Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Let's write secure Drupal code! DUG Belgium - 08/08/2019

128 visualizaciones

Publicado el

Slides of my session called Let's write secure Drupal code! given at Drupal User Group Belgium in Ghent, Belgium on 8 August 2019.

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

Let's write secure Drupal code! DUG Belgium - 08/08/2019

  1. 1. LET’S WRITE SECURE DRUPAL CODE! TATAR BALAZS JANOS DRUPAL USER GROUP – DRUPAL BELGIUM GHENT, BELGIUM – 08.08.2019
  2. 2. Who am I? Tatar Balazs Janos @tatarbj Working with Drupal since 2007 CTO @ Petend Drupal Security Correspondent @ European Commission Provisional member @ Drupal Security Team SecOSdreamer @ Secure Open Source days (SecOSdays) Active mentor @ Mentoring community group
  3. 3. TatarBalazsJanos - @tatarbj
  4. 4. Are there site builders? TatarBalazsJanos - @tatarbj
  5. 5. TatarBalazsJanos - @tatarbj
  6. 6. Demo TatarBalazsJanos - @tatarbj
  7. 7. Gist https://gist.github.com/tatarbj/3595fde5c79725a546b558cdbe769cb2 TatarBalazsJanos - @tatarbj
  8. 8. Are there developers/maintainers? TatarBalazsJanos - @tatarbj
  9. 9. Have you attended on a previous Let’s write secure Drupal code! session? TatarBalazsJanos - @tatarbj
  10. 10. DrupalCamp Antwerp 2017 DrupalCamp Ruhr 2018 DrupalDevDays 2018 Drupal Europe 2018 DrupalCamp Oslo 2018 DrupalCamp London 2019 Drupal Mountain Camp 2019 DrupalCamp Spain 2019 DrupalCamp Belarus 2019 DrupalCamp Kyiv 2019 DrupalCamp Poland 2019 DrupalCamp Pannonia 2019 DUG Belgium – August, 2019 History - Homecoming TatarBalazsJanos - @tatarbj
  11. 11. Trends in Security TatarBalazsJanos - @tatarbj
  12. 12. TatarBalazsJanos - @tatarbj
  13. 13. TatarBalazsJanos - @tatarbj
  14. 14. Types of vulnerabilities TatarBalazsJanos - @tatarbj
  15. 15. TatarBalazsJanos - @tatarbj
  16. 16. Cross Site Scripting TatarBalazsJanos - @tatarbj
  17. 17. Client side vulnerability Unfiltered output Never trust any user input. We’ve seen the demo before ;) Cross Site Scripting TatarBalazsJanos - @tatarbj
  18. 18. TatarBalazsJanos - @tatarbj
  19. 19. Html::escape() – plain text Xss::filter() – html is allowed Xss::filterAdmin() – text by admins TatarBalazsJanos - @tatarbj
  20. 20. Bingo TatarBalazsJanos - @tatarbj
  21. 21. Everyone has a bingo card (check your bag!) If you answer well, mark the number! Wrong answer = no number! First who shouts BINGO! wins the price! Rules and etiquette TatarBalazsJanos - @tatarbj
  22. 22. Round 1 TatarBalazsJanos - @tatarbj
  23. 23. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="!src" alt="@alt" />', array('!src' => $value['src'], '$alt' => $value['alt'])), ); //... } return $element; } TatarBalazsJanos - @tatarbj
  24. 24. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="!src" alt="@alt" />', array('!src' => $value['src'], '$alt' => $value['alt'])), ); //... } return $element; } TatarBalazsJanos - @tatarbj
  25. 25. function custom_field_formatter_view(...) { foreach ($items as $key => $value) { //... $element[$key] = array( '#type' => 'markup', '#markup' => t('<img src="@src" alt="@alt" />', array('@src' => $value['src'], '$alt' => $value['alt'])), ); //... } return $element; } TatarBalazsJanos - @tatarbj
  26. 26. 12 TatarBalazsJanos - @tatarbj
  27. 27. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos - @tatarbj
  28. 28. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = $content->get('body_field')->getValue()[0]['value']; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos - @tatarbj
  29. 29. foreach ($items as $delta => $item) { $id = $item->getValue()['target_id']; $content = Drupal::entityTypeManager() ->getStorage($entity_type_id) ->load($id); $body = [ '#type' => 'processed_text', '#text' => $content->get('body_field')->getValue()[0]['value'], '#format' => $content->get('body_field')->getValue()[0]['format'], ]; } $elements[$delta] = array( '#theme' => 'something_custom', '#body' => $body, ); return $elements; TatarBalazsJanos - @tatarbj
