Security: Odoo Code Hardening

Odoo Code Hardening
- Security -

Knowledge and
mindset are key.

Security Model
Business
Data
RBAC = Groups + ACL + Rules
Apps / Business Logic
Access
Control

A1. Injection A6. Security Misconfiguration
A2. Broken Authentication A7. Cross-Site Scripting (XSS)
A3. Sensitive Data Exposure A8. Insecure Deserialization
A4. XML External Entities (XXE) A9. Vulnerable Components
A5. Broken Access Control A10. Insufficient Logging
(2017 ed.)

HELP?
The Odoo framework includes a lot of
mechanisms to avoid mistakes.
But knowledge and mindset are key!

A1. Injection
Untrusted data interpreted as code

Hello, my name is
Robert’); DROP TABLE students;--
👱
https://xkcd.com/327

# SQL Injection (simplified)
def _get_partner_match(self, name, partner_type='is_customer'):
query = f"""SELECT id FROM res_partner
WHERE name ILIKE '%{name}%'
AND {partner_type} IS TRUE"""
self._cr.execute(query)
return self._cr.fetchall()

# SQL Injection (simplified) - 2
WHERE name ILIKE '%%%(name)s%%'
AND {partner_type} IS TRUE """
self._cr.execute(query, (name,))

# SQL Injection (simplified) - 3 - Safe!
if partner_type not in ('is_customer', 'is_supplier'):
raise ValueError()
WHERE name ILIKE '%%%(name)s%%'
AND {partner_type} IS TRUE """
self._cr.execute(query, (name,))

# Best option when possible: use the ORM
return self.search([('name', 'ilike', name),
(partner_type, '=', True)])

A2. Broken Auth
Authentication / session management
logic error

A2. Broken Auth
Bad news: there are lots of moving
parts, it’s hard to get this right.
Good news: the system does all of
that for you.
Be very careful if you try to modify or
extend the authentication and session
mechanisms.
➔ Securing session cookie
➔ Preventing session injection
➔ Rotating session after login/logout
➔ Storing passwords securely
➔ Verifying passwords securely
➔ Preventing brute-force attacks
➔ Security of password reset flow
➔ Rejecting deactivated users
➔ Instant lockout after account change
➔ Integration with third-party auths
➔ Two-factor flow, token security
➔ ...
and much more...
What’s so hard?

A3. Sensitive Data
Exposure
Insufficient protection for sensitive data

TODO
# Sensitive data exposed
class Employee(models.Model):
_inherit = "hr.employee"
ssnid = fields.Char("Social Security Number")
passport = fields.Char("Passport No")
# Sensitive data protected
class Employee(models.Model):
_inherit = "hr.employee"
ssnid = fields.Char("Social Security Number", groups="hr.group_officer")
passport = fields.Char("Passport No", groups="hr.group_officer")

A4. XML External
Entities
Unsafe parsing of untrusted XML data

XXE: use safe XML parsers
Recursion bombs
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>
Local File Inclusion
<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///etc/password">
]>
<root>&ee;</root>
The framework protects you.
Use lxml.etree:
etree.fromstring(xml_data)
lxml.etree is configured to reject:
+ recursive entities
+ network resolution
+ local entity resolution
Or have a look at defusedxml.

A5. Broken Access
Control
Incorrect validation of user permissions

# Missing/Incorrect ACLs
➔ The most common mistake!
➔ New models require:
+ ACLs (CRUD)
+ Record rules (CRUD filter)
+ Field-level permission
Bad ACLs examples
# Full Access to everyone - incorrect
id,model_id,group_id,p_read,p_write,p_create,p_unlink
access_my_model,model_my_model, ,1,1,1,1
# Full Access to employees - probably incorrect
access_my_model,model_my_model,base.group_user,1,1,1,1
Normal ACLs examples
# Employee = Read | Manager = Full
access_my_model,model_my_model,base.group_user,1,0,0,0
access_my_model,model_my_model,base.group_manager,1,1,1,1
As of V14, also for TransientModel.

