From 3bef4ce41ba6454f9a83c10146a1b7a66a99aa72 Mon Sep 17 00:00:00 2001
From: Tim Clifford
Date: Fri, 18 Sep 2020 09:56:58 +0100
Subject: [PATCH] Recent core vulnerability policies and file name changes
---
 Policies/d7-SA-CORE-2020-007.policy.yml | 18 ++++
 Policies/d8-SA-CORE-2020-009.policy.yml | 20 +++++
 .../d8_security_module_updates.policy.yml | 2 +-
 Policies/health_check.policy.yml | 2 +-
 ...y.yml => module_updates_status.policy.yml} | 7 +-
 Policies/pagespeedinsightsscore.policy.yml | 2 +-
 Profiles/algm_d7_sla_site.profile.yml | 7 +-
 ...ofile.yml => algm_performance.profile.yml} | 2 +-
 Profiles/algm_sla_site.profile.yml | 2 +-
 src/Audit/D8_SA_CORE_2020_009.php | 83 +++++++++++++++++++
 ...pdateStatus.php => ModuleUpdateStatus.php} | 4 +-
 src/Audit/ModuleVersion.php | 62 ++++++++++++++
 tests/src/PageSpeedInsightsScore.php | 2 +-
 13 files changed, 199 insertions(+), 14 deletions(-)
 create mode 100644 Policies/d7-SA-CORE-2020-007.policy.yml
 create mode 100644 Policies/d8-SA-CORE-2020-009.policy.yml
 rename Policies/{D9_module_updates_scan.policy.yml => module_updates_status.policy.yml} (87%)
 rename Profiles/{ALGMPerformance.profile.yml => algm_performance.profile.yml} (98%)
 create mode 100644 src/Audit/D8_SA_CORE_2020_009.php
 rename src/Audit/{D9ModuleUpdateStatus.php => ModuleUpdateStatus.php} (92%)
 create mode 100644 src/Audit/ModuleVersion.php
diff --git a/Policies/d7-SA-CORE-2020-007.policy.yml b/Policies/d7-SA-CORE-2020-007.policy.yml
new file mode 100644
index 0000000..5958173
--- /dev/null
+++ b/Policies/d7-SA-CORE-2020-007.policy.yml
@@ -0,0 +1,18 @@
+title: "SA-CORE-2020-007"
+class: \Drutiny\algm\Audit\ModuleVersion
+name: Drupal-7:SA-CORE-2020-007
+tags:
+ - Drupal 7
+ - Security
+description: |
+ Runs tests to check for SA-CORE-2020-007 (https://www.drupal.org/sa-core-2020-007).
+
+ The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
+remediation: Upgrade Drupal 7 to 7.73
+success: This site is secure from the vulnerabilities in SA-CORE-2020-007
+failure: This sites current Drupal version {{current_version}} is not secure against SA-CORE-2020-007.
+parameters:
+ module:
+ default: system
+ version:
+ default: 7.73
\ No newline at end of file
diff --git a/Policies/d8-SA-CORE-2020-009.policy.yml b/Policies/d8-SA-CORE-2020-009.policy.yml
new file mode 100644
index 0000000..0bb7fe2
--- /dev/null
+++ b/Policies/d8-SA-CORE-2020-009.policy.yml
@@ -0,0 +1,20 @@
+title: "SA-CORE-2020-009"
+class: \Drutiny\algm\Audit\D8_SA_CORE_2020_009
+name: Drupal-8:SA-CORE-2020-009
+tags:
+ - Drupal 8
+ - Security
+description: |
+ Runs tests to check for SA-CORE-2020-0079 (https://www.drupal.org/sa-core-2020-009).
+
+ Core Drupal 8 reflected XSS vulnerability.
+remediation: |
+ If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
+ If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
+success: This site is secure from the vulnerabilities in SA-CORE-2020-009
+failure: This sites current Drupal version {{current_version}} is not secure against SA-CORE-2020-009.
+parameters:
+ module:
+ default: system
+ version:
+ default: 8.9.6
\ No newline at end of file
diff --git a/Policies/d8_security_module_updates.policy.yml b/Policies/d8_security_module_updates.policy.yml
index 44847c2..38b0449 100644
--- a/Policies/d8_security_module_updates.policy.yml
+++ b/Policies/d8_security_module_updates.policy.yml
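Review bot: The `version` default on the last line of the Drupal 7 policy, `default: 7.73`, is an unquoted YAML scalar and is parsed as a float rather than a version string; it happens to round-trip as `7.73`, but a default such as `7.70` would reach `Composer\Semver\Comparator` as `7.7`, so quote it: `default: "7.73"`. The audit this policy names, `\Drutiny\algm\Audit\ModuleVersion` (added in this patch), also reads a `comparator` parameter that no `parameters:` entry here supplies; unless the audit declares its own default (not visible in this patch), `method_exists()` is given an empty method name and the policy throws before comparing anything, so either add `comparator: { default: greaterThanOrEqualTo }` or confirm the default exists. The `failure:` line reads `This sites current`; `This site's current` is what is meant.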
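Review bot: The Drupal 8 policy's description names a non-existent advisory id, `SA-CORE-2020-0079`; the line should read `Runs tests to check for SA-CORE-2020-009 (https://www.drupal.org/sa-core-2020-009).`. The `version: default: 8.9.6` parameter is only consulted by `D8_SA_CORE_2020_009` for versions outside the 8.8.x and 8.9.x branches, because the audit hard-codes `8.8.10` and `8.9.6` itself, so a future bump of this default would silently have no effect on the sites it is meant for; a comment on the parameter saying so, or per-branch parameters instead of the hard-coding, would make that visible. The missing `comparator` parameter and the `This sites` wording raised on the Drupal 7 policy apply here as well.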
@@ -1,4 +1,4 @@
-title: "Drupal 8/9 Security Module Updates policy"
+title: "Drupal 8/9 Security Module Updates"
 class: \Drutiny\algm\Audit\D8SecurityModuleUpdates
 name: algm:D8SecurityModuleUpdates
 tags:
diff --git a/Policies/health_check.policy.yml b/Policies/health_check.policy.yml
index 1872921..7aa3158 100644
--- a/Policies/health_check.policy.yml
+++ b/Policies/health_check.policy.yml
@@ -1,4 +1,4 @@
-title: "Health Check Policy"
+title: "Health Check"
 class: \Drutiny\algm\Audit\HealthCheck
 name: algm:HealthCheck
 description: |
diff --git a/Policies/D9_module_updates_scan.policy.yml b/Policies/module_updates_status.policy.yml
similarity index 87%
rename from Policies/D9_module_updates_scan.policy.yml
rename to Policies/module_updates_status.policy.yml
index 6325f8f..cff7134 100644
--- a/Policies/D9_module_updates_scan.policy.yml
+++ b/Policies/module_updates_status.policy.yml
@@ -1,7 +1,8 @@
-title: "Drupal 9 Module Updates policy"
-class: \Drutiny\algm\Audit\D9ModuleUpdateStatus
-name: algm:D9ModuleUpdates
+title: "Drupal 8/9 Module Updates"
+class: \Drutiny\algm\Audit\ModuleUpdateStatus
+name: algm:ModuleUpdates
 tags:
+ - Drupal 8
 - Drupal 9
 - Module Updates
 - Security
diff --git a/Policies/pagespeedinsightsscore.policy.yml b/Policies/pagespeedinsightsscore.policy.yml
index 82bee42..c85589f 100644
--- a/Policies/pagespeedinsightsscore.policy.yml
+++ b/Policies/pagespeedinsightsscore.policy.yml
@@ -1,6 +1,6 @@
 title: "Page Speed Insights policy"
 class: \Drutiny\algm\Audit\PageSpeedInsightsScore
-name: ALGMPerformance:PSI
+name: algm:Performance:PSI
 description: |
 Runs PSI against LAGOON_ROUTE
 success: |
diff --git a/Profiles/algm_d7_sla_site.profile.yml b/Profiles/algm_d7_sla_site.profile.yml
index 1195d2f..0922f3e 100644
--- a/Profiles/algm_d7_sla_site.profile.yml
+++ b/Profiles/algm_d7_sla_site.profile.yml
@@ -6,11 +6,11 @@ policies:
 { severity: high }
 'algm:DrushStatus':
 { severity: normal }
- 'algm:D7SecurityModuleUpdates':
- { severity: high }
 'algm:FileSystemAnalysis':
 { severity: normal }
- # D7
+ # General
+ 'Drupal:moduleUpdates': { severity: normal }
+ # Drupal 7
 'Drupal-7:NoDuplicateModules': { severity: normal }
 'Drupal-7:OverlayModuleDisabled': { severity: normal }
 'Drupal-7:BlackListPermissions': { severity: normal }
@@ -34,6 +34,7 @@ policies:
 'Database:Size': { severity: normal } # Security 'Drupal-7:User1LockDown': { severity: normal }
+ 'algm:D7SecurityModuleUpdates': { severity: high }
 'fs:SensitivePublicFiles': { severity: high,
diff --git a/Profiles/ALGMPerformance.profile.yml b/Profiles/algm_performance.profile.yml
similarity index 98%
rename from Profiles/ALGMPerformance.profile.yml
rename to Profiles/algm_performance.profile.yml
index 9f9684e..ca8d0a0 100644
--- a/Profiles/ALGMPerformance.profile.yml
+++ b/Profiles/algm_performance.profile.yml
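Review bot: The added entry `'Drupal:moduleUpdates': { severity: normal }` does not match any policy name in this patch: the module-updates policy is renamed here to `algm:ModuleUpdates` (and `algm_sla_site.profile.yml` uses that name), so unless a `Drupal:moduleUpdates` policy exists elsewhere this line will fail to resolve when the profile is loaded. Its audit class, `ModuleUpdateStatus`, is also documented in this patch as "Uses composer", which may not hold for a Drupal 7 site; confirm it is intended under `# General` here. The new `Drupal-7:SA-CORE-2020-007` policy, which appears to be the reason for the Drupal 7 changes, is not added to this profile at all.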
@@ -1,6 +1,6 @@
 title: 'ALGM Performance'
 description: 'Site Performance Audit for ALGM.'
 policies:
- 'ALGMPerformance:PSI': { }
+ 'algm:Performance:PSI': { }
 format:
 html: { template: page, content: [{ heading: Purpose, body: "This report is designed to provide some feedback on the overall health of\nthe web application by performing some deep dive analysis. The items\nsurfaced in the report can help improve performance and stability.\n" }, { heading: 'Reporting period', body: "Period | Date time\n------ | ---------\nStart | {{reporting_period_start}}\nEnd | {{reporting_period_end}}\n" }, { heading: Recommendations, body: "\n" }, { heading: Findings, body: "{{{ severity_stats }}}\n### Issue Summary\n{{{ summary_table }}}\n\n{{#failures}}\n ### Issues\n {{# output_failure }}\n {{{.}}}\n {{/ output_failure }}\n{{/failures}}\n\n{{#warnings}}\n ### Warnings\n {{# output_warning }}\n {{{.}}}\n {{/ output_warning }}\n{{/warnings}}\n" }, { heading: Appendix, body: "{{#notices}}\n ### Appendix - Analysis\n\n The various appendices provides more detailed data regarding the health of\n the site.\n\n {{# output_notice }}\n {{{.}}}\n {{/ output_notice }}\n{{/notices}}\n\n{{#errors}}\n ### Appendix - Errors\n\n During the production of this report, not all report policies were able to\n be carried out due to errors encounted.\n\n {{#output_error}}\n {{{.}}}\n {{/output_error}}\n{{/errors}}\n\n### Appendix - Summary\nThe below table describes all audit and analysis work completed for the\nproduction of this report and their associated outcomes.\n\n{{{ appendix_table }}}\n\n{{#passes}}\n### Appendix - Successful Assessments\n{{# output_success }}\n {{{.}}}\n{{/ output_success }}\n{{/passes}}\n" }] }
diff --git a/Profiles/algm_sla_site.profile.yml b/Profiles/algm_sla_site.profile.yml
index ac18861..4581d39 100644
--- a/Profiles/algm_sla_site.profile.yml
+++ b/Profiles/algm_sla_site.profile.yml
@@ -6,7 +6,7 @@ policies:
 { severity: high }
 'algm:DrushStatus':
 { severity: normal }
- 'algm:D9ModuleUpdates':
+ 'algm:ModuleUpdates':
 { severity: high }
 'algm:D8SecurityModuleUpdates':
 { severity: high }
diff --git a/src/Audit/D8_SA_CORE_2020_009.php b/src/Audit/D8_SA_CORE_2020_009.php
new file mode 100644
index 0000000..174ab1b
--- /dev/null
+++ b/src/Audit/D8_SA_CORE_2020_009.php
@@ -0,0 +1,83 @@
+getParameter('module');
+ $version = $sandbox->getParameter('version');
+ $comparator_method = $sandbox->getParameter('comparator');
+
+ // Check for presence of patch
+ try {
+ $find_patch = trim($sandbox->exec('find . -name FormBuilder.php -exec grep "filterBadProtocol" {} \;'));
+ }
+ catch (Exception $e) {
+ throw new \Exception("Failed to run find");
+ return Audit::ERROR;
+ }
+
+ if ($find_patch !== '') {
+ return Audit::SUCCESS;
+ }
+
+ if (!method_exists("Composer\Semver\Comparator", $comparator_method)) {
+ throw new \Exception("Comparator method not available: $comparator_method");
+ }
+
+ try {
+ $info = $sandbox->drush(['format' => 'json'])->pmList();
+ }
+ catch (Exception $e) {
+ throw new \Exception("Drush command failed");
+ return Audit::ERROR;
+ }
+
+
+ if (!isset($info[$module])) {
+ return Audit::NOT_APPLICABLE;
+ }
+
+ $current_version = strtolower($info[$module]['version']);
+ $sandbox->setParameter('current_version', $current_version);
+
+ if (substr($current_version, 0, 3 ) === "8.8") {
+ return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, "8.8.10");
+ }
+
+ if (substr($current_version, 0, 3 ) === "8.9") {
+ return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, "8.9.6");
+ }
+
+ $sandbox->logger()->info("$comparator_method($current_version, $version)");
+
+ return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
+ }
+}
\ No newline at end of file
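Review bot: The patch check at `$find_patch` returns `Audit::SUCCESS` as soon as any file named `FormBuilder.php` anywhere under the working directory contains the string `filterBadProtocol`, before the installed core version is even read, so a match in a contrib or vendor copy, or in a file outside `core/`, marks an unpatched core as secure. Restrict the search to the core file and keep the version comparison as the authoritative result rather than an alternative to it, e.g. `find core/lib/Drupal/Core/Form -name FormBuilder.php -exec grep "filterBadProtocol" {} \;`. `catch (Exception $e)` is unqualified; if the file has no `use Exception;` (its header is not visible in this hunk as rendered) the catch never matches inside the `Drutiny\algm\Audit` namespace, and the `return Audit::ERROR;` after each `throw` is unreachable either way — both points apply equally to the `ModuleVersion.php` hunk below. Rethrow with the cause attached, `throw new \Exception("Failed to run find", 0, $e);`, so the underlying error is not lost. The enclosing method and class header start outside the hunk as rendered here.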
diff --git a/src/Audit/D9ModuleUpdateStatus.php b/src/Audit/ModuleUpdateStatus.php
similarity index 92%
rename from src/Audit/D9ModuleUpdateStatus.php
rename to src/Audit/ModuleUpdateStatus.php
index a12fe4f..0f2a416 100644
--- a/src/Audit/D9ModuleUpdateStatus.php
+++ b/src/Audit/ModuleUpdateStatus.php
@@ -8,14 +8,14 @@ use Drutiny\algm\Utils\MarkdownTableGenerator; /** - * Look for contrib modules with available updates. + * Uses composer to look for contrib modules with available updates. * @Token( * name = "updates", * type = "array", * description = "Description of module updates available." * ) */ -class D9ModuleUpdateStatus extends Audit { +class ModuleUpdateStatus extends Audit { /** * @inheritdoc
diff --git a/src/Audit/ModuleVersion.php b/src/Audit/ModuleVersion.php
new file mode 100644
index 0000000..4084bbb
--- /dev/null
+++ b/src/Audit/ModuleVersion.php
@@ -0,0 +1,62 @@
+getParameter('module');
+ $version = $sandbox->getParameter('version');
+ $comparator_method = $sandbox->getParameter('comparator');
+
+ if (!method_exists("Composer\Semver\Comparator", $comparator_method)) {
+ throw new \Exception("Comparator method not available: $comparator_method");
+ }
+
+ try {
+ $info = $sandbox->drush(['format' => 'json'])->pmList();
+ }
+ catch (Exception $e) {
+ throw new \Exception("Drush command failed: " . $e);
+ return Audit::ERROR;
+ }
+
+
+ if (!isset($info[$module])) {
+ return Audit::NOT_APPLICABLE;
+ }
+
+ $current_version = strtolower($info[$module]['version']);
+ $sandbox->setParameter('current_version', $current_version);
+
+ $sandbox->logger()->info("$comparator_method($current_version, $version)");
+
+ return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
+ }
+}
\ No newline at end of file
diff --git a/tests/src/PageSpeedInsightsScore.php b/tests/src/PageSpeedInsightsScore.php
index 80a9047..7e2b5ce 100644
--- a/tests/src/PageSpeedInsightsScore.php
+++ b/tests/src/PageSpeedInsightsScore.php
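Review bot: `throw new \Exception("Drush command failed: " . $e);` stringifies the whole caught exception, so its stack trace (and whatever command detail it carries) ends up in the exception message rather than only in logs; use the message and attach the cause instead: `throw new \Exception("Drush command failed: " . $e->getMessage(), 0, $e);`. The `isset($info[$module])` guard does not cover the `version` key, so `strtolower($info[$module]['version'])` warns and compares an empty string when the `pmList()` output lacks it; guard with `isset($info[$module]['version'])` and return `Audit::NOT_APPLICABLE` (or raise) otherwise. `D8_SA_CORE_2020_009` in this patch repeats this method almost line for line apart from the patch check and the two branch constants; having it extend `ModuleVersion` and override only that part would keep the two from drifting. The enclosing method and class header are outside the hunk as rendered here.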
@@ -23,7 +23,7 @@ public function __construct() /** @test */ public function it_should_run_a_psi_scan_against_a_site() { - $policy = Policy::load('ALGMPerformance:PSI'); + $policy = Policy::load('algm:Performance:PSI'); $sandbox = new Sandbox($this->target, $policy); $response = $sandbox->run();