Security is hard. In 2019, keeping web applications secure is an incredibly difficult task, in the face of ever-increasing diversity of software security problems. The goal of this talk is to give developers hints and best practices for ensuring the security of their Odoo code and avoiding common pitfalls. Based on the famous OWASP Top 10, and a history of security trainings given in Odoo R&D, this presentation will attempt to cover the most common security bugs found in Odoo apps, describing how they work, their impact, and how to detect and fix them during code reviews.
Prerequisites: some development experience, not necessarily in Odoo, but ideally in Python and/or JavaScript. Most of the issues will be discussed at a high level, but there will also be a few specific code analysis examples.
19. A5. BROKEN ACCESS CONTROL / IDOR (NEW)
Three layers of access control to check:
MODEL ACCESS CONTROL LISTS (per-role access)
RECORD RULES (per-user filters)
FIELD RESTRICTIONS (sensitive data)
35. REVIEW CHECKLIST
01 CONTROL ACCESS: Groups, ACLs, Rules and Fields
02 VERIFY PERMISSIONS: sudo(), controllers, private methods
03 CHECK TEMPLATES: t-raw, untrusted input escaped
04 SAFE EVAL: Eval only trusted input, iff impossible to avoid
05 BLOCK INJECTIONS: Double-check manual SQL, shell commands, etc.
06 XSS PREVENTION: DOM, Stored, Reflected, look for the signs!
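One way to put items 01 to 05 of this checklist into a reviewer's hands, as an added example that is not from the talk or from Odoo itself: a small Python scan that flags the signatures the checklist names (over-broad ACL rows, sudo() in controllers, t-raw, eval, hand-formatted SQL) in constructed excerpts of a hypothetical module. The module name, file contents and the per-rule file scopes are assumptions for illustration; a hit is a place to look during review, not a confirmed bug.

```python
import csv
import re

# Checklist items 02-05 as grep-able signatures, each limited to the file scope
# where it matters. A hit is a prompt to look, not proof of a bug.
LINE_RULES = [
    ("02 verify permissions: sudo() in a controller", r"\.sudo\(", "controllers/"),
    ("03 check templates: t-raw renders unescaped HTML", r"\bt-raw=", ".xml"),
    ("04 safe eval: dynamic evaluation of a string", r"\b(safe_)?eval\(", ".py"),
    ("05 block injections: SQL built by string formatting",
     r"cr\.execute\(\s*f[\"']|cr\.execute\(.*(%\s|\.format\()", ".py"),
]

def scan_acl_csv(path, text):
    """Item 01: ACL rows granting write/create/unlink to everyone (empty group) or portal/public."""
    hits = []
    for no, row in enumerate(csv.DictReader(text.splitlines()), 2):  # line 1 is the header
        group = row.get("group_id:id", "").strip()
        perms = [p for p in ("perm_write", "perm_create", "perm_unlink") if row.get(p) == "1"]
        if perms and group in ("", "base.group_public", "base.group_portal"):
            hits.append((path, no, "01 control access: %s grants %s to %s"
                         % (row["id"], ",".join(perms), group or "ALL users")))
    return hits

def review(files):
    """files maps path -> content; returns (path, line, check) tuples for the reviewer."""
    hits = []
    for path, text in files.items():
        if path.endswith("ir.model.access.csv"):
            hits += scan_acl_csv(path, text)
            continue
        for check, pattern, scope in LINE_RULES:
            if scope in path:
                hits += [(path, no, check) for no, line in enumerate(text.splitlines(), 1)
                         if re.search(pattern, line)]
    return hits

# Constructed excerpts of a hypothetical module, not code from any real Odoo app.
SAMPLE_FILES = {
    "my_module/controllers/portal.py":
        "    def order(self, order_id):\n"
        "        order = request.env['sale.order'].sudo().browse(order_id)\n",  # IDOR-prone
    "my_module/views/templates.xml":
        '<template id="order">\n  <div t-raw="order.note"/>\n  <div t-esc="order.name"/>\n</template>\n',
    "my_module/models/report.py":
        "        self.env.cr.execute(\"SELECT sum(x) FROM rep WHERE name = '%s'\" % name)\n"
        "        self.env.cr.execute('SELECT count(*) FROM rep WHERE name = %s', (name,))\n",
    "my_module/security/ir.model.access.csv":
        "id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink\n"
        "access_rep_all,rep all,model_rep,,1,1,1,1\naccess_rep_user,rep user,model_rep,base.group_user,1,0,0,0\n",
}
```

Running review(SAMPLE_FILES) reports the sudo() line, the t-raw node, the %-formatted SQL and the group-less ACL row, while the parameterised cr.execute() call and the read-only ACL row stay quiet.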
36. THANKS!
Do you have any questions?
security@odoo.com
@odony
CREDITS: Presentation made with icons by
FlatIcon. Font: Exo2
Related talks:
2018 “How to break Odoo’s Security”
https://odoo.com/r/A1l
2017 “Safer Odoo Code”
https://odoo.com/r/dbN