# Incorrect sudo() or permission test
# Portal controller route
@route(['/sale/<int:order_id>/approve'], type='json', methods=['POST'], auth='public')
def order_approve(self, order_id, **post):
order = self.env['sale.order'].sudo().browse(order_id)
order.action_approve()
user
public
none
converters type methods
auth

# Portal controller route - bad!
@route(['/sale/<int:order_id>/approve'], type='json', methods=['POST'], auth='public')
def order_approve(self, order_id, **post):

# Portal controller route - corrected
@route(['/sale/<int:order_id>/approve'], type='http', methods=['POST'], auth='public')
def order_approve(self, order_id, token, **post):
if not tools.consteq(order.access_token, token):
raise AccessDenied()

def get_notifications(self, partner_id):
# direct SQL for complex query performance
query = """
SELECT DISTINCT m.id, m.author_id, m.message_type
FROM mail_message
LEFT JOIN mail_message_res_partner_rel
LEFT JOIN mail_message_res_partner_needaction_rel needaction
(...)
WHERE partner_id = %s
"""
self._cr.execute(query, (partner_id,))

def _get_notifications(self, partner_id):
self.check_access_rights('read')
# direct SQL for complex query performance
query = """
SELECT DISTINCT m.id, m.author_id, m.message_type
FROM mail_message
LEFT JOIN mail_message_res_partner_rel
LEFT JOIN mail_message_res_partner_needaction_rel needaction
(...)
WHERE partner_id = %s
"""
self._cr.execute(query, (partner_id,))

odoo.com/documentatio
n ● PostgreSQL security (no super user)
● Web server + TLS
● Database manager security
● Separate Production / Staging / Dev
● No demo data on Production
● SSH security
● Rate-limiting and brute-force
protections
And more...
Deployment Checklist

A7. XSS
Untrusted data interpreted as code… again!

Stored / Reflected XSS
➔ Untrusted HTML content in the database,
in some text/char field
➔ Victim is tricked into viewing it
➔ When displayed in the browser, it
becomes executable
@route('/index', type='http', auth="none")
def index(self)
session_info = {
'user_name': request.env.user.name,
}
response = request.render(
'web.webclient_bootstrap',
{session_info: session_info}
)
return response
<template id="web.webclient_bootstrap">
<t t-call="web.layout">
<t t-set="head_web">
<script type="text/javascript">
odoo.session_info =
<t t-raw="str(session_info)"/>;
</script>
</t>
</t>
</template>
Name:
</script><script>alert(document.cookie);//
odoo.session_info = {'user_name':
"</script><script>alert(document.cookie);//"};
</script>

Stored / Reflected XSS
➔ Untrusted HTML content in the database,
in some text/char field
➔ Victim is tricked into viewing it
➔ When displayed in the browser, it
does not become executable
@route('/index', type='http', auth="none")
def index(self)
session_info = {
'user_name': request.env.user.name,
}
response = request.render(
'web.webclient_bootstrap',
{session_info: session_info}
)
return response
<template id="web.webclient_bootstrap">
<t t-call="web.layout">
<t t-set="head_web">
odoo.session_info =
<t t-esc="str(session_info)"/>;
</script>
</t>
</t>
</template>
Name:
</script><script>alert(document.cookie);//
odoo.session_info = {'user_name':
'</script><script>alert(document.cookie);//'};
</script>

DOM-based XSS
Barrier broken between text and markup
// Text manipulation
elem.textContent = "...";
$elem.text(“..”);
// Markup manipulation
elem.innerHTML = ""...";
$elem.html(...);
Do not mix them.
/**
* Adds the product description based on attribute values
*
* @private
*/
_postProcessContent: function ($modalContent) {
var $productDescription = $modalContent
.find('.main_product');
var desc = $productDescription.html();
$.each(this.rootProduct.attribute_values, function () {
desc += ('<br/>' + this.attribute_value_name
+ ':' + this.custom_value);
});
$productDescription.html(desc);
return $modalContent;
},

