Recent core vulnerability policies and file name changes

timclifford · Sep 18, 2020 · 3bef4ce · 3bef4ce
1 parent b76b745
commit 3bef4ce
Show file tree

Hide file tree

Showing 13 changed files with 199 additions and 14 deletions.
diff --git a/Policies/d7-SA-CORE-2020-007.policy.yml b/Policies/d7-SA-CORE-2020-007.policy.yml
@@ -0,0 +1,18 @@
+title: "SA-CORE-2020-007"
+class: \Drutiny\algm\Audit\ModuleVersion
+name: Drupal-7:SA-CORE-2020-007
+tags:
+  - Drupal 7
+  - Security
+description: |
+  Runs tests to check for SA-CORE-2020-007 (https://www.drupal.org/sa-core-2020-007).
+
+  The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
+remediation: Upgrade Drupal 7 to 7.73
+success: This site is secure from the vulnerabilities in SA-CORE-2020-007
+failure: This sites current Drupal version {{current_version}} is not secure against SA-CORE-2020-007.
+parameters:
+  module:
+    default: system
+  version:
+    default: 7.73
diff --git a/Policies/d8-SA-CORE-2020-009.policy.yml b/Policies/d8-SA-CORE-2020-009.policy.yml
@@ -0,0 +1,20 @@
+title: "SA-CORE-2020-009"
+class: \Drutiny\algm\Audit\D8_SA_CORE_2020_009
+name: Drupal-8:SA-CORE-2020-009
+tags:
+  - Drupal 8
+  - Security
+description: |
+  Runs tests to check for SA-CORE-2020-0079 (https://www.drupal.org/sa-core-2020-009).
+
+  Core Drupal 8 reflected XSS vulnerability.
+remediation: |
+  If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
+  If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
+success: This site is secure from the vulnerabilities in SA-CORE-2020-009
+failure: This sites current Drupal version {{current_version}} is not secure against SA-CORE-2020-009.
+parameters:
+  module:
+    default: system
+  version:
+    default: 8.9.6
diff --git a/Policies/d8_security_module_updates.policy.yml b/Policies/d8_security_module_updates.policy.yml
@@ -1,4 +1,4 @@
-title: "Drupal 8/9 Security Module Updates policy"
+title: "Drupal 8/9 Security Module Updates"
 class: \Drutiny\algm\Audit\D8SecurityModuleUpdates
 name: algm:D8SecurityModuleUpdates
 tags:

diff --git a/Policies/health_check.policy.yml b/Policies/health_check.policy.yml
@@ -1,4 +1,4 @@
-title: "Health Check Policy"
+title: "Health Check"
 class: \Drutiny\algm\Audit\HealthCheck
 name: algm:HealthCheck
 description: |

diff --git a/Policies/D9_module_updates_scan.policy.yml → Policies/module_updates_status.policy.yml b/Policies/D9_module_updates_scan.policy.yml → Policies/module_updates_status.policy.yml
@@ -1,7 +1,8 @@
-title: "Drupal 9 Module Updates policy"
-class: \Drutiny\algm\Audit\D9ModuleUpdateStatus
-name: algm:D9ModuleUpdates
+title: "Drupal 8/9 Module Updates"
+class: \Drutiny\algm\Audit\ModuleUpdateStatus
+name: algm:ModuleUpdates
 tags:
+  - Drupal 8
   - Drupal 9
   - Module Updates
   - Security

diff --git a/Policies/pagespeedinsightsscore.policy.yml b/Policies/pagespeedinsightsscore.policy.yml
@@ -1,6 +1,6 @@
 title: "Page Speed Insights policy"
 class: \Drutiny\algm\Audit\PageSpeedInsightsScore
-name: ALGMPerformance:PSI
+name: algm:Performance:PSI
 description: |
   Runs PSI against LAGOON_ROUTE
 success: |

diff --git a/Profiles/algm_d7_sla_site.profile.yml b/Profiles/algm_d7_sla_site.profile.yml
@@ -6,11 +6,11 @@ policies:
       { severity: high }
     'algm:DrushStatus':
       { severity: normal }
-    'algm:D7SecurityModuleUpdates':
-      { severity: high }
     'algm:FileSystemAnalysis':
       { severity: normal }
-    # D7
+    # General
+    'Drupal:moduleUpdates': { severity: normal }
+    # Drupal 7
     'Drupal-7:NoDuplicateModules': { severity: normal }
     'Drupal-7:OverlayModuleDisabled': { severity: normal }
     'Drupal-7:BlackListPermissions': { severity: normal }
@@ -34,6 +34,7 @@ policies:
     'Database:Size': { severity: normal }
     # Security
     'Drupal-7:User1LockDown': { severity: normal }
+    'algm:D7SecurityModuleUpdates': { severity: high }
     'fs:SensitivePublicFiles':
       {
         severity: high,