  30. 30. 23 TatarBalazsJanos - @tatarbj
  31. 31. In Drupal 7 check_url() calls check_plain() to sanitize bad protocols properly. ? TatarBalazsJanos - @tatarbj
  32. 32. In Drupal 7 check_url() calls check_plain() to sanitize bad protocols properly. ? TatarBalazsJanos - @tatarbj
  33. 33. In Drupal 7 check_url() calls drupal_strip_dangerous_protocols() to sanitize bad protocols properly. ? TatarBalazsJanos - @tatarbj
  34. 34. 25 TatarBalazsJanos - @tatarbj
  35. 35. The <img> HTML tag is bulletproof against Cross Site Scripting vulnerabilities. ? TatarBalazsJanos - @tatarbj
  36. 36. The <img> HTML tag is bulletproof against Cross Site Scripting vulnerabilities. ? TatarBalazsJanos - @tatarbj
  37. 37. The <img> HTML tag is not* bulletproof against Cross Site Scripting vulnerabilities. *it allows attributes to be compromised! ? TatarBalazsJanos - @tatarbj
  38. 38. 34 TatarBalazsJanos - @tatarbj
  39. 39. Drupal 8 allows Full HTML to be used by authenticated and administrator users. ? TatarBalazsJanos - @tatarbj
  40. 40. Drupal 8 allows Full HTML to be used by authenticated and administrator users. ? TatarBalazsJanos - @tatarbj
  41. 41. Drupal 8 allows Full HTML to be used by only administrator users. ? TatarBalazsJanos - @tatarbj
  42. 42. 17 TatarBalazsJanos - @tatarbj
  43. 43. TatarBalazsJanos - @tatarbj
  44. 44. Use behat/automated tests. <script>alert('XSS')</script> <img src="a" onerror="alert('title')"> Check your filters and user roles. Do not give too many options to untrusted users! Protection against Cross Site Scripting TatarBalazsJanos - @tatarbj
  45. 45. Access Bypass TatarBalazsJanos - @tatarbj
  46. 46. User can access/do something. Menu items can be defined to be accessed/denied. Many access systems: node, entity, field, views... Access bypass TatarBalazsJanos - @tatarbj
  47. 47. Round 2 TatarBalazsJanos - @tatarbj
  48. 48. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid')) ->condition('type', 'article'); $result = $query->execute(); ?> TatarBalazsJanos - @tatarbj
  49. 49. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid')) ->condition('type', 'article'); $result = $query->execute(); ?> TatarBalazsJanos - @tatarbj
  50. 50. <?php $query = db_select('node', 'n') ->fields('n', array('title', 'nid') ->condition('type', 'article') ->addTag('node_access'); $result = $query->execute(); ?> TatarBalazsJanos - @tatarbj
  51. 51. 29 TatarBalazsJanos - @tatarbj
  52. 52. mymodule.not_found: path: '/not-found' defaults: _controller: 'DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE' TatarBalazsJanos - @tatarbj
  53. 53. mymodule.not_found: path: '/not-found' defaults: _controller: 'DrupalmymoduleControllerNotFoundController::build404' _title: 'Page not found' requirements: _access: 'TRUE' TatarBalazsJanos - @tatarbj
  54. 54. 16 TatarBalazsJanos - @tatarbj
  55. 55. Restricted permissions make Drupal sites more secure by calling restrict_permission() method. ? TatarBalazsJanos - @tatarbj
  56. 56. Restricted permissions make Drupal sites more secure by calling restrict_permission() method. ? TatarBalazsJanos - @tatarbj
  57. 57. Restricted permissions make Drupal sites more secure by raising attention on the permission page. ? TatarBalazsJanos - @tatarbj
  58. 58. 6 TatarBalazsJanos - @tatarbj
  59. 59. A standard Drupal 8 allows users to mistype their passwords 3 times. ? TatarBalazsJanos - @tatarbj
  60. 60. A standard Drupal 8 allows users to mistype their passwords 3 times. ? TatarBalazsJanos - @tatarbj
  61. 61. A standard Drupal 8 allows users to mistype their passwords 5 times. ? TatarBalazsJanos - @tatarbj
  62. 62. 9 TatarBalazsJanos - @tatarbj
  63. 63. TatarBalazsJanos - @tatarbj
