Secure Code Review

Events happening in the community are now at Drupal community events on www.drupal.org.
You are viewing a wiki page. You are welcome to join the group and then edit it. Be bold!
Posted by solotandem on July 13, 2011 at 5:13pm
Last updated by solotandem on Wed, 2011年08月17日 15:04

Project page: Secure Code Review
Student: Jim Berry (solotandem)
Mentor: Greg Knaddison (greggles)

Project Status

Done

  • reviewed and summarized the patterns in recent security announcements (see this issue)
  • restructured the project files to accommodate Drupal version-specific reviews
  • implemented initial form api review focusing on '#title', '#description', and '#default_value' items

July 27

  • implemented initial theme review with theme('table', ...) calls (see third item mentioned in link above)
  • this provides a pattern that can be extended to other core theme functions (known to expect sanitized input)
  • the review code

    • evaluates the parameters in a call to theme('table', ...)
    • for each parameter that is a variable, it traverses the body of the function looking for assignments to the variables
    • the traversal includes all other assignments related to that variable
    • evaluates each assignment value using the secure_text_review routine
    • for example, in the sample function below with theme('table', ...) call, the $xss_title and $xss_description variables used in $header assignments (multiple headers are for testing only) are resolved to the string assignments at the beginning of the function
<?php
function theme_example_table_1($form) {
$xss_title = '<a href=xss.com>xss vulnerable title</a>';
$xss_description = '<a href=xss.com>xss vulnerable description</a>';

$rows = array();
foreach (
element_children($form) as $key) {
$template = &$form[$key];
$row = array();
$row[] = check_plain($template['name']);
$row[] = drupal_render($template['desc']);
$row[] = drupal_render($template['module']);
$row[] = array('data' => $template['status']['#value'], 'class' => 'status');
$row[] = array('data' => check_plain($template['status']['#value']), 'class' => 'status');
$rows[] = array('data' => $row, 'class' => $template['status']['#class']);
}
$header = array(t('Name'), t('Description'), t('Module'), t('Status'));
$header = array(t('Name'), t('Description'), t('Module'), t('Status'), $xss_title);
$header[] = array('data' => $xss_description);
$header[] = $xss_description;

$caption = $xss_title;
$output .= theme('table', $header, $rows, array(), $caption);

return
$output;
}
?>

August 10

  • revise logging to

    • produce machine readable output (JSON format)
    • utilize severity level toggles (pass, fail, unknown)
  • clean up log messages; utilize new logging format

  • add constants and setting for secure_code_review_log_level
  • display settings form using vertical tabs.

August 17

  • catalog counts of theme() calls by theme function in D6 and D7
  • apply the code pattern to other core theme functions (known to expect sanitized input)

    • item_list

Current

  • apply the code pattern to other core theme functions (known to expect sanitized input)
  • revise logging to

    • produce machine readable output (JSON or XML format)
    • utilize some type of severity level toggles (e.g., only log errors, etc.)

Future

  • after that, attempt to review custom theme functions (i.e. those defined by a contributed module) to determine assumptions about sanitized input
  • from the prior step, utilize the theme review code pattern with the custom theme functions
  • extend all text reviews to search the code block for assignments to the variable being reviewed
  • this affects the form api review and others written last year

Google Summer of Code 2011

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /