Odoo Security.: Recap of Common Developer Mistakes
And when you must eval(), be doubly careful. Typical places it shows up:
- User-provided data
- Custom piece of logic
- Parametrized rendering

In all three the string being evaluated is, or contains, untrusted input: use odoo.tools.safe_eval with the smallest evaluation context that works, never the builtin eval().
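What "doubly careful" means in practice, as an added example (not from the talk and not Odoo's safe_eval): a whitelist-based evaluator that accepts a domain-like expression over a supplied context and refuses the syntax every eval() escape needs. The node whitelist, the function names and the sample expressions are constructed for this illustration.

```python
"""Constructed whitelist evaluator (not Odoo's safe_eval): only literals,
containers, names from the supplied context, arithmetic, comparisons and
boolean logic are allowed. No Attribute, no Call, no Lambda."""
import ast

_ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.Name, ast.Load, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)

def restricted_eval(expr: str, context: dict):
    """Evaluate `expr` with nothing but `context` in scope, or raise ValueError."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in context:
            raise ValueError(f"unknown name: {node.id}")
    code = compile(tree, "<restricted>", "eval")
    # Empty __builtins__: even an allowed Name cannot resolve to open/__import__.
    return eval(code, {"__builtins__": {}}, dict(context))

def is_rejected(expr: str, context: dict) -> bool:
    """True when the evaluator refuses the expression."""
    try:
        restricted_eval(expr, context)
    except ValueError:
        return True
    return False

# Constructed inputs: a legitimate domain and three classic eval() escapes.
GOOD_DOMAIN = "[('user_id', '=', uid), ('active', '=', True)]"
ESCAPES = [
    "__import__('os').system('id')",           # Call + Attribute
    "().__class__.__base__.__subclasses__()",  # Attribute chain up to object
    "(lambda: uid)()",                         # Lambda + Call
]

if __name__ == "__main__":
    print(restricted_eval(GOOD_DOMAIN, {"uid": 7}))
    for e in ESCAPES:
        print(e, "->", "rejected" if is_rejected(e, {"uid": 7}) else "EVALUATED")
```

The point is the shape of the defence, not this particular code: the evaluator refuses whole node types rather than blacklisting names, and the context is the only namespace. In an Odoo module use odoo.tools.safe_eval, which applies the same idea with more care than a 30-line sketch.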
MISTAKE #2: public vs private methods

Public:  def compute_this(self):
Private: def _compute_this(self):

No, really! Any method whose name does not start with an underscore can be called remotely through RPC (call_kw) by any authenticated user; the RPC layer only refuses names that start with an underscore. Prefix a method with _ unless it is meant to be an entry point.
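A reviewer-side check for this mistake, as an added example (not from the talk, not Odoo tooling): an AST scan that lists every public method defined on model classes in a source file, so that each one has to justify being an RPC entry point. The sample module source, the class name and the allow-list of standard ORM entry points are constructed for this illustration.

```python
"""Constructed lint: list public (non-underscore) methods on Odoo model classes."""
import ast

# Hypothetical model source, constructed for this example.
SAMPLE_SOURCE = '''
from odoo import api, fields, models

class ProjectTask(models.Model):
    _name = "project.task"

    name = fields.Char()

    def compute_this(self):          # public: reachable through call_kw
        return self._compute_this()

    def _compute_this(self):         # private: call_kw refuses names starting with _
        return len(self.name or "")

    @api.model
    def create(self, vals):          # public, but a standard ORM entry point
        return super().create(vals)
'''

# ORM methods that are public by design; an override is expected to stay public.
ORM_ENTRY_POINTS = {
    "create", "write", "unlink", "read", "search", "search_read", "search_count",
    "name_get", "name_search", "copy", "default_get", "fields_get", "get_view",
    "onchange", "read_group", "web_read", "web_search_read",
}

def _is_model_class(node: ast.ClassDef) -> bool:
    """True when a base is models.Model / models.TransientModel / models.AbstractModel."""
    return any(
        isinstance(base, ast.Attribute)
        and base.attr in {"Model", "TransientModel", "AbstractModel"}
        for base in node.bases
    )

def public_methods(source: str):
    """Return [(class_name, method_name)] for methods that neither start with '_'
    nor are recognised ORM entry points."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and _is_model_class(node):
            for item in node.body:
                if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
                    if not item.name.startswith("_") and item.name not in ORM_ENTRY_POINTS:
                        found.append((node.name, item.name))
    return found

if __name__ == "__main__":
    for cls, meth in public_methods(SAMPLE_SOURCE):
        print(f"{cls}.{meth} is public: callable over RPC; rename to _{meth} unless intended")
```

Run it over a module directory in CI and treat every hit as a question for the author, which is exactly the "New methods? -> Private by default?" line of the merge checklist.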
MISTAKE #3: t-raw = XSS vector

BEFORE 🤔 -> NOW! 😀
t-field="task.name"
t-esc="task.name" -> t-out="task.name"
t-raw="sanitized_body" -> t-out="sanitized_body"

t-out escapes a plain string and inserts a Markup value as-is, so one directive covers both cases and there is no reason left to reach for t-raw.

What's Markup? A value QWeb treats as already-safe HTML (markupsafe.Markup):
- qweb rendering results
- fields.Html values
- your own Markup(...)

See also: odoo.com/r/nbY
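The BEFORE/NOW table in working form, as an added example (not from the talk, not Odoo's QWeb): a stdlib-only stand-in for markupsafe.Markup next to small functions that do what t-raw, t-esc and t-out do with a value. The Markup class here is a constructed mini version that mirrors only the two properties that matter (it is not escaped again, and combining it with a plain str escapes that str); the task name and sanitized body are constructed sample values.

```python
"""Constructed stand-in for markupsafe.Markup and for the three QWeb directives."""
from html import escape

class Markup(str):
    """A str that is already safe HTML. Not markupsafe: a minimal stand-in."""
    def __html__(self):
        return self
    def __add__(self, other):
        return Markup(str.__add__(self, _escape(other)))
    def __mod__(self, args):
        if isinstance(args, tuple):
            args = tuple(_escape(a) for a in args)
        else:
            args = _escape(args)
        return Markup(str.__mod__(self, args))

def _escape(value) -> Markup:
    """Escape anything that is not already Markup (same rule as markupsafe.escape)."""
    if isinstance(value, Markup):
        return value
    return Markup(escape(str(value), quote=True))

def t_raw(value) -> str:
    """Old t-raw: inserted verbatim, whatever the value is."""
    return str(value)

def t_esc(value) -> str:
    """Old t-esc: always escapes, so already-safe HTML gets double-escaped."""
    return escape(str(value), quote=True)

def t_out(value) -> str:
    """t-out: escapes a plain str, passes Markup through untouched."""
    return str(_escape(value))

# Constructed sample values: a task name typed by a user, and a body that
# came out of fields.Html sanitisation (so it is already Markup).
TASK_NAME = '<img src=x onerror="alert(document.cookie)">'
SANITIZED_BODY = Markup("<p>Hello <b>world</b></p>")

def render(directive, task_name=TASK_NAME, body=SANITIZED_BODY) -> str:
    """Render both slots of a task card with the same directive."""
    return f"<h2>{directive(task_name)}</h2>{directive(body)}"

if __name__ == "__main__":
    print("t-raw:", render(t_raw))   # payload lands in the page unescaped
    print("t-esc:", render(t_esc))   # body shows up as literal tags
    print("t-out:", render(t_out))   # name escaped, body intact
```

With t-raw the onerror handler reaches the browser; with t-esc the sanitized body is displayed as text; with t-out both slots come out right, which is why a single directive could replace the pair. The same rule governs string building in Python: Markup("<b>%s</b>") % user_input escapes user_input, while "<b>%s</b>" % user_input does not.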
MISTAKE #4: nonsense with getattr/setattr

Why, oh why? getattr(self, name) / setattr(self, name, value) with a name the caller controls.
Why not this? Plain attribute access, or a lookup limited to the model's declared fields (self._fields).

A caller-controlled attribute name turns getattr/setattr into a way to reach any attribute or method on the record, private ones included, so the underscore convention from mistake #2 no longer protects anything.
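What a caller-controlled name actually reaches, as an added example (not from the talk, not Odoo code). `Record` and `Cursor` are constructed stand-ins carrying the pieces of a real recordset that matter here: a `_fields` registry, a private cursor attribute and a sudo() method; the function names and sample values are constructed as well.

```python
"""Constructed stand-ins for a record and its cursor, plus the unsafe and
checked versions of dynamic attribute access."""

class Cursor:
    """Stand-in for the database cursor a record carries as `_cr`."""
    def execute(self, query):
        return f"executed: {query}"

class Record:
    _fields = {"name": "Char", "priority": "Selection"}  # declared fields only

    def __init__(self):
        self.name = "Write the spec"
        self.priority = "1"
        self._cr = Cursor()
        self._superuser = False

    def sudo(self):
        self._superuser = True
        return self

# "Why, oh why?": the attribute name comes straight from the caller.
def read_any(rec, name):
    return getattr(rec, name)

def write_any(rec, name, value):
    setattr(rec, name, value)

# "Why not this?": dynamic access is restricted to declared fields.
def read_field(rec, name):
    if name not in rec._fields:
        raise ValueError(f"{name!r} is not a field of this model")
    return getattr(rec, name)

def write_field(rec, name, value):
    if name not in rec._fields:
        raise ValueError(f"{name!r} is not a field of this model")
    setattr(rec, name, value)

def probe(rec, names):
    """For each name, report whether the checked reader accepts or rejects it."""
    result = {}
    for n in names:
        try:
            read_field(rec, n)
            result[n] = "ok"
        except ValueError:
            result[n] = "rejected"
    return result

def unsafe_escalation_demo():
    """Three things a caller can do through read_any/write_any with no field involved."""
    rec = Record()
    cursor = read_any(rec, "_cr")                    # reach the raw cursor
    ran = cursor.execute("DELETE FROM project_task")
    read_any(rec, "sudo")()                          # call a method instead of reading a field
    write_any(rec, "_fields", {})                    # clobber model metadata
    return ran, rec._superuser, rec._fields

if __name__ == "__main__":
    print(unsafe_escalation_demo())
    print(probe(Record(), ["name", "priority", "_cr", "sudo", "_fields"]))
```

In a real Odoo module the checked form is usually just record[name] and record[name] = value, because recordset item access resolves the key through _fields and raises for anything that is not a field; a fixed attribute is simply record.name.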
MISTAKE #5: handcrafted SQL

Separate code vs parameters: never interpolate a value into the query string; pass values as the second argument of cr.execute(query, params) so the driver sends them apart from the SQL.
https://www.odoo.com/r/h3s
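The separation in working form, as an added example (not from the talk, not Odoo code): the same lookup written by pasting the value into the query and again with a bound parameter, run against an in-memory SQLite table so the injection can be watched offline. Odoo's cr.execute() takes the same (query, params) pair; with psycopg2 the placeholder is %s where SQLite uses ?. The table, rows, payload and allow-list are constructed for this example.

```python
"""Constructed demo: interpolated SQL vs bound parameters on an in-memory table."""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project_task (id INTEGER PRIMARY KEY, name TEXT, user_id INTEGER)")
    conn.executemany("INSERT INTO project_task (name, user_id) VALUES (?, ?)",
                     [("Alice's task", 1), ("Bob's task", 2), ("Carol's task", 3)])
    return conn

def tasks_for_user_unsafe(conn, user_id):
    """Handcrafted SQL: the value is pasted into the code, so it can change the code."""
    query = f"SELECT name FROM project_task WHERE user_id = {user_id}"
    return [row[0] for row in conn.execute(query)]

def tasks_for_user_safe(conn, user_id):
    """Code and parameters travel separately; the driver never parses the value as SQL."""
    query = "SELECT name FROM project_task WHERE user_id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]

# Identifiers (table and column names) cannot be bound as parameters. When one
# has to be dynamic, check it against an explicit allow-list before it touches
# the query text.
ORDERABLE = {"id", "name", "user_id"}

def tasks_ordered(conn, order_field):
    if order_field not in ORDERABLE:
        raise ValueError(f"cannot order by {order_field!r}")
    query = f'SELECT name FROM project_task ORDER BY "{order_field}"'
    return [row[0] for row in conn.execute(query)]

if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"
    print("unsafe:", tasks_for_user_unsafe(conn, payload))   # every user's tasks
    print("safe:  ", tasks_for_user_safe(conn, payload))     # nothing matches that text
```

The payload is the same string in both calls; only where it goes differs. In the interpolated version it becomes part of the WHERE clause and widens it to every row, in the parameterized version it is just a value compared against user_id and matches nothing. The allow-list function shows the one case parameters do not cover.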
Security - Merge checklist
New fields/models? -> ACLs to add? Sensitive fields?
New methods? -> Private by default?