  64. 64. Visit node/nid and other urls Visit anything/%node Use behat/automated tests. node_access, entity_access Menu definitions user_access for permissions $query->addTag('node_access') Protection against Access bypass TatarBalazsJanos - @tatarbj
  65. 65. SQL Injection TatarBalazsJanos - @tatarbj
  66. 66. Unauthorized access to database resources. Do not trust any user input. SA-CORE-2014-005 – Highly critical D7 SA SQL Injection TatarBalazsJanos - @tatarbj
  67. 67. Round 3 TatarBalazsJanos - @tatarbj
  68. 68. <?php $result = Drupal::database() ->delete('people') ->condition('name', '%_' . $_GET['param'], 'LIKE'); ->execute(); ?> TatarBalazsJanos - @tatarbj
  69. 69. <?php $result = Drupal::database() ->delete('people') ->condition('name', '%_' . $_GET['param'], 'LIKE'); ->execute(); ?> TatarBalazsJanos - @tatarbj
  70. 70. <?php $database = Drupal::database(); $result = $database ->delete('people') ->condition('name', $database->escapeLike($_GET['param']), 'LIKE'); ->execute(); ?> TatarBalazsJanos - @tatarbj
  71. 71. 31 TatarBalazsJanos - @tatarbj
  72. 72. A highly critical Drupal 7 core update remediated a Remote code execution vulnerability in 2014. ? TatarBalazsJanos - @tatarbj
  73. 73. A highly critical Drupal 7 core update remediated a Remote code execution vulnerability in 2014. ? TatarBalazsJanos - @tatarbj
  74. 74. A highly critical Drupal 7 core update remediated an SQL injection vulnerability in 2014. ? TatarBalazsJanos - @tatarbj
  75. 75. 15 TatarBalazsJanos - @tatarbj
  76. 76. SQL Injection is a server side vulnerability. ? TatarBalazsJanos - @tatarbj
  77. 77. SQL Injection is a server side vulnerability. ? TatarBalazsJanos - @tatarbj
  78. 78. 13 TatarBalazsJanos - @tatarbj
  79. 79. TatarBalazsJanos - @tatarbj
  80. 80. Use always drupal Database API! db_query with :placeholder (deprecated in D8, in D9 will be removed) Filter parameters Check the queries in code. username' AND 1=1 POST requests by curl Protection against SQL Injection TatarBalazsJanos - @tatarbj
  81. 81. Round 4 Ready for some other code? TatarBalazsJanos - @tatarbj
  82. 82. <?php function _generate_password($length = 8) { $pass = ''; $allowable_characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789()`~!@#$% ^&*-+=|{}[]:;"'<>,.?/'; $len = drupal_strlen($allowable_characters) – 1; for ($i = 0; $i < $length; $i++) { // Each iteration, pick a random character from the // allowable string and append it to the password: $pass .= $allowable_characters[mt_rand(0, $len)]; } } ?> TatarBalazsJanos - @tatarbj
  83. 83. <?php function _generate_password($length = 8) { $pass = ''; $allowable_characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789()`~!@#$% ^&*-+=|{}[]:;"'<>,.?/'; $len = drupal_strlen($allowable_characters) – 1; for ($i = 0; $i < $length; $i++) { // Each iteration, pick a random character from the // allowable string and append it to the password: $pass .= $allowable_characters[mt_rand(0, $len)]; } } ?> TatarBalazsJanos - @tatarbj
  84. 84. <?php function _generate_password($length = 8) { $pass = ''; $allowable_characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789()`~!@#$% ^&*-+=|{}[]:;"'<>,.?/'; $len = drupal_strlen($allowable_characters) – 1; for ($i = 0; $i < $length; $i++) { do { // Find a secure random number within the range needed. $index = ord(drupal_random_bytes(1)); } while ($index > $len); $pass .= $allowable_characters[$index]; } } ?> TatarBalazsJanos - @tatarbj
  85. 85. 8 TatarBalazsJanos - @tatarbj
  86. 86. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos - @tatarbj
  87. 87. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos - @tatarbj
  88. 88. // custom_module.permissions.yml administer custom module: title: 'Bypass access control' description: 'Allows a user to bypass access control.’ restrict access: TRUE // custom_module.routing.yml custom_module.settings.form: path: '/admin/config/custom/settings' requirements: _permission: 'administer custom module' TatarBalazsJanos - @tatarbj
