Posted: 08-May-2015 | Category: Technology | Uploaded by: drupalcampdn
Code Review: Looking for vulnerable code
Vlad Savitsky
http://donetsk.drupal.ua
Twitter:
"We've introduced code review at work."
"And what is that?"
"Well, you sit there, read the code, and weep..."
(In the Russian original the joke is that "ревёшь", "you weep", sounds like "review".)
http://twitter.com/#!/dallaylaen/status/129887114576920577
Overview
● Why review code?
● Who should do code review?
● Code review or person review?
● How to find a vulnerability?
● How to report a security problem?
Why review code?
● Increase code quality.
● Developers get to know code they did not write.
● Learn best practices.
● Check that the code is clear and easy to understand.
● Find vulnerable code.
What should a review not be spent on?
● Bugs and mistakes.
● Coding standard compliance.
(Leave these to tests and automated style checkers; reviewer time goes to design and security.)
When should code be reviewed?
● Before merging to trunk.
● Before adding new code to the project:
  ● Contrib modules/themes.
  ● Custom modules/themes.
● Small pieces of code are easier to review.
● Reviewing often is better than reviewing rarely.
Who should do code review?
● Team lead.
● Other developers.
Code review or person review?
● Developers identify themselves with their code, so criticism of the code is easily taken personally.
● A review done badly causes team conflicts.
● A review done well is an opportunity to learn best practices.
Golden rule of code review
Review others' code the way you want them to review yours.
Goal of code review
Perfect code made by imperfect developers.
How to find a vulnerability?
Find XSS
● Find and inspect theme() functions and any other place that builds HTML output.
● Is t() used with the proper placeholders? @var is escaped with check_plain() and %var with theme('placeholder') (drupal_placeholder() in Drupal 7); !var is inserted raw and is only safe for values that are already escaped.
● Is check_plain() (or theme('placeholder')) used for plain text?
● Is check_markup() or filter_xss() used for text that contains markup?
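The checklist above applied to a page callback, as an added example that is not part of the slides: the vulnerable version next to the fixed one, using the Drupal 7 API. The module name "example", its helper functions, the sample comments and the node id are assumptions for illustration; the code needs a Drupal 7 bootstrap to run.

```php
<?php
// Added example (not from the slides). Assumes a Drupal 7 site and a
// hypothetical module named "example".

/**
 * Vulnerable page callback: user input goes straight into HTML.
 * A request such as ?name=<script>alert(1)</script> runs in the browser.
 */
function example_greeting_bad() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'anonymous';

  // BAD: the !name placeholder is inserted raw, so the script tag survives.
  drupal_set_message(t('Hello !name', array('!name' => $name)));

  // BAD: string concatenation straight into markup.
  $output = '<h2>Welcome, ' . $name . '</h2>';

  // BAD: theme('item_list') expects strings that are already safe.
  $output .= theme('item_list', array('items' => example_load_comments()));
  return $output;
}

/**
 * Fixed page callback: each piece of untrusted text is escaped or filtered
 * according to what it is allowed to contain.
 */
function example_greeting_good() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'anonymous';

  // @name is passed through check_plain(); %name would go through
  // drupal_placeholder(), which also escapes. Both are safe for raw input.
  drupal_set_message(t('Hello @name', array('@name' => $name)));

  // Plain text that must not contain markup: check_plain() via @name.
  $output = '<h2>' . t('Welcome, @name', array('@name' => $name)) . '</h2>';

  $items = array();
  foreach (example_load_comments() as $comment) {
    // Text that may legitimately contain some HTML (comments, body text):
    // filter_xss() keeps a whitelist of harmless tags and strips the rest,
    // including event-handler attributes.
    $items[] = filter_xss($comment);
  }
  $output .= theme('item_list', array('items' => $items));

  // Content stored together with a text format (e.g. a node body) goes
  // through check_markup() so the filters of that format are applied.
  $node = node_load(1); // assumed node id
  $body = field_get_items('node', $node, 'body');
  if ($body) {
    $output .= check_markup($body[0]['value'], $body[0]['format']);
  }
  return $output;
}

/**
 * Stand-in for a real data source: constructed sample comments, one benign
 * (the <em> tag is on filter_xss()'s default whitelist) and one carrying an
 * XSS payload that filter_xss() neutralises.
 */
function example_load_comments() {
  return array(
    'Nice article, <em>thanks</em>!',
    '<img src=x onerror="alert(document.cookie)">',
  );
}
```

When reviewing, trace each variable from where it enters (request parameter, database row, field value) to where it is printed, and check that exactly one of check_plain(), filter_xss() or check_markup() sits on that path; double escaping is a display bug, missing escaping is XSS.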
SQL injection
● Bad code:
  db_query('SELECT foo FROM {table} t WHERE t.name = ' . $_GET['user']);
● Good code (Drupal 6 style: the '%s' placeholder is escaped by db_query()):
  db_query("SELECT foo FROM {table} t WHERE t.name = '%s'", $_GET['user']);
● Is the Database API used correctly?
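The same lookup in the Drupal 7 Database API, as an added example that is not part of the slides: the injectable pattern, the named-placeholder form, the query builder, and two cases that are still wrong even with placeholders (IN lists and LIKE patterns). The table {example_users} and its columns are assumptions for illustration; the code needs a Drupal 7 bootstrap to run.

```php
<?php
// Added example (not from the slides). Assumes Drupal 7 and a hypothetical
// table {example_users} with columns uid and name.

/**
 * BAD: the request parameter is concatenated into the SQL text.
 * ?user=x' OR '1'='1 returns every row instead of one.
 */
function example_lookup_bad($name) {
  return db_query("SELECT uid, name FROM {example_users} WHERE name = '" . $name . "'")
    ->fetchAll();
}

/**
 * GOOD: a named placeholder. The value is sent to the database separately
 * from the query text, so quotes inside it cannot change the SQL.
 */
function example_lookup_good($name) {
  return db_query('SELECT uid, name FROM {example_users} WHERE name = :name',
    array(':name' => $name))->fetchAll();
}

/**
 * GOOD: the query builder. Conditions are always parameterised and the
 * code is easier to review than string SQL.
 */
function example_lookup_builder($name) {
  return db_select('example_users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.name', $name)
    ->execute()
    ->fetchAll();
}

/**
 * Two cases reviewers often see done wrong even when placeholders are used.
 */
function example_lookup_edge_cases(array $uids, $prefix) {
  // An IN () list: pass the array as a single placeholder; Drupal 7 expands
  // it to :uids_0, :uids_1, ... Never implode() the values into the query.
  $by_id = db_query('SELECT uid, name FROM {example_users} WHERE uid IN (:uids)',
    array(':uids' => $uids))->fetchAllKeyed();

  // A LIKE pattern: the placeholder stops injection, but % and _ in the
  // user's input are still wildcards. db_like() escapes them.
  $by_prefix = db_query('SELECT uid, name FROM {example_users} WHERE name LIKE :pattern',
    array(':pattern' => db_like($prefix) . '%'))->fetchAllKeyed();

  return array('by_id' => $by_id, 'by_prefix' => $by_prefix);
}

// Typical use from a page callback, with the request parameter as input:
// $rows = example_lookup_good(isset($_GET['user']) ? $_GET['user'] : '');
```

A quick review heuristic: any db_query() whose first argument is built with "." or sprintf() from a variable deserves a close look, and a "%s"-style placeholder in Drupal 7 code is a sign the author ported Drupal 6 code without reading the new API.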
Bad-smelling code
● Bad-smelling code should in most cases be refactored.
● http://sourcemaking.com/refactoring/bad-smells-in-code
Drupal Security Team
Goals of the security team
● Resolve reported security issues.
● Provide assistance for contributed module maintainers in resolving security issues.
● Provide documentation on how to write secure code.
● Provide documentation on securing your site.
How to report a security issue
● Do not post it in the issue tracker or discuss it in IRC.
● Mail [email protected]
● Provide as many details as you can. At least:
  ● Drupal version and/or module version.
  ● Steps to reproduce the problem.
● Do not disclose the vulnerability to anyone before the advisory is issued.
● You will be credited in the security announcement.
How the security team works with issues
● Review the issue and evaluate the potential impact on all supported releases of Drupal.
● If it is indeed a valid problem, the security team is mobilized to eliminate it.
● New versions are created and tested.
● New packages are created and uploaded to Drupal.org.
● When an issue has been fixed, all available communication channels are used to inform users of the steps they must take to protect themselves.
Issues with contributed modules
● The module maintainer is contacted with a deadline.
● When the maintainer fixes the problem, the security team issues an advisory.
● If the maintainer does not fix the problem within the deadline, an advisory is issued recommending that the module be disabled, and the project on Drupal.org is unpublished.
Happy code review!
Questions?