Let's write secure Drupal code! - DrupalCamp Belarus 2019

LET’S WRITE SECURE DRUPAL
CODE!
TATAR BALAZS JANOS
DRUPALCAMP BELARUS
MINSK, BELARUS – 18.05.2019

Who am I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day

Are there site builders?
Tatar Balazs Janos - @tatarbj

Demo

Gist
https://gist.github.com/tatarbj/4a3ecaece9abc7100baf33fe06934634

Are there developers/maintainers?

Have you attended on a previous Let’s
write secure Drupal code! session?

DrupalCamp Antwerp 2017
DrupalCamp Ruhr 2018
DrupalDevDays 2018
Drupal Europe 2018
DrupalCamp Oslo 2018
DrupalCamp London 2019
Drupal Mountain Camp 2019
DrupalCamp Spain 2019
DrupalCamp Belarus 2019 – New edition!
History

Trends in Security

Types of vulnerabilities

Cross Site Scripting

Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting

Html::escape() – plain text
Xss::filter() – html is allowed
Xss::filterAdmin() – text by admins

Bingo

Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
First who shouts BINGO! wins the price!
Rules and etiquette

Round 1

function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="!src" alt="@alt" />',
array('!src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}

function custom_field_formatter_view(...) {
foreach ($items as $key => $value) {
//...
$element[$key] = array(
'#type' => 'markup',
'#markup' => t('<img src="@src" alt="@alt" />',
array('@src' => $value['src'], ‚$alt’ => $value['alt'])),
);
//...
}
return $element;
}

12

<?php print check_plain($body_field); ?>

<?php print check_markup($body_field); ?>

34

<?php print '<a href="/' . check_url($url) . '">'; ?>

4

foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = $content->get('body_field')->getValue()[0]['value'];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

foreach ($items as $delta => $item) {
$id = $item->getValue()['target_id'];
$content = Drupal::entityTypeManager()
->getStorage($entity_type_id)
->load($id);
$body = [
'#type' => 'processed_text',
'#text' => $content->get('body_field')->getValue()[0]['value'],
'#format' => $content->get('body_field')->getValue()[0]['format'], ];
}
$elements[$delta] = array(
'#theme' => 'something_custom',
'#body' => $body,
);
return $elements;

23

Drupal 8 allows Basic HTML to be
used by authenticated users.
?

17

Cross site scripting is a server side
vulnerability.
?

Cross site scripting is a client side
vulnerability.
?

2

User input must be always sanitized.
?

25

Use behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting

Access Bypass

User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass

Round 2

<?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid'))
->condition('type', 'article');
$result = $query->execute();
?>

<?php
$query = db_select('node', 'n')
->fields('n', array('title', 'nid')
->condition('type', 'article')
->addTag('node_access');
$result = $query->execute();
?>

29

mymodule.not_found:
path: '/not-found'
defaults:
_controller: DrupalmymoduleControllerNotFoundController::build404
_title: 'Page not found'
requirements:
_access: 'TRUE'

16

All users on Drupal sites belong to at
least 1 user role.
?

22

Restricted permissions make Drupal
sites more secure by calling
restrict_permission() method.
?

Restricted permissions make Drupal
sites more secure by raising
attention on the permission page.
?

6

Drupal 8 allows users to mistype
their passwords unlimited times.
?

Drupal 8 allows users to mistype
their passwords 5 times.
?

9

Visit node/nid and other urls
Visit anything/%node
Use behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass

SQL Injection

Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection

Round 3

<?php
$table = 'field_data_' . $field;
$sql = 'SELECT entity_id, bundle, ' . $field . '_linklabel FROM
{' . $table . '} WHERE ' . $field . '_normalized = :phoneno’;
$eid = db_query($sql, array(':phoneno' => $normalized))
->fetchAssoc();
?>

<?php
$query = db_select('field_data_' . $field, 'fdf');
$query->fields('fdf', array('entity_id', 'bundle', $field .
'_linklabel'));
$query->condition('fdf.' . $field . '_normalized',
$normalized);
$eid = $query->execute()->fetchAssoc();
?>

7

<?php
$result = Drupal::database()
->delete('people')
->condition('name', '%_' . $_GET['param'], 'LIKE');
->execute();
?>

<?php
$database = Drupal::database();
$result = $database
->delete('people')
->condition('name', $database->escapeLike($_GET['param']), 'LIKE');
->execute();
?>

31

Single statement execution for SQL
is present in Drupal 8 Database API.
?

24

A highly critical Drupal 8 core update
remediated an SQL injection
vulnerability in 2014.
?

A highly critical Drupal 7 core update
remediated an SQL injection
vulnerability in 2014.
?

15

Use always drupal Database API!
db_query with :placeholder (deprecated in D8,
in D9 will be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection

Round 4
Ready for some other code?

<?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>

<?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
$pass .= $allowable_characters[$index];
}
}
?>

8

// custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'

// custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
restrict access: TRUE
requirements:
_permission: 'administer custom module'

20

requirements:
_permission: 'administer site configuration'

26

OWASP stands for Online Web
Authentication Super Project.
?

OWASP stands for Open Web
Application Security Project.
?

10

XXE stands for XML External
Entities vulnerability.
?

32

SQL Injection is a server side
vulnerability.
?

13

Cross Site Request Forgery
vulnerability is in the TOP10 of
OWASP list from 2017.
?

Cross Site Request Forgery
vulnerability is not in the TOP10 of
OWASP list from 2017, but was in 2013.
?

5

In case of no winner,
extra numbers are coming!
!

18

27

30

1

11

33

Security Improvements

*https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session always in ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API

Learn by Advisories

Security advisories are for
 Only stable modules
 No alpha, beta, dev
 d.org hosted projects
@Maintainers: If you are contacted, be supportive! 
Drupal Security Team

Hacked!
Security review (simplytest.me)
Password policy
Encrypt
Composer Security Checker
Permission report
Drop Guard
Security Awareness programs
+ PHPCS Drupal BestPractice Sniff
Security related projects

https://tiny.cc/DrupalCampByContribute

SecOSdays
25-26 OCTOBER, 2019 - SOFIA, BULGARIA
Call For Sessions and Sponsors are open!

Questions?

Tatar Balazs Janos
@tatarbj
Thank you!

Let's write secure Drupal code! - DrupalCamp Belarus 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Let's write secure Drupal code! - DrupalCamp Belarus 2019

Similar to Let's write secure Drupal code! - DrupalCamp Belarus 2019 (20)

More from Balázs Tatár

More from Balázs Tatár (15)

Recently uploaded

Recently uploaded (20)

Let's write secure Drupal code! - DrupalCamp Belarus 2019

Editor's Notes