  89. 89. 20 TatarBalazsJanos - @tatarbj
  90. 90. // contrib_module.routing.yml contrib_module.settings.form: path: '/admin/config/contrib/settings' requirements: _permission: 'administer site configuration' TatarBalazsJanos - @tatarbj
  91. 91. // contrib_module.routing.yml contrib_module.settings.form: path: '/admin/config/contrib/settings' requirements: _permission: 'administer site configuration' TatarBalazsJanos - @tatarbj
  92. 92. 26 TatarBalazsJanos - @tatarbj
  93. 93. The Drupal core security release window is every 1st Wednesdays of each month. ? TatarBalazsJanos - @tatarbj
  94. 94. The Drupal core security release window is every 1st Wednesdays of each month. ? TatarBalazsJanos - @tatarbj
  95. 95. The Drupal core security release window is every 3rd Wednesdays of each month. ? TatarBalazsJanos - @tatarbj
  96. 96. 32 TatarBalazsJanos - @tatarbj
  97. 97. Over 10% of all Drupal Security advisories are already publicly exploited. ? TatarBalazsJanos - @tatarbj
  98. 98. Over 10% of all Drupal Security advisories are already publicly exploited. ? TatarBalazsJanos - @tatarbj
  99. 99. Less then 1%* of all Drupal Security advisories are already publicly exploited. *before they are announced! ? TatarBalazsJanos - @tatarbj
  100. 100. 11 TatarBalazsJanos - @tatarbj
  101. 101. Cross Site Scripting vulnerability is in the TOP3 of OWASP list from 2017. ? TatarBalazsJanos - @tatarbj
  102. 102. Cross Site Scripting vulnerability is in the TOP3 of OWASP list from 2017. ? TatarBalazsJanos - @tatarbj
  103. 103. Cross Site Scripting vulnerability is not in the TOP3 of OWASP list from 2017, but was in 2013. ? TatarBalazsJanos - @tatarbj
  104. 104. 21 TatarBalazsJanos - @tatarbj
  105. 105. In case of no winner, extra numbers are coming! ! TatarBalazsJanos - @tatarbj
  106. 106. 7 TatarBalazsJanos - @tatarbj
  107. 107. 18 TatarBalazsJanos - @tatarbj
  108. 108. 27 TatarBalazsJanos - @tatarbj
  109. 109. 30 TatarBalazsJanos - @tatarbj
  110. 110. 1 TatarBalazsJanos - @tatarbj
  111. 111. 10 TatarBalazsJanos - @tatarbj
  112. 112. 33 TatarBalazsJanos - @tatarbj
  113. 113. 19 TatarBalazsJanos - @tatarbj
  114. 114. 3 TatarBalazsJanos - @tatarbj
  115. 115. 28 TatarBalazsJanos - @tatarbj
  116. 116. 22 TatarBalazsJanos - @tatarbj
  117. 117. 4 TatarBalazsJanos - @tatarbj
  118. 118. 35 TatarBalazsJanos - @tatarbj
  119. 119. 2 TatarBalazsJanos - @tatarbj
  120. 120. 14 TatarBalazsJanos - @tatarbj
  121. 121. TatarBalazsJanos - @tatarbj
  122. 122. Security Improvements TatarBalazsJanos - @tatarbj
  123. 123. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf Many ways Drupal 8 is more secure!* Twig templates for HTML generation Removed PHP format Site configuration exportable, versionable User content entry and filtering improvements User session and session always in ID handling Automated CSRF token protection Trusted host patterns enforced for requests Single statement execution for SQL Clickjacking protection Content security policy compatibility with Core Javascript API TatarBalazsJanos - @tatarbj
  124. 124. Learn by Advisories TatarBalazsJanos - @tatarbj
  125. 125. Security advisories are for  Only stable modules  No alpha, beta, dev  d.org hosted projects @Maintainers: If you are contacted, be supportive!  Drupal Security Team TatarBalazsJanos - @tatarbj
  126. 126. TatarBalazsJanos - @tatarbj
  127. 127. Hacked! Security review (simplytest.me) Password policy Encrypt Composer Security Checker Permission report Drop Guard Security Awareness programs + PHPCS Drupal BestPractice Sniff Security related projects TatarBalazsJanos - @tatarbj
  128. 128. SecOSdays 25-26 October 2019 – Sofia, Bulgaria https://secosday.eu Call For Sessions and Sponsors are open! Tatar Balazs Janos - @tatarbj
  129. 129. Questions? TatarBalazsJanos - @tatarbj
  130. 130. Tatar Balazs Janos @tatarbj Thank you!

×