/ - Diff - Club Drupal - Forge Centrale Marseille

     Note, custom checks require that its module be enabled. Also, should you be
     skipping any check the 'store' option will not allow that check to be run.
     -- SITE AUDIT USAGE --
     Security Review also integrates with https://www.drupal.org/project/site_audit ,
     a static site analysis platform that generates reports with actionable best
     practice recommendations. Security Review can be installed on an entire
     platform, eliminating the need for module installation.
     To use, put Security Review either in your codebase or in your Drush command
     locations, then:
         # Clear Drush cache.
         drush cc drush
         # Audit security.
         drush audit_security
     ### Marking field content as known to be safe
     The "Dangerous tags in content" check may indicate problems with fields that
     you known are safe. You can create a list of field contents and entities
     that you want to be skipped in future runs by creating a SHA-256 hash of the
     entity_id, entity_type, and field contents. See security_review_check_field
     function in security_review.inc for details.
     -- SUPPORT --
     Please use the issue queue at http://drupal.org/project/security_review for all
     Please use the issue queue at https://drupal.org/project/security_review for all
     module support. You can read more about securely configuring your site at
     http://drupal.org/security/secure-configuration and http://drupalscout.com

     <?php
     /**
      * @file
      * Drush commands for Security Review module.
-...
           'secrev --store' => 'Run the checklist, store, and output the results',
           'secrev --lastrun' => 'Output the stored results from the last run of the checklist'
         ),
         'outputformat' => array(
           'default' => 'table',
           'pipe-format' => 'csv',
           'fields-default' => array('message', 'status'),
           'field-labels' => array(
             'message' => 'Message',
             'status' => 'Status',
             'findings' => 'Findings',
           ),
           'output-data-type' => 'format-table',
         ),
       );
       $items['password-check-setup'] = array(
         'callback' => 'security_review_drush_hash_setup',
         'aliases' => array('passset'),
-...
         $show_results = FALSE;
+      }
       $output = array();
       if (!$lastrun) {
         if (!empty($specific_checks)) {
           // Get specified checks.
-...
         if ($store) {
           security_review_store_results($checklist_results);
+        }
         // Print results.
         // Compile results.
         foreach ($checklist_results as $module => $checks) {
           foreach ($checks as $check_name => $check) {
             _security_review_drush_print_result($check, $short_titles, $show_results);
             if ($result = _security_review_drush_format_result($check, $short_titles, $show_results)) {
               $output[$module . '-' . $check_name] = $result;
+            }
+          }
+        }
+      }
       elseif ($lastrun) {
         // Retrieve results from last run of the checklist.
         $results = security_review_get_stored_results();
         // Print results.
         // Compile results.
         if (!empty($results)) {
           foreach ($results as $result) {
             if (isset($checklist[$result['namespace']][$result['reviewcheck']])) {
               $check = array_merge($result, $checklist[$result['namespace']][$result['reviewcheck']]);
               _security_review_drush_print_result($check, $short_titles, $show_results);
               if ($result = _security_review_drush_format_result($check, $short_titles, $show_results)) {
                 $output[$check['namespace'] . '-' . $check['reviewcheck']] = $result;
+              }
+            }
+          }
+        }
+      }
       return $output;
+    }
     /**
      * Helper function to print Security Review results using drush_log().
      * Helper function to format Security Review results.
+     *
      * @param array $check
      *   Check array with keys 'title', 'success', 'failure', 'result'
-...
      *   message.
      * @param boolean $show_results
      *   Whether to print failed check results.
      * @return NULL
+     *
      * @return array|NULL
      *   An array with the security review check's result, or NULL if no result.
      */
     function _security_review_drush_print_result($check, $short_titles = FALSE, $show_results = FALSE) {
     function _security_review_drush_format_result($check, $short_titles = FALSE, $show_results = FALSE) {
       if (is_null($check['result'])) {
         // Do nothing if result is NULL.
         return;
-...
         $element = $short_titles ? 'title' : 'success';
         $message = $check[$element];
         $status = 'success';
         $findings = $check['value'];
+      }
       else {
         $element = $short_titles ? 'title' : 'failure';
         $message = $check[$element];
         if ($show_results) {
           $results = _security_review_drush_findings_output($check);
           if (!empty($results)) {
             $message .= "\n";
             foreach ($results as $item) {
               $message .= "\t" . $item . "\n";
+            }
         $findings = $check['value'];
         if ($show_results && !empty($findings)) {
           $message .= "\n";
           foreach (_security_review_drush_findings_output($check) as $item) {
             $message .= "\t" . $item . "\n";
+          }
+        }
         $status = 'error';
+      }
       drush_log($message, $status);
       return array(
         'message' => $message,
         'status' => $status,
         'findings' => $findings,
       );
+    }
     function _security_review_drush_findings_output($check) {
-...
         drush_die('File not found');
+      }
+    }
     /**
      * Implements hook_drush_command_alter().
      */
     function security_review_drush_command_alter(&$command) {
       // Adds security_review checks to existing security report.
       if ($command['command'] == 'audit_security') {
         $security_review_checks = array(
           'FilePerms',
           'InputFormats',
           'Field',
           'ErrorReporting',
           'PrivateFiles',
           'UploadExtensions',
           'AdminPermissions',
           'ExecutablePhp',
           'BaseUrlSet',
           'TemporaryFiles',
         );
         foreach ($security_review_checks as $name) {
           $command['checks'][] = array(
             'name' => $name,
             'location' => __DIR__ . '/security_review.site_audit.inc',
           );
+        }
+      }
+    }

