How to Break Odoo's Security - Or How to Prevent It

Odoo Experience 2018 / Developers

1. How to Break Odoo's Security (or how to prevent it :-)). Olivier DONY, Platform & Security. EXPERIENCE 2018. security@odoo.com - @odony

2. Odoo Security Team
   ★ Audit / Review source code
   ★ Analyze customer audits
   ★ Raise awareness
   ★ Monitor security@odoo.com
   ★ Responsible Disclosure Process
   ★ Security Advisories: odoo.com/security-report
   ★ Now an Official CVE Numbering Authority (CNA)!

3. THE SECURITY MODEL: Business Data / DATA ACCESS LAYER / ACCESS CONTROL (Groups, ACLs, Rules) / APPS

4. Multi-Level Access Control. User (GroupA, GroupB) wants to access data. The layers in between: ir.model.access (groups); ir.rule (groups); ir.rule (global); Per-field @groups

5. Multi-Level Access Control. User wants to access data. (Same diagram as slide 4.)

6. Multi-Level Access Control. (Same diagram as slide 4.)

7. Multi-Level Access Control. Each layer controls separately the 4 CRUD operations: Create, Read, Update, Delete. (Same diagram as slide 4.)

8. Multi-Level Access Control. These layers control separately the 4 CRUD operations: Create, Read, Update, Delete, a.k.a. CRWU: Create, Read, Write, Unlink. (Same diagram as slide 4.)

9. Correct ACLs are key for securing an Odoo App. Module layout:
   fleet/
     controllers/
     data/
     models/  (fleet.vehicle, fleet.contract)
     views/
     security/
       ir.model.access.csv
       security.xml
   The group, in security.xml:
     <record model="res.groups" id="group_manager">
         <field name="name">Fleet Manager</field>
     </record>
   The ACLs, in ir.model.access.csv:
     model           group                C  R  W  U
     fleet.vehicle   base.group_user      0  1  0  0
     fleet.vehicle   fleet.group_manager  1  1  1  1
     fleet.contract  fleet.group_manager  1  1  1  1
   The record rule, in security.xml:
     <record model="ir.rule" id="rule_fleet_user">
         <field name="model_id" ref="model_fleet_vehicle"/>
         <field name="groups" eval="[(4, ref('base.group_user'))]"/>
         <field name="domain_force">[('driver_id', '=', user.id)]</field>
     </record>

10. Common vulnerabilities? Injection (SQL, Code, ...); Access Control (Wrong checks); Broken Auth (Sessions/Cred); Information Leaks; Security Misconfiguration; Cross-site scripting (XSS) [Covered]; Cross-Site Request Forgery (CSRF/XSRF)

11. So, how do we break in?

12. Breaks security? (1)

13. Breaks security. (1) SQL Injection!

14. Bobby Tables...

15. Breaks security? (2) NOPE, but close! Ugly but not injectable

16. Breaks security? (3)

17. Breaks security? (3) ACCESS CONTROL!

18. Breaks security? (3)

19. Breaks security? (4)

20. Breaks security? (4)

21. Breaks security? (4)

22. Breaks security? (4) ACCESS CONTROL! Accepts arbitrary fields, not just those in the form: unsafe sudo!!

23. Breaks security? (5) DATA LEAK! Unsafe domain concat. Could receive a partial domain: ['|',('body','ilike','password'),'&']. Result: ['|',('body','ilike','password'), '&',('model','=','sale.order'), ('res_id','=',res_id)]

24. Breaks security? (5) Safe domain combination

25. There's more... https://www.odoo.com/r/h3s https://www.odoo.com/r/dbN

26. Merge Security Checklist
   New fields/models? -> ACLs to add? Sensitive fields?
   New methods? -> Private by default?
   sudo? -> Double-check scope, record leaks, args
   t-raw? -> Remove it quickly, unless it's a sanitized Html field
   getattr? -> Find an alternative, there should be one...
   (safe)_eval? -> Triple-check! Not for parsing data, right?
   raw SQL? -> No %, concat or format(), right? Check again!
   And now imagine that you're an attacker...

27. Thank you. #odooexperience. Security concern? ➢ security@odoo.com. EXPERIENCE 2018. Photo credits: https://www.flickr.com/photos/129153735@N02/ https://www.flickr.com/photos/fallentomato/ https://www.flickr.com/photos/popatito_feo/ https://www.flickr.com/photos/medevac71/
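The data leak of slide 23 and the safe combination of slide 24, as an added example that is not from the talk or from Odoo's source: a simplified reimplementation of domain normalisation in the spirit of odoo.osv.expression.AND, run against constructed mail.message rows (RECORDS, RESTRICTION and all function names are assumptions). A user-supplied prefix such as ['|', leaf, '&'] swallows the server's own '&' under plain list concatenation, so the restriction to one sale.order becomes an alternative instead of a constraint; normalising each part before combining rejects the malformed domain outright.

```python
# Simplified model of Odoo's prefix-notation domains ('&' and '|' only); not Odoo's own code.
TRUE_LEAF = (1, '=', 1)
def normalize_domain(domain):
    # make every implicit '&' explicit; reject a domain still owing operands at the end
    result, expected = [], 1            # expected = operands still owed
    for token in domain or [TRUE_LEAF]:
        if expected == 0:               # one term too many: an implicit '&' goes in front
            result, expected = ['&'] + result, 1
        expected += 1 if token in ('&', '|') else -1    # operator owes two, a leaf pays one
        result.append(token)
    if expected != 0:
        raise ValueError("malformed domain: %r" % (domain,))
    return result

def combine_and(domains):
    # safe combination: normalise each part first, then prepend one '&' per extra part
    parts = [normalize_domain(d) for d in domains]
    return ['&'] * (len(parts) - 1) + [t for p in parts for t in p]

def evaluate(domain, rec):
    # evaluate a normalised domain against one record dict (operators '=' and 'ilike')
    stack = []
    for token in reversed(domain):      # scanning prefix notation right-to-left
        if token in ('&', '|'):
            a, b = stack.pop(), stack.pop()
            stack.append((a and b) if token == '&' else (a or b))
        else:
            field, op, value = token
            v = rec.get(field, field)   # default makes TRUE_LEAF (1, '=', 1) match everything
            stack.append(v == value if op == '=' else
                         isinstance(v, str) and value.lower() in v.lower())
    return stack.pop()

RECORDS = [  # constructed sample mail.message rows
    {'id': 1, 'model': 'sale.order', 'res_id': 7, 'body': 'please reset my password'},
    {'id': 2, 'model': 'hr.employee', 'res_id': 3, 'body': 'new password for VPN: hunter2'},
    {'id': 3, 'model': 'sale.order', 'res_id': 9, 'body': 'thanks for the quote'},
]
RESTRICTION = [('model', '=', 'sale.order'), ('res_id', '=', 7)]   # server-side part (slide 23)

def search(domain):                     # ids of the RECORDS matching the domain
    return [r['id'] for r in RECORDS if evaluate(normalize_domain(domain), r)]
def unsafe_search(user_domain):
    return search(user_domain + RESTRICTION)            # plain list concat: exploitable
def safe_search(user_domain):
    try:
        return search(combine_and([user_domain, RESTRICTION]))
    except ValueError:
        return None                     # malformed user domain rejected, nothing leaks
```

With the partial domain from slide 23, unsafe_search returns the hr.employee message (id 2) as well, while safe_search refuses the domain; a well-formed domain gives the same single result either way.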