diff --git a/Profiles/ALGMPerformance.profile.yml → Profiles/algm_performance.profile.yml b/Profiles/ALGMPerformance.profile.yml → Profiles/algm_performance.profile.yml
@@ -1,6 +1,6 @@
 title: 'ALGM Performance'
 description: 'Site Performance Audit for ALGM.'
 policies:
-    'ALGMPerformance:PSI': { }
+    'algm:Performance:PSI': { }
 format:
     html: { template: page, content: [{ heading: Purpose, body: "This report is designed to provide some feedback on the overall health of\nthe web application by performing some deep dive analysis. The items\nsurfaced in the report can help improve performance and stability.\n" }, { heading: 'Reporting period', body: "Period | Date time\n------ | ---------\nStart | {{reporting_period_start}}\nEnd | {{reporting_period_end}}\n" }, { heading: Recommendations, body: "<ul>\n{{# remediations }}\n  <li>{{{ . }}}</li>\n{{/ remediations }}\n</ul>\n" }, { heading: Findings, body: "{{{ severity_stats }}}\n### Issue Summary\n{{{ summary_table }}}\n\n{{#failures}}\n  ### Issues\n  {{# output_failure }}\n    {{{.}}}\n  {{/ output_failure }}\n{{/failures}}\n\n{{#warnings}}\n  ### Warnings\n  {{# output_warning }}\n    {{{.}}}\n  {{/ output_warning }}\n{{/warnings}}\n" }, { heading: Appendix, body: "{{#notices}}\n  ### Appendix - Analysis\n\n  The various appendices provides more detailed data regarding the health of\n  the site.\n\n  {{# output_notice }}\n    {{{.}}}\n  {{/ output_notice }}\n{{/notices}}\n\n{{#errors}}\n  ### Appendix - Errors\n\n  During the production of this report, not all report policies were able to\n  be carried out due to errors encounted.\n\n  {{#output_error}}\n    {{{.}}}\n  {{/output_error}}\n{{/errors}}\n\n### Appendix - Summary\nThe below table describes all audit and analysis work completed for the\nproduction of this report and their associated outcomes.\n\n{{{ appendix_table }}}\n\n{{#passes}}\n### Appendix - Successful Assessments\n{{# output_success }}\n  {{{.}}}\n{{/ output_success }}\n{{/passes}}\n" }] }
diff --git a/Profiles/algm_sla_site.profile.yml b/Profiles/algm_sla_site.profile.yml
@@ -6,7 +6,7 @@ policies:
       { severity: high }
     'algm:DrushStatus':
       { severity: normal }
-    'algm:D9ModuleUpdates':
+    'algm:ModuleUpdates':
       { severity: high }
     'algm:D8SecurityModuleUpdates':
       { severity: high }

