Odoo Security: Recap of common developer mistakes



MISTAKE #1: using eval to parse text

It breaks the barrier between code and data


MISTAKE #1: using eval to parse text

Language     Data type          Suitable parser
Python       int, float, etc.   int(), float()
Javascript   int, float, etc.   parseInt(), parseFloat()
Python       dict               json.loads(), ast.literal_eval()
Javascript   object             JSON.parse()
...          ...                ...

There are smarter and safer ways to parse literals


MISTAKE #1: using eval to parse text

[Image: worried developer]

And when you must eval(), be doubly careful:
- User-provided data
- Custom piece of logic
- Parametrized rendering
MISTAKE #2: public vs private methods

Every model method you write should be private by default!
…until you find that you really really need to call it via RPC.
Then you have to care about securing it harder (ACL checks, etc.)
Public                    Private
def compute_this(self):   def _compute_this(self):

MISTAKE #2: public vs private methods

No, really!
MISTAKE #3: t-raw = XSS vector

YES! 🙂
t-esc="task.name"
t-field="task.name"
<span t-field="task.name"
      t-attf-class="o_task_{{task.state}}"
/>

NO! 😠
t-raw="task.name"
task_cls = 'o_task_%s' % task.state
task = '<span class="%s"/>%s' % (task_cls, task.name)
...
<span t-raw="task"/>

MAYBE… 🤨
t-raw="sanitized_body"
task_cls = ('o_task_%s' % escape(task.state))
task = '<span class="%s"/>%s' % (task_cls, escape(task.name))
...
<span t-raw="task"/>


NEW! MISTAKE #3: t-raw ⇨ t-out in v15.0!

New t-out directive: automatically adapts to the value!
- Strings = auto-escaped (like t-esc)
- Markup = passthrough (like t-raw)

BEFORE 🤔                  NOW! 😀
t-esc="task.name"          t-out="task.name"
t-raw="sanitized_body"     t-out="sanitized_body"

What's Markup?
- qweb rendering results
- fields.Html values
- your own Markup(...)

See also: odoo.com/r/nbY
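As an added illustration (not part of the slides or of Odoo's code) of the YES/NO/MAYBE columns and of the t-out rule, the following Python builds the same task span three ways and emulates t-out with a stand-in Markup class; `html.escape` and the `Markup` subclass stand in for markupsafe, and the task records are constructed samples.

```python
from html import escape  # stdlib stand-in for markupsafe.escape, which Odoo uses

class Markup(str):
    """Stand-in for markupsafe.Markup: a str already known to be safe HTML."""

# Constructed records: "name" is free text, and "state" is treated as
# untrusted too, as it would be if it arrived in a request parameter.
HOSTILE_TASK = {"name": "<script>alert(1)</script>",
                "state": 'open"><b onmouseover="alert(2)'}
BENIGN_TASK = {"name": "Fix login bug", "state": "done"}

def render_task_raw(task):
    """The 'NO!' column: plain %-formatting, later emitted with t-raw."""
    task_cls = "o_task_%s" % task["state"]
    return '<span class="%s"/>%s' % (task_cls, task["name"])

def render_task_half_escaped(task):
    """A plausible slip on the 'MAYBE...' path: only one of the two values escaped."""
    task_cls = "o_task_%s" % escape(task["state"])
    return '<span class="%s"/>%s' % (task_cls, task["name"])

def render_task_escaped(task):
    """Every untrusted value escaped, so the result may be marked as Markup."""
    task_cls = "o_task_%s" % escape(task["state"])
    return Markup('<span class="%s"/>%s' % (task_cls, escape(task["name"])))

def t_out(value):
    """Emulates the v15 t-out rule: Markup passes through, anything else is escaped."""
    if isinstance(value, Markup):
        return str(value)
    return escape(str(value))

def stray_markup_chars(fragment):
    """Count '<' and '"' beyond the one tag and two quotes the template itself
    writes; anything above zero came from the data unescaped."""
    return (fragment.count("<") - 1) + (fragment.count('"') - 2)
```

Note that t_out() on the plain string from render_task_raw() escapes the whole span as text: safe, but visibly broken, which is exactly what flags the missing Markup wrapper.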
MISTAKE #4: nonsense with getattr/setattr

Why, oh why?

Why not this?
MISTAKE #5: handcrafted SQL

It's easy to get it wrong

Nope, you can't do that

Separate code vs parameters


MISTAKE #6: careless sudo usage

Keep the sudo scope as limited as possible

Review 2x all calls done as super-user, watch out for leaked objects and side-effects

And there's more...

Other examples and explanations in the "Top 10 rules" talk from Odoo Experience 2016:
https://www.odoo.com/r/h3s
Security - Merge checklist
- New fields/models? -> ACLs to add? Sensitive fields?
- New methods? -> Private by default?
- sudo? -> Double-check scope - record leaks - args
- t-raw? -> Remove it, then seek medical advice… ;-)
- getattr? -> Find an alternative, there should be one...
- (safe)_eval? -> Triple-check! Not for parsing data, right?
- raw SQL? -> No %, concat or format(), right? Check again!

And now imagine that you're an attacker…