+    }
     function theme_security_review_help_options($element) {
       $output .= '<div class="sec-rev-help-option">';
       $output = '<div class="sec-rev-help-option">';
       $output .= l($element['problem'], 'admin/reports/security-review/help', array('fragment' => $element['type'], 'attributes' => array('class' => 'sec-rev-help-dyn')));
       $output .= '<div class="sec-rev-help-content">';
       $output .= '<p>' . $element['description'] . '</p>';
-...
         $element['findings']['descriptions'][] = $skipped_message;
+      }
       elseif ($check && $check['result'] == FALSE) {
         $element['findings']['descriptions'][] = t('The following IPs were observed with an abundanced of failed login attempts.');
         $element['findings']['descriptions'][] = t('The following IPs were observed with an abundance of failed login attempts.');
         foreach ($check['value'] as $ip) {
           $element['findings']['items'][] = array(
             'safe' => check_plain($ip),
-...
     function security_review_check_field_help($check = NULL, $skipped_message = NULL) {
       $element['title'] = t('Dangerous tags in content');
       $element['descriptions'][] = t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.');
       $element['descriptions'][] = t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents or add the hash of the content to the security_review_known_risky_fields system variable (see the README.txt for more information).');
       if (!empty($skipped_message)) {
         $element['findings']['descriptions'][] = $skipped_message;
-...
               $uri = $uri_callback($entity);
               $uri = url($uri['path'] . '/edit'); // @todo can this assumption be made?
+            }
             $html = t('@description found in @field field of <a href="!link">@title</a>', array('@field' => $value[$entity->{$id}]['field'], '@description' => $value[$entity->{$id}]['type'], '!link' => $uri, '@title' => $entity->{$label}));
             $html = t('@description found in @field field of <a href="!link">@title</a> (content hash: %hash).', array('@field' => $value[$entity->{$id}]['field'], '@description' => $value[$entity->{$id}]['type'], '!link' => $uri, '@title' => $entity->{$label}, '%hash' => $value[$entity->{$id}]['hash']));
             $element['findings']['items'][] = array(
               'html' => $html,
               'safe' => t('@description in @field field of !url', array('@field' => $value[$entity->{$id}]['field'], '@description' => $value[$entity->{$id}], '!url' => $uri)),
               'raw' => $value[$entity->{$id}] . ':' . $uri,
               'safe' => t('@description in @field field of !url', array('@field' => $value[$entity->{$id}]['field'], '@description' => $value[$entity->{$id}]['type'], '!url' => $uri)),
               'raw' => $value[$entity->{$id}]['field'] . ':' . $uri,
             );
+          }
+        }
-...
             'raw' => $name,
           );
+        }
         $element['findings']['pager'] = theme('pager', NULL, 20);
         //$element['findings']['pager'] = theme('pager', NULL, 20);
+      }
       return $element;