diff --git a/src/Audit/D8_SA_CORE_2020_009.php b/src/Audit/D8_SA_CORE_2020_009.php
@@ -0,0 +1,83 @@
+<?php
+
+namespace Drutiny\algm\Audit;
+
+use Drutiny\Audit;
+use Drutiny\Sandbox\Sandbox;
+use Drutiny\Annotation\Param;
+use Exception;
+
+/**
+ * Check the version of Drupal project in a site.
+ *
+ * @Param(
+ *  name = "module",
+ *  description = "The module to version information for",
+ *  type = "string"
+ * )
+ * @Param(
+ *  name = "version",
+ *  description = "The static version to check against.",
+ *  type = "string"
+ * )
+ * @Param(
+ *  name = "comparator",
+ *  description = "How to compare the version (greaterThan, greaterThanOrEqualTo, lessThan etc. See https://github.com/composer/semver)",
+ *  type = "string",
+ *  default = "greaterThanOrEqualTo"
+ * )
+ */
+class D8_SA_CORE_2020_009 extends Audit {
+
+  public function audit(Sandbox $sandbox)
+  {
+    $module = $sandbox->getParameter('module');
+    $version = $sandbox->getParameter('version');
+    $comparator_method = $sandbox->getParameter('comparator');
+
+    // Check for presence of patch
+    try {
+      $find_patch = trim($sandbox->exec('find . -name FormBuilder.php -exec grep "filterBadProtocol" {} \;'));
+    }
+    catch (Exception $e) {
+      throw new \Exception("Failed to run find");
+      return Audit::ERROR;
+    }
+
+    if ($find_patch !== '') {
+      return Audit::SUCCESS;
+    }
+
+    if (!method_exists("Composer\Semver\Comparator", $comparator_method)) {
+      throw new \Exception("Comparator method not available: $comparator_method");
+    }
+
+    try {
+      $info = $sandbox->drush(['format' => 'json'])->pmList();
+    }
+    catch (Exception $e) {
+      throw new \Exception("Drush command failed");
+      return Audit::ERROR;
+    }
+
+
+    if (!isset($info[$module])) {
+      return Audit::NOT_APPLICABLE;
+    }
+
+    $current_version = strtolower($info[$module]['version']);
+    $sandbox->setParameter('current_version', $current_version);
+
+    if (substr($current_version, 0, 3 ) === "8.8") {
+      return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, "8.8.10");
+    }
+
+    if (substr($current_version, 0, 3 ) === "8.9") {
+      return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, "8.9.6");
+    }
+
+    $sandbox->logger()->info("$comparator_method($current_version, $version)");
+
+    return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
+  }
+}
diff --git a/src/Audit/D9ModuleUpdateStatus.php → src/Audit/ModuleUpdateStatus.php b/src/Audit/D9ModuleUpdateStatus.php → src/Audit/ModuleUpdateStatus.php
@@ -8,14 +8,14 @@
 use Drutiny\algm\Utils\MarkdownTableGenerator;
 
 /**
- * Look for contrib modules with available updates.
+ * Uses composer to look for contrib modules with available updates.
  * @Token(
  *  name = "updates",
  *  type = "array",
  *  description = "Description of module updates available."
  * )
  */
-class D9ModuleUpdateStatus extends Audit {
+class ModuleUpdateStatus extends Audit {
 
   /**
    * @inheritdoc

diff --git a/src/Audit/ModuleVersion.php b/src/Audit/ModuleVersion.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace Drutiny\algm\Audit;
+
+use Drutiny\Audit;
+use Drutiny\Sandbox\Sandbox;
+use Drutiny\Annotation\Param;
+use Exception;
+
+/**
+ * Check the version of Drupal core or a module in a site.
+ *
+ * @Param(
+ *  name = "module",
+ *  description = "The module to version information for",
+ *  type = "string"
+ * )
+ * @Param(
+ *  name = "version",
+ *  description = "The static version to check against.",
+ *  type = "string"
+ * )
+ * @Param(
+ *  name = "comparator",
+ *  description = "How to compare the version (greaterThan, greaterThanOrEqualTo, lessThan etc. See https://github.com/composer/semver)",
+ *  type = "string",
+ *  default = "greaterThanOrEqualTo"
+ * )
+ */
+class ModuleVersion extends Audit {
+
+  public function audit(Sandbox $sandbox)
+  {
+    $module = $sandbox->getParameter('module');
+    $version = $sandbox->getParameter('version');
+    $comparator_method = $sandbox->getParameter('comparator');
+
+    if (!method_exists("Composer\Semver\Comparator", $comparator_method)) {
+      throw new \Exception("Comparator method not available: $comparator_method");
+    }
+
+    try {
+      $info = $sandbox->drush(['format' => 'json'])->pmList();
+    }
+    catch (Exception $e) {
+      throw new \Exception("Drush command failed: " . $e);
+      return Audit::ERROR;
+    }
+
+
+    if (!isset($info[$module])) {
+      return Audit::NOT_APPLICABLE;
+    }
+
+    $current_version = strtolower($info[$module]['version']);
+    $sandbox->setParameter('current_version', $current_version);
+
+    $sandbox->logger()->info("$comparator_method($current_version, $version)");
+
+    return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
+  }
+}
diff --git a/tests/src/PageSpeedInsightsScore.php b/tests/src/PageSpeedInsightsScore.php
@@ -23,7 +23,7 @@ public function __construct()
 
   /** @test */
   public function it_should_run_a_psi_scan_against_a_site() {
-    $policy = Policy::load('ALGMPerformance:PSI');
+    $policy = Policy::load('algm:Performance:PSI');
     $sandbox = new Sandbox($this->target, $policy);
 
     $response = $sandbox->run();