
Add basic security checks to codechecker/precheck

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: Integration
    • Labels: None

      Description

      Just an idea, we could add warnings to the codechecker when some obvious security features are missing, i.e.:

      • defined('MOODLE_INTERNAL') missing
      • MOODLE_INTERNAL not defined and login not required (could be legit, but often not)
      • ...

      I made a quick and dirty script that uses pfff to check for those. There are still quite a lot of false positives but you get the idea.

      #!/bin/bash
      # Quick heuristic scan of Moodle PHP files using pfff's sgrep.
      # Set DEBUG to any non-empty value to print the per-file match summary.
      DEBUG=

      if [[ -n $1 ]]
      then
          FILES="$1"
      else
          # Every .php file except vendored code and codechecker itself (glob quoted so the shell does not expand it).
          FILES=$(find . -iname '*.php' -type f ! -path "./vendor/*" ! -path "*codechecker*")
      fi

      for F in $FILES
      do
          # Each variable is non-empty when the corresponding construct appears in the file.
          MOODLEINTERNAL=$(sgrep -e 'defined("MOODLE_INTERNAL")' -oneline "$F" 2> /dev/null)
          REQUIRECONFIG=$(grep -E "require_once|require" "$F" | grep 'config\.php')
          REQUIRELOGIN=$(sgrep -e 'require_login(...)' -oneline "$F" 2> /dev/null)
          REQUIRECOURSELOGIN=$(sgrep -e 'require_course_login(...)' -oneline "$F" 2> /dev/null)
          ADMINSETUP=$(sgrep -e 'admin_externalpage_setup(...)' -oneline "$F" 2> /dev/null)
          NOCOOKIES=$(sgrep -e 'define("NO_MOODLE_COOKIES", true)' -oneline "$F" 2> /dev/null)
          CLISCRIPT=$(sgrep -e 'define("CLI_SCRIPT", true)' -oneline "$F" 2> /dev/null)

          if [[ $DEBUG ]]
          then
              echo "Parsing $F"
              echo "  MOODLEINTERNAL:" $([[ -n $MOODLEINTERNAL ]] && echo 1 || echo 0)
              echo "  REQUIRECONFIG:" $([[ -n $REQUIRECONFIG ]] && echo 1 || echo 0)
              echo "  REQUIRELOGIN:" $([[ -n $REQUIRELOGIN ]] && echo 1 || echo 0)
              echo "  REQUIRECOURSELOGIN:" $([[ -n $REQUIRECOURSELOGIN ]] && echo 1 || echo 0)
              echo "  ADMINSETUP:" $([[ -n $ADMINSETUP ]] && echo 1 || echo 0)
              echo "  NOCOOKIES:" $([[ -n $NOCOOKIES ]] && echo 1 || echo 0)
              echo "  CLISCRIPT:" $([[ -n $CLISCRIPT ]] && echo 1 || echo 0)
          fi

          if [[ -z $MOODLEINTERNAL ]] && [[ -z $REQUIRECONFIG ]]
          then
              # No config required, and no MOODLE_INTERNAL check.
              echo "Missing MOODLE_INTERNAL: $F"

          elif [[ -n $REQUIRECONFIG ]]
          then
              # Config is included, so this is a web entry point.

              if [[ -z $REQUIRELOGIN ]] && [[ -z $REQUIRECOURSELOGIN ]] && [[ -z $ADMINSETUP ]] && [[ -z $NOCOOKIES ]] && [[ -z $CLISCRIPT ]]
              then
                  # require_login() is not present, and it's not an admin page, a no-cookie page or a CLI script.
                  echo "Missing LOGIN: $F"
              fi

          fi
      done
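The same two heuristics re-implemented in Python as an added example (this is not the reporter's script and not part of the Moodle codechecker). It replaces the sgrep queries with regular expressions so it runs without pfff, strips PHP comments first so a commented-out require_login() is not mistaken for a login check, and runs over a handful of constructed sample files. The file names, PHP contents and function names below are constructed for the example.

```python
"""Heuristic static check for two security omissions in Moodle PHP files.

Added example (not the tracker reporter's script): re-implements the
bash/sgrep heuristics with regular expressions. All file names and PHP
contents in SAMPLE_FILES are constructed samples.
"""
import re
from typing import Dict, List

# Rough equivalents of the sgrep patterns. Each accepts single or double quotes
# and optional whitespace, which the original exact-text queries did not.
MOODLE_INTERNAL_RE = re.compile(r"""defined\(\s*['"]MOODLE_INTERNAL['"]\s*\)""")
REQUIRE_CONFIG_RE = re.compile(
    r"""\b(?:require|require_once|include|include_once)\b[^;]*config\.php""")
LOGIN_RE = re.compile(
    r"\b(?:require_login|require_course_login|admin_externalpage_setup)\s*\(")
NO_COOKIES_RE = re.compile(r"""define\(\s*['"]NO_MOODLE_COOKIES['"]\s*,\s*true\s*\)""")
CLI_SCRIPT_RE = re.compile(r"""define\(\s*['"]CLI_SCRIPT['"]\s*,\s*true\s*\)""")


def strip_comments(source: str) -> str:
    """Drop /* */ and // comments so a commented-out require_login() does not count.

    Approximation: a '//' inside a string literal (e.g. a URL) is also cut.
    """
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def check_php_source(name: str, source: str) -> List[str]:
    """Return the warnings the shell script would print for one file."""
    code = strip_comments(source)
    has_internal = bool(MOODLE_INTERNAL_RE.search(code))
    has_config = bool(REQUIRE_CONFIG_RE.search(code))
    has_login = bool(LOGIN_RE.search(code))
    has_nocookies = bool(NO_COOKIES_RE.search(code))
    has_cli = bool(CLI_SCRIPT_RE.search(code))

    warnings: List[str] = []
    if not has_internal and not has_config:
        # Library-style file that neither bootstraps Moodle nor guards against direct access.
        warnings.append(f"Missing MOODLE_INTERNAL: {name}")
    elif has_config and not (has_login or has_nocookies or has_cli):
        # Web entry point that bootstraps Moodle but never forces authentication.
        warnings.append(f"Missing LOGIN: {name}")
    return warnings


# Constructed sample files, one per branch of the heuristic.
SAMPLE_FILES: Dict[str, str] = {
    # Guarded library file: fine.
    "lib.php": "<?php\ndefined('MOODLE_INTERNAL') || die();\n"
               "function local_demo_helper() { return 1; }\n",
    # Entry point with require_login(): fine.
    "view.php": "<?php\nrequire_once(__DIR__ . '/../../config.php');\n"
                "require_login();\necho 'ok';\n",
    # Entry point whose only require_login() is commented out: flagged.
    "export.php": "<?php\nrequire('../../config.php');\n"
                  "$id = required_param('id', PARAM_INT);\n"
                  "// require_login();  // commented out, must not count\n"
                  "echo $id;\n",
    # Unguarded library file: flagged.
    "helper.php": "<?php\nfunction local_demo_unguarded() { return 2; }\n",
    # CLI script: exempt from the login check.
    "cli/sync.php": "<?php\ndefine('CLI_SCRIPT', true);\n"
                    "require(__DIR__ . '/../../../config.php');\n",
}


def run_checks(files: Dict[str, str] = SAMPLE_FILES) -> List[str]:
    """Run the check over a name -> source mapping and return all warnings, sorted."""
    found: List[str] = []
    for name, source in files.items():
        found.extend(check_php_source(name, source))
    return sorted(found)


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

The false-positive rate is still the same class as the original: a file that is only ever included by a page that already called require_login() will be reported as "Missing LOGIN", so the output is a review list, not a verdict.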
      