         'success' => t('Untrusted roles do not have administrative or trusted Drupal permissions.'),
         'failure' => t('Untrusted roles have been granted administrative or trusted Drupal permissions.'),
       );
       /*$checks['name_passwords'] = array(
       $checks['name_passwords'] = array(
         'title' => t('Username as password'),
         'callback' => 'security_review_check_name_passwords',
         'success' => t('Trusted accounts do not have their password set to their username.'),
         'failure' => t('Some trusted accounts have set their password the same as their username.'),
       );*/
       );
       // Check dependent on PHP filter being enabled.
       if (module_exists('php')) {
         $checks['untrusted_php'] = array(
-...
       foreach ($untrusted_permissions as $rid => $permissions) {
         $intersect = array_intersect($all_keys, array_keys($permissions));
         foreach ($intersect as $permission) {
           if (isset($all_permissions[$permission]['restrict access'])) {
           if (!empty($all_permissions[$permission]['restrict access'])) {
             $check_result_value[$rid][] = $permission;
+          }
+        }
-...
         return array('result' => $check_result, 'value' => $check_result_value);
+      }
       // Search for PHP or Javascript tags in text columns.
       $known_risky_fields = explode(',', variable_get('security_review_known_risky_fields', ''));
       foreach ($tables as $table => $info) {
         $sql = "SELECT DISTINCT entity_id, entity_type FROM {" . $table . "} WHERE " . $info['column'] . " LIKE :text";
         // Column & table come from field definitions & are safe to use in a query.
         $sql = "SELECT DISTINCT entity_id, entity_type, " . $info['column'] . " AS field_text FROM {" . $table . "} WHERE " . $info['column'] . " LIKE :text";
         // Handle changed? @todo
         foreach (array('Javascript' => '%<script%', 'PHP' => '%<?php%') as $vuln_type => $comparison) {
           $results = db_query($sql, array(':text' => $comparison)); // @pager query?
           foreach ($results as $result) {
             $check_result = FALSE;
             if (!isset($check_result_value[$result->entity_type]) || !array_key_exists($result->entity_id, $check_result_value[$result->entity_type])) {
               $check_result_value[$result->entity_type][$result->entity_id] = array(
                 'type' => $vuln_type,
                 'field' => $info['name'],
               );
               // Only alert on values that are not known to be safe.
               $hash = hash('sha256', implode((array) $result));
               if (!in_array($hash, $known_risky_fields)) {
                 $check_result = FALSE;
                 $check_result_value[$result->entity_type][$result->entity_id] = array(
                   'type' => $vuln_type,
                   'field' => $info['name'],
                   'hash' => $hash,
                 );
+              }
+            }
+          }
+        }
+      }
       return array('result' => $check_result, 'value' => $check_result_value);
+    }
-...
+    }
     function _security_review_weak_passwords($trusted_roles) {
       require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
       $weak_users = array();
       // Select users with a trusted role whose password is their username.
       // @todo need to generate passwords in PHP to get salt.
       $sql = "SELECT u.uid, u.name, COUNT(rid) AS count FROM {users} u LEFT JOIN
         {users_roles} ur ON u.uid = ur.uid AND ur.rid in (:rids)
         WHERE pass = md5(name) GROUP BY uid";
       $results = db_query($sql, array(':rids' => $trusted_roles)); // @todo pager_query?
       // Select users with a trusted role.
       $query = db_select('users', 'u');
       $query->leftJoin('users_roles', 'ur', 'u.uid = ur.uid AND ur.rid IN (:rids)', array(':rids' => $trusted_roles));
       $query->fields('u', array('uid', 'name', 'pass'));
       $query->addExpression('COUNT(rid)', 'count');
       $query->groupBy('u.uid');
       $query->groupBy('u.name');
       $query->groupBy('u.pass');
       $results = $query->execute()->fetchAllAssoc('uid');
       // Find users with the same password as their username.
       foreach ($results as $row) {
         $record[] = $row;
         if ($row->count > 0) {
           $weak_users[$row->uid] = $row->name;
         if ($row->count > 0 || $row->uid == 1) {
           // Make a psuedo account object to avoid loading the user.
           $account = (object)array(
             'uid' => $row->uid,
             'name' => $row->name,
             'pass' => $row->pass,
           );
           if (user_check_password($row->name, $account)) {
             $weak_users[$row->uid] = $row->name;
+          }
+        }
+      }
       // Explicitly check uid 1 in case they have no roles.
       $weak_uid1 = db_fetch_object(db_query("SELECT u.uid, u.name, 1 AS count FROM {users} u WHERE pass = md5(name) AND uid = 1"));
       if (!empty($weak_uid1->count)) {
         $weak_users[$weak_uid1->uid] = $weak_uid1->name;
+      }
       return $weak_users;
+    }

