LFI and RCE protection guidelines #2580
Conversation
LFI and RCE protection guidelines
|
|
|
@buskamuza, please review the LFI and RCE guidelines that @kalpmehta added. |
| @@ -707,7 +707,7 @@ class SampleEventObserverThatModifiesInputs | |||
|
|
|||
| 15.1. Use prepared statements for SQL queries. | |||
|
|
|||
| 15.2. Broken Authentication protection. | |||
| ###15.2. Broken Authentication protection. | |||
There was a problem hiding this comment.
@kalpmehta, you need to remove all of the hashtags that you added. They're rendering as plaintext in the HTML.
|
@jeff-matthews that's weird, removed all the hashtags as requested. |
| @@ -761,6 +761,18 @@ class SampleEventObserverThatModifiesInputs | |||
|
|
|||
| 15.8. Frequently update the third-party libraries used in the project/component to eliminate known vulnerabilities. | |||
|
|
|||
| 15.9. LFI protection. | |||
There was a problem hiding this comment.
Please include abbreviation explanation, as in "13. Command line interface (CLI)".
|
|
||
| 15.10. RCE protection. | ||
|
|
||
| 15.10.1. SHOULD avoid usage of eval(), passthru(), system(), shell_exec() |
There was a problem hiding this comment.
We also do not recommend usage of unserialize, srand, mt_srand, md5 (see https://github.com/magento/magento2/blob/2.2-develop/dev/tests/static/testsuite/Magento/Test/Legacy/_files/security/unsecure_php_functions.php)
There was a problem hiding this comment.
We should rephrase 15.10.1 for clarity.
SHOULD NOT use eval(), passthru(), system, shell_exec().
There was a problem hiding this comment.
thanks @buskamuza for that.
@szurek sure, totally makes sense.
|
@szurek, @melnikovi , @paliarush , @akaplya , @DrewML , please review. |
jeff-matthews
requested review from
szurek,
akaplya,
DrewML,
melnikovi and
paliarush
| 15.10.1. SHOULD avoid usage of eval(), passthru(), system(), shell_exec() | ||
|
|
||
| 15.10.2. SHOULD NOT directly pass user-submitted values to include*(), require*(), create_function(), fopen(), preg_replace() | ||
|
|
||
| <!-- LINKS: DEFINITIONS AND ADDRESSES --> |
There was a problem hiding this comment.
Can we add that we recommend using readonly filesystem? Ability to modify files can lead to many different attacks. Maybe in a new section, since it's more general?
There was a problem hiding this comment.
Readonly filesystem is not something implemented on the application level, so there is nothing (except validation) developers can do to follow the requirement.
| 15.10.1. SHOULD avoid usage of eval(), passthru(), system(), shell_exec() | ||
|
|
||
| 15.10.2. SHOULD NOT directly pass user-submitted values to include*(), require*(), create_function(), fopen(), preg_replace() | ||
|
|
There was a problem hiding this comment.
I'd recommend adding:
15.10.3. SHOULD NOT use user-submitted data for variable functions.
Maybe a better way to phrase this? I'm referring to $userParam($userData);
There was a problem hiding this comment.
@szurek nice addition. Just added.
| 15.10.1. SHOULD NOT use eval(), passthru(), system(), shell_exec(), serialize(), unserialize(), md5(), srand(), mt_srand() | ||
|
|
||
| 15.10.2. SHOULD NOT directly pass user-submitted values to include*(), require*(), create_function(), fopen(), preg_replace() | ||
|
|
||
| <!-- LINKS: DEFINITIONS AND ADDRESSES --> |
There was a problem hiding this comment.
@kalpmehta what do you think about adding that we recommend using readonly filesystem? Ability to modify files can lead to many different attacks. Maybe in a new section, since it's more general?
There was a problem hiding this comment.
Agree it's best as per security to only allow read-only file access. I was wondering what if some extension or custom development needs file write operations as well. There should not be any issues as long as user-submitted values are not passed to these functions.
There was a problem hiding this comment.
If extension needs to write/modify files, these files should be located in directories application not trying to include/execute files from (pub/media, var). It's very tricky as sometimes attacks because possible as combination of multiple vulnerabilities.
|
|
||
| 15.10. Remote Code Execution (RCE) protection. | ||
|
|
||
| 15.10.1. SHOULD NOT use eval(), passthru(), system(), shell_exec(), serialize(), unserialize(), md5(), srand(), mt_srand() |
There was a problem hiding this comment.
We already have most of the functions from 15.10.1 prohibited by our static tests. @melnikovi, in scope of CR automation initiative, could you please double check if any of these are not covered yet.
@kalpmehta If we make sure that all these functions are covered by static tests, does it make sense to have this section?
There was a problem hiding this comment.
@paliarush I think it makes sense to list all the unsecure functions so that any engineer who comes to refer these guidelines becomes aware of not using those functions at all. This would also be useful to engineers/architects who does manual code reviews or writes code without running tests. However, I am open to remove that section if you think so!
There was a problem hiding this comment.
Yes, the section itself makes sense. Though in the future we'd like to cover as many as possible with automated tests.
|
✅ review passed from architecture side. Great addition to the guidelines! |
jeff-matthews
added
Major Update
jeff-matthews
added
the
Technical
|
@jeff-matthews please add |
12 12 integration
LFI and RCE protection guidelines. Also formatted Security Guidelines.
This PR is a:
Summary
Includes LFI and RCE protection guidelines.
whatsnew
Added local file inclusion (LFI) and remote code execution (RCE) protection guidelines to the Code Magento Standards.