DOM XSS
$elem.html(...);
Do not mix.
Maybe convert.
markup = _.escape(text);
/**
*
* @private
*/
var desc = $productDescription.html();
desc += ('<br/>' + _.escape(this.attribute_value_name)
+ ':' + _.escape(this.custom_value));
});
$productDescription.html(desc);
},

DOM XSS
$elem.html(...);
Do not mix.
Maybe convert.
But, really: do not mix.
/**
*
* @private
*/
var $customValuesDescription = $('<div>');
$customValuesDescription.append($('<div>', {
text: (this.attribute_value_name + ': ' +
this.custom_value);
}));
});
$productDescription.append($customValuesDescription);
},

STRING
FORMATTING
“<b>” + name
`<b>${name}</b>`
UNSAFE
DESERIALIZATION
eval()
VULNERABLE
TEMPLATES
t-raw
VULNERABLE LIB
$.popover()
FILES
.svg,.html
LINKS
javascript:
XSS VECTORS ARE EVERYWHERE

The framework uses safe serialization:
● RPC protocols (JSON-RPC, XML-RPC)
● Cache
● Cookies, sessions
● Signed structured data
So watch out:
● Don’t use pickle, use JSON!
● Don’t parse data with eval()
● Sign structured data

@classmethod
def _login(cls, db, login, password, user_agent_env):
ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
try:
# do login ...
except AccessDenied:
_logger.info("Login failed for db:%s login:%s from %s", db, login, ip)
raise
_logger.info("Login successful for db:%s login:%s from %s", db, login, ip)
_logger.info(
"Password reset attempt for <%s> by user <%s> from %s",
login, request.env.user.login, request.httprequest.remote_addr)
odoo.addons.base.models.res_users: Login failed for db:production login:mike@ex.com from 16.12.19.27
odoo.addons.base.models.res_users: Login successful for db:production login:mike@ex.com from 14.16.23.56
odoo.addons.auth_signup...main: Password reset attempt for <lenny@ex.com> by user <public> from 85.133.187.167

def assert_log_admin_access(method):
"""Decorator checking that the calling user is an administrator, and logging the call.
Raise an AccessDenied error if the user does not have administrator privileges
"""
def check_and_log(method, self, *args, **kwargs):
user = self.env.user
origin = request.httprequest.remote_addr if request else 'n/a'
log_data = (method.__name__, self.sudo().mapped('name'), user.login, user.id, origin)
if not self.env.is_admin():
_logger.warning('DENY access to module.%s on %s to user %s ID #%s via %s', *log_data)
raise AccessDenied()
_logger.info('ALLOW access to module.%s on %s to user %s #%s via %s', *log_data)
return method(self, *args, **kwargs)
return decorator(check_and_log, method)
odoo...ir_module: ALLOW access to module.button_immediate_uninstall on ['crm'] to user bart@ex.com #2 via 2.5.15.214
odoo...ir_module: ALLOW access to module.button_uninstall on ['crm'] to user bart@ex.com #2 via 2.5.15.214
odoo...ir_module: ALLOW access to module.module_uninstall on ['sale_crm', 'crm'] to user __system__ #1 via 2.5.15.214

CODE
REVIEW
CHECKLIST
01
CONTROL
ACCESS
Groups, ACLs, Rules
and Fields
02
VERIFY
PERMISSIONS
sudo(), controllers,
private methods
03
CHECK TEMPLATES
t-raw, untrusted
input escaped
04
SAFE EVAL
Eval only trusted input,
iff impossible to avoid
BLOCK INJECTIONS
05 Double-check raw SQL,
shell commands, etc.
XSS PREVENTION
06 DOM, Stored,
Reflected, look for the
signs!

Choose someone who
improves the knowledge
and mindset of the team.

Security: Odoo Code Hardening

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Security: Odoo Code Hardening

Ähnlich wie Security: Odoo Code Hardening (20)

Mehr von Odoo

Mehr von Odoo (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security: Odoo Code Hardening

Hinweis der Redaktion