Let's write secure Drupal code! - DrupalCamp Oslo, 2018
Download as PPTX, PDF1 like300 views
This document summarizes a presentation about writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It provides examples of secure and vulnerable code and recommends best practices to prevent vulnerabilities, including input filtering, access control, and automated testing. It also discusses security improvements in Drupal 8 and learning from security advisories.
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeoslo-181110092805/85/Let-s-write-secure-Drupal-code-DrupalCamp-Oslo-2018-31-320.jpg)
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeoslo-181110092805/85/Let-s-write-secure-Drupal-code-DrupalCamp-Oslo-2018-32-320.jpg)
![foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;](https://image.slidesharecdn.com/letswritesecuredrupalcodeoslo-181110092805/85/Let-s-write-secure-Drupal-code-DrupalCamp-Oslo-2018-33-320.jpg)
![<?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>](https://image.slidesharecdn.com/letswritesecuredrupalcodeoslo-181110092805/85/Let-s-write-secure-Drupal-code-DrupalCamp-Oslo-2018-39-320.jpg)
![<?php
function mymodule_menu() {
$items['admin/mymodule/settings'] = array(
'title' => 'Settings of my module',
'page callback' => 'drupal_get_form',
'page arguments' => array('mymodule_setting_form'),
'access arguments' => array('administer mymodule'),
'type' => MENU_LOCAL_ACTION,
);
return $items;
}
?>](https://image.slidesharecdn.com/letswritesecuredrupalcodeoslo-181110092805/85/Let-s-write-secure-Drupal-code-DrupalCamp-Oslo-2018-40-320.jpg)
Let's write secure Drupal code! - DrupalCamp Oslo, 2018
- 1. Let’s write secure Drupal code! Balazs Janos Tatar DrupalCamp Oslo 2018
- 3. Who am I? Tatar Balazs Janos @tatarbj Hungarian, lives in Brussels Works with Drupal since 2007 Provisional Member of Drupal Security Team IT Security Analyst, Drupal Security Correspondent @ EC... And a cat-gif addict
- 5. Are there site builders?
- 7. Demo
- 8. Gist http://bit.ly/oslo_writes_secure_drupal_code
- 20. Client side vulnerability Unfiltered output Never trust any user input. We’ve seen the demo before ;) Cross Site Scripting
- 23. Html::escape() – plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins
- 24. Test
- 25. Raise your green card if snippet is secure! Raise your red card if code has issues!
- 26. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 27. <?php print '<tr><td>' . check_plain($title) . '</td></tr>'; ?>
- 28. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 29. <?php print '<a href="/' . check_plain($url) . '">'; ?>
- 30. <?php print '<a href="/' . check_url($url) . '">'; ?>
- 31. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 32. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 33. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements;
- 35. Use behat/automated tests. <script>alert(‘XSS’)</script> <img src=“a” onerror=“alert(’title’)”> Check your filters and user roles. Do not give too many options to untrusted users! Protection against Cross Site Scripting
- 36. Access Bypass
- 37. User can access/do something. Menu items can be defined to be accessed/denied. Many access systems: node, entity, field, views... Access bypass
- 38. Test II.
- 39. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 40. <?php function mymodule_menu() { $items['admin/mymodule/settings'] = array( 'title' => 'Settings of my module', 'page callback' => 'drupal_get_form', 'page arguments' => array('mymodule_setting_form'), 'access arguments' => array('administer mymodule'), 'type' => MENU_LOCAL_ACTION, ); return $items; } ?>
- 41. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 42. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article'); $result = $query->execute(); ?>
- 43. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?>
- 44. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404 _title: 'Page not found' requirements: _access: 'TRUE'
- 45. mymodule.not_found: path: '/not-found' defaults: _controller: DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE'
- 47. Visit node/nid and other urls Visit anything/%node Use behat/automated tests. node_access, entity_access Menu definitions user_access for permissions $query->addTag('node_access') Protection against Access bypass
- 48. SQL Injection
- 49. Unauthorized access to database resources. Do not trust any user input. SA-CORE-2014-005 – Highly critical D7 SA SQL Injection
- 50. Test III.
- 51. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 52. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE '%%$user_search%%'"); ?>
- 53. <?php $results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE :user_search", array(':user_search' => '%' . db_like($user_search))); ?>
- 55. Use always drupal Database API! db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters Check the queries in code. username' AND 1=1 POST requests by curl Protection against SQL Injection
- 57. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf Many ways Drupal 8 is more secure! Twig templates for HTML generation Removed PHP format Site configuration exportable, versionable User content entry and filtering improvements User session and sessio always n ID handling Automated CSRF token protection Trusted host patterns enforced for requests Single statement execution for SQL Clickjacking protection Content security policy compatibility with Core Javascript API
- 59. Security advisories are for Only stable modules No alpha, beta, dev d.org hosted modules @Maintainers: If you are contacted, be supportive! . Drupal Security Team
- 61. Hacked! Security review (simplytest.me) Password policy Encrypt Drop Guard Composer Security Checker Permission report Text format reported + PHPCS Drupal BestPractice Sniff Security related contribs
- 62. Questions?
- 63. Tatar Balazs Janos @tatarbj Thank you!