Recent years have seen a steady increase in the digital threats faced by businesses, small and large alike. The security of business and personal data becomes more and more important every day, and the arrival of new regulation such as GDPR adds legal burden to the existing business risk. XSS, CSRF, SQL injection, broken authentication, data leak, and so on. All kinds of security problems happen every day, even to the biggest companies. We can't stop that, but we can at least prepare for it, by carefully considering the risks, and integrating best practices into daily coding tasks. Before trying to break it, the talk will first describe the Odoo Security Model, with a quick recap of the key features built into the framework to help developers design secure Apps. Then we'll explore a few real-life coding examples. We'll show how the security features are used in practice, and how they can be defeated if the developers are not careful, compromising the whole security of the system. Analyzing these examples will give substance and context to the security primitives, and help new and experienced developers integrate best practices into their development workflow.

1. How to Break Odoo's Security
Olivier DONY • Platform & Security
(or how to prevent it :-))
EXPERIENCE
2018
security@odoo.com - @odony

2. Odoo Security Team
★ Audit / Review source code
★ Analyze customer audits
★ Raise awareness
★ Monitor security@odoo.com
★ Responsible Disclosure Process
★ Security Advisories
odoo.com/security-report
★ Now an Official CVE Numbering
Authority (CNA)!

3. THE SECURITY
MODEL Business
Data
DATA
ACCESS
LAYER
ACCESS CONTROL
Groups
ACLs
Rules
APPS

4. GroupA
GroupB
User
Multi-Level Access Control
data
User wants to
access data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

5. Multi-Level Access Control
User wants to
access data
GroupA
GroupB
User
data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

6. data
Multi-Level Access Control
GroupA
GroupB
User
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

7. Multi-Level Access Control
Each layer controls separately the 4 CRUD operations
Create Read Update Delete
GroupA
GroupB
User
data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

8. ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups
Multi-Level Access Control
These layers controls separately the 4 CRUD operations
Create Read Update Delete
a.k.a CRWU
Create
Read
Write
Unlink
GroupA
GroupB
User
data

9. Correct ACLs are key for securing an Odoo App
fleet/
controllers/
data/
models/
views/
security/
ir.model.access.csv
security.xml
fleet.vehicle fleet.contract
<record model="res.groups" id="group_manager">
<field name="name">Fleet Manager</field>
</record>
model group C R W U
fleet.vehicle base.group_user 0 1 0 0
fleet.vehicle fleet.group_manager 1 1 1 1
fleet.contract fleet.group_manager 1 1 1 1
<record model="ir.rule" id="rule_fleet_user">
<field name="model_id" ref="model_fleet_vehicle"/>
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
<field name="domain_force">
[('driver_id', '=', user.id)]
</field>
</record>

10. Common vulnerabilities?
Injection
(SQL, Code, …)
Access Control
(Wrong checks)
Broken Auth
(Sessions/Cred)
Information
Leaks
Security
Misconfiguration
Cross-site
scripting (XSS)
Covered.
Cross-Site
Request
Forgery
(CSRF/XSRF)

11. So, how do we break in?

12. Breaks security? (1)

13. Breaks security. (1)
SQL Injection!

14. Bobby Tables...

15. Breaks security? (2)
NOPE, but close!
Ugly but not injectable

16. Breaks security? (3)

17. Breaks security? (3)
ACCESS
CONTROL!

18. Breaks security? (3)

19. Breaks security? (4)

20. Breaks security? (4)

21. Breaks security? (4)

22. Breaks security? (4)
ACCESS
CONTROL!
Accepts arbitrary fields, not just
those in the form: unsafe sudo!!

23. Breaks security? (5)
DATA LEAK!
Unsafe domain concat
Could receive partial domain: ['|',('body','ilike','password'),'&']
Result: ['|',('body','ilike','password'),
'&',('model','=','sale.order'),
('res_id','=',res_id)]

24. Breaks security? (5)
Safe domain
combination

25. There's more...
https://www.odoo.com/r/h3shttps://www.odoo.com/r/dbN

26. Merge Security Checklist
New fields/models? -> ACLs to add? Sensitive fields?
New methods? -> Private by default?
sudo? -> Double-check scope - record leaks - args
t-raw? -> Remove it quickly, unless it's a sanitized Html field
getattr? -> Find an alternative, there should be one...
(safe)_eval? -> Triple-check! Not for parsing data, right?
raw SQL? -> No %, concat or format(), right? Check again!
An ow in t o 're ta r…

27. Thank you.
#odooexperience
Security concern? ➢ security@odoo.com
EXPERIENCE
2018
Photos credits:
https://www.flickr.com/photos/129153735@N02/
https://www.flickr.com/photos/fallentomato/
https://www.flickr.com/photos/popatito_feo/
https://www.flickr.com/photos/medevac71/