     files[] = tests/security_review.test
     configure = admin/reports/security-review/settings
     ; Information added by Drupal.org packaging script on 2014-09-06
     version = "7.x-1.2"
     ; Information added by Drupal.org packaging script on 2017-07-26
     version = "7.x-1.3"
     core = "7.x"
     project = "security_review"
     datestamp = "1410036834"
     datestamp = "1501101849"

      * Implements hook_enable().
      */
     function security_review_enable() {
       drupal_set_message(t('Security Review module enabled. You should first set the module access permissions at !link. Be sure to grant permissions to trusted users only as this module can show senstive site information.', array('!link' => l('admin/people/permissions', 'admin/people/permissions'))));
       drupal_set_message(t('Security Review module enabled. You should first set the module access permissions at !link. Be sure to grant permissions to trusted users only as this module can show sensitive site information.', array('!link' => l('admin/people/permissions', 'admin/people/permissions'))));
+    }
     /**

         $checks[] = array(
           'namespace'   => $record->namespace,
           'reviewcheck' => $record->reviewcheck,
           'result'      => $record->result === '1' ? TRUE : FALSE,
           'result'      => $record->result == '1' ? TRUE : FALSE,
           'lastrun'     => $record->lastrun,
           'skip'        => $record->skip === '1' ? TRUE : FALSE,
           'skip'        => $record->skip == '1' ? TRUE : FALSE,
           'skiptime'    => $record->skiptime,
           'skipuid'     => $record->skipuid,
         );

      * Helper function creates message for reporting check skip information.
      */
     function _security_review_check_skipped($last_check) {
       $account = array_pop(user_load_multiple(array($last_check['skipuid'])));
       $users = user_load_multiple(array($last_check['skipuid']));
       $account = array_pop($users);
       $time = format_date($last_check['skiptime'], 'medium');
       $message = t('Check marked for skipping on !time by !user', array('!time' => $time, '!user' => theme('username', array('account' => $account))));
       return $message;
-...
       else {
         $output = _security_review_help();
         // List all checks as links to specific help.
         $output .= '<h3>' . t('Check-specfic help') . '</h3>';
         $output .= '<h3>' . t('Check-specific help') . '</h3>';
         $output .= '<p>' . t("Details and help on the security review checks. Checks are not always perfectly correct in their procedure and result. Refer to drupal.org handbook documentation if you are unsure how to make the recommended alterations to your configuration or consult the module's README.txt for support.") . '</p>';
         foreach ($checklist as $module => $checks) {
           foreach ($checks as $reviewcheck => $check) {

