Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it)
Similar to Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it) (20)
More from ElínAnna Jónasdóttir
More from ElínAnna Jónasdóttir (20)
Recently uploaded
Recently uploaded (15)
Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it)
- 1. How to Break Odoo's Security Olivier DONY • Platform & Security (or how to prevent it :-)) EXPERIENCE 2018 security@odoo.com - @odony
- 2. Odoo Security Team ★ Audit / Review source code ★ Analyze customer audits ★ Raise awareness ★ Monitor security@odoo.com ★ Responsible Disclosure Process ★ Security Advisories odoo.com/security-report ★ Now an Official CVE Numbering Authority (CNA)!
- 3. THE SECURITY MODEL Business Data DATA ACCESS LAYER ACCESS CONTROL Groups ACLs Rules APPS
- 4. GroupA GroupB User Multi-Level Access Control data User wants to access data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups
- 5. Multi-Level Access Control User wants to access data GroupA GroupB User data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups
- 7. Multi-Level Access Control Each layer controls separately the 4 CRUD operations Create Read Update Delete GroupA GroupB User data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups
- 8. ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups Multi-Level Access Control These layers controls separately the 4 CRUD operations Create Read Update Delete a.k.a CRWU Create Read Write Unlink GroupA GroupB User data
- 9. Correct ACLs are key for securing an Odoo App fleet/ controllers/ data/ models/ views/ security/ ir.model.access.csv security.xml fleet.vehicle fleet.contract <record model="res.groups" id="group_manager"> <field name="name">Fleet Manager</field> </record> model group C R W U fleet.vehicle base.group_user 0 1 0 0 fleet.vehicle fleet.group_manager 1 1 1 1 fleet.contract fleet.group_manager 1 1 1 1 <record model="ir.rule" id="rule_fleet_user"> <field name="model_id" ref="model_fleet_vehicle"/> <field name="groups" eval="[(4, ref('base.group_user'))]"/> <field name="domain_force"> [('driver_id', '=', user.id)] </field> </record>
- 10. Common vulnerabilities? Injection (SQL, Code, …) Access Control (Wrong checks) Broken Auth (Sessions/Cred) Information Leaks Security Misconfiguration Cross-site scripting (XSS) Covered. Cross-Site Request Forgery (CSRF/XSRF)
- 11. So, how do we break in?
- 13. Breaks security. (1) SQL Injection!
- 14. Bobby Tables...
- 15. Breaks security? (2) NOPE, but close! Ugly but not injectable
- 22. Breaks security? (4) ACCESS CONTROL! Accepts arbitrary fields, not just those in the form: unsafe sudo!!
- 23. Breaks security? (5) DATA LEAK! Unsafe domain concat Could receive partial domain: ['|',('body','ilike','password'),'&'] Result: ['|',('body','ilike','password'), '&',('model','=','sale.order'), ('res_id','=',res_id)]
- 24. Breaks security? (5) Safe domain combination
- 26. Merge Security Checklist New fields/models? -> ACLs to add? Sensitive fields? New methods? -> Private by default? sudo? -> Double-check scope - record leaks - args t-raw? -> Remove it quickly, unless it's a sanitized Html field getattr? -> Find an alternative, there should be one... (safe)_eval? -> Triple-check! Not for parsing data, right? raw SQL? -> No %, concat or format(), right? Check again! An ow in t o 're ta r…
- 27. Thank you. #odooexperience Security concern? ➢ security@odoo.com EXPERIENCE 2018 Photos credits: https://www.flickr.com/photos/129153735@N02/ https://www.flickr.com/photos/fallentomato/ https://www.flickr.com/photos/popatito_feo/ https://www.flickr.com/photos/medevac71/