title: 'Page not found'
requirements:
_access: 'TRUE'

47. Visit node/nid and other urls
Visit anything/%node
Use behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass

48. SQL Injection

49. Unauthorized access to database
resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7
SA
SQL Injection

50. Test III.

51. <?php
$results = db_query("SELECT uid, name, mail FROM {users}
WHERE name LIKE '%%$user_search%%'");
?>

52. <?php
$results = db_query("SELECT uid, name, mail FROM {users}
WHERE name LIKE '%%$user_search%%'");
?>

53. <?php
$results = db_query("SELECT uid, name, mail FROM {users}
WHERE name LIKE :user_search",
array(':user_search' => '%' . db_like($user_search)));
?>

55. Use always drupal Database API!
db_query with :placeholder (deprecated in D8, in D9 will
be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection

56. Security Improvements

57. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and sessio always n ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API

58. Learn by Advisories

59. Security advisories are for
Only stable modules
No alpha, beta, dev
d.org hosted modules
@Maintainers: If you are contacted, be supportive! .
Drupal Security Team

61. Hacked!
Security review (simplytest.me)
Password policy
Encrypt
Drop Guard
Composer Security Checker
Permission report
Text format reported
+ PHPCS Drupal BestPractice Sniff
Security related contribs

62. Questions?

63. Tatar Balazs Janos
@tatarbj
Thank you!