     <?php
     /**
      * @file
      * Contains \SiteAudit\Check\Security security_review checks.
      */
     /**
      * Class SecurityReviewSiteAuditCheckAbstract
      */
     abstract class SecurityReviewSiteAuditCheckAbstract extends SiteAuditCheckAbstract {
       /**
        * The implementing module.
        * @var string
        */
       protected $module = 'security_review';
       /**
        * The check in question.
        * @var string
        */
       protected $check;
       /**
        * Implements \SiteAudit\Check\Abstract\getLabel().
        */
       public function getLabel() {
         $checks = security_review_get_checklist();
         return $checks[$this->module][$this->check]['title'];
+      }
       /**
        * Implements \SiteAudit\Check\Abstract\getDescription().
        */
       public function getDescription() {
         $checks = security_review_get_checklist();
         return dt('Security Check of @title', array(
           '@title' => $checks[$this->module][$this->check]['title'],
         ));
+      }
       /**
        * Implements \SiteAudit\Check\Abstract\getResultFail().
        */
       public function getResultFail() {
         $ret_val = $this->registry[$this->module][$this->check]['failure'];
         if (isset($this->registry[$this->module][$this->check]['value'])) {
           if (is_array($this->registry[$this->module][$this->check]['value'])) {
             $ret_val .= $this->generateUl($this->registry[$this->module][$this->check]['value'], drush_get_option('html'));
+          }
           elseif ($this->registry[$this->module][$this->check]['value']) {
             $ret_val .= ' Additional: "' . $this->registry[$this->module][$this->check]['value'] . '"';
+          }
+        }
         return $ret_val;
+      }
       /**
        * Generates an unordered list or flattened text version of a nested array.
+       *
        * @param array $array
        *   Security Review results.
        * @param bool $html
        *   TRUE if the result should be rendered as HTML.
        * @param int $indentation
        *   The number of spaces; defaults to 6.
+       *
        * @return string
        *   Formatted result.
        */
       private function generateUl($array, $html = TRUE, $indentation = 6) {
         $result = $html ? '<ul>' : '';
         foreach ($array as $key => $value) {
           $result .= $html ? '<li>' : PHP_EOL . str_repeat(' ', $indentation);
           $result .= $key . ': ';
           if (is_array($value)) {
             $result .= $this->generateUl($value, $html, $indentation + 2);
+          }
           elseif (isset($value->name) && $value->name) {
             $result .= $value->name;
+          }
           elseif ($value) {
             $result .= $value;
+          }
           $result .= $html ? '</li>' : '';
+        }
         $result .= $html ? '</ul>' : '';
         return $result;
+      }
       /**
        * Implements \SiteAudit\Check\Abstract\getResultInfo().
        */
       public function getResultInfo() {}
       /**
        * Implements \SiteAudit\Check\Abstract\getResultPass().
        */
       public function getResultPass() {
         return $this->registry[$this->module][$this->check]['success'];
+      }
       /**
        * Implements \SiteAudit\Check\Abstract\getResultWarn().
        */
       public function getResultWarn() {}
       /**
        * Implements \SiteAudit\Check\Abstract\getAction().
        */
       public function getAction() {}
       /**
        * Implements \SiteAudit\Check\Abstract\calculateScore().
        */
       public function calculateScore() {
         $checks = security_review_get_checklist();
         $checklist_results = security_review_run(array(
           $this->module => array($checks[$this->module][$this->check]),
         ));
         $this->registry[$this->module][$this->check] = $checklist_results['security_review'][0];
         if (!$this->registry[$this->module][$this->check]['result']) {
           return SiteAuditCheckAbstract::AUDIT_CHECK_SCORE_FAIL;
+        }
         else {
           return SiteAuditCheckAbstract::AUDIT_CHECK_SCORE_PASS;
+        }
+      }
+    }
     class SiteAuditCheckSecurityFilePerms extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'file_perms';
       /**
        * Implements \SiteAudit\Check\Abstract\getResultWarn().
        */
       public function getResultFail() {
         if (drush_get_option('detail')) {
           return parent::getResultFail();
+        }
         return $this->registry[$this->module][$this->check]['failure'];
+      }
+    }
     class SiteAuditCheckSecurityInputFormats extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'input_formats';
+    }
     class SiteAuditCheckSecurityField extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'field';
+    }
     class SiteAuditCheckSecurityErrorReporting extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'error_reporting';
+    }
     class SiteAuditCheckSecurityPrivateFiles extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'private_files';
+    }
     class SiteAuditCheckSecurityUploadExtensions extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'upload_extensions';
+    }
     class SiteAuditCheckSecurityAdminPermissions extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'admin_permissions';
+    }
     class SiteAuditCheckSecurityExecutablePhp extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'executable_php';
+    }
     class SiteAuditCheckSecurityBaseUrlSet extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'base_url_set';
+    }
     class SiteAuditCheckSecurityTemporaryFiles extends SecurityReviewSiteAuditCheckAbstract {
       protected $check = 'temporary_files';
+    }

drupal7/sites/all/modules/security_review/tests/security_review.test
31	31	'create article content',
32	32	'administer nodes',
33	33	'administer content types',
	34	'administer fields',
34	35	));
35	36	$this->drupalLogin($this->privileged_user);
36	37	}

Projet

Général

Profil

Club Drupal

Révision 6ae446a4

Ajouté par Assos Assos il y a environ 7 ans