SlideShare a Scribd company logo

Safer Odoo Code [Odoo Experience 2017]

O
Olivier Dony

The document outlines the security framework of Odoo, detailing measures the security team implements to protect against vulnerabilities, with a focus on compliance with OWASP top 10 threats. It highlights common coding mistakes made by developers and emphasizes improved security features implemented in newer versions of the platform. The document encourages developers to engage with the security team for any inquiries or issues related to application security.

Software
1 of 40
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com - @odony 2017 EXPERIENCE and the pursuit thereof...
GOALS. 1. Word about our security team 2. Framework security features 3. Evolutions 4. Recap of common mistakes
GOAL. A word about the Odoo security team
MISSIONS Single point of contact - security@odoo.com Priority answer (~24h) Disclosure process & policy odoo.com/security-report Questions, audit reviews, bugs,... Internal reviews (transversal) Raising awareness Security Advisories (CVEs)
Launch Year after year...
150+ TICKETS Self-XSS FALSEPOSITIVE DKIM/DMARC Policy SSL modulus Version discl. Unexploitable XSS XSS Broken authentication Code Exec. REALTHREAT Phishing Path discl. Audit review This year...
The visible parts of the iceberg
Our heroes...
GOAL. Framework security features
THE SECURITY MODEL Business Data DATA ACCESS LAYER ACCESS CONTROL Groups ACL Rules ODOO APPS
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control CSRF protection for forms
OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control CSRF protection for forms Reduced sets of deps.
GOAL. Highlight framework security-related evolutions
Extra security logs
HTTP-only session cookies
Encrypted master password* *hashed, of course (PBKDF2-SHA512)
Database manager can be deactivated RPC calls blocked too! --no-database-list will now block access to database management screens
Encrypted database connections (tcp) SSL mode Eavesdrop MITM disable / / allow ? / prefer ? / require OK / verify-ca OK ~OK verify-full OK OK
No more Pickle! Welcome JSON!
Restricted system parameters Admin-only access!
Hardened access rights on internal data Odoo 10 Odoo 11
GOAL. Recap of common coding mistakes
GOAL.MISTAKE #1: using eval to parse text It breaks the barrier between code and data
GOAL.MISTAKE #1: using eval to parse text There are smarter and safer ways to parse literals Language Data type Suitable parser Python int, float, etc. int(), float() Javascript int, float, etc. parseInt(), parseFloat() Python dict json.loads(), ast.literal_eval() Javascript object JSON.parse() ... ... ...
GOAL.MISTAKE #1: using eval to parse text And when you must eval(), be doubly careful Custom piece of logic Parametrized rendering User- provided data Worried developer
GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong
GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong Nope, you can’t do that
GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong Separate code vs parameters
GOAL.MISTAKE #3: XSS vectors t-esc=”task.name“ t-raw=”task.name“ t-raw=”sanitized_body“ YES! ☺ NO! 😠 MAYBE… ☹ t-field=”task.name“ <span t-field=”task.name” t-attf-class=”o_task_{{task.state}}“ /> task_cls = ‘o_task_%s‘ % task.state task = ‘<span class=”%s”/>%s’ % ( task_cls, task.name ) ... <span t-raw=”task“/> task_cls = ‘o_task_%s‘ % escape(task.state) task = ‘<span class=”%s”/>%s’ % ( task_cls, escape(task.name) ) ... <span t-raw=”task“/>
MISTAKE #4: careless sudo usage Keep the sudo scope as limited as possible Review 2x all calls done as super-user, watch out for leaked objects and side-effects
And there's more... Other examples and explanations in "Top 10 rules" talk from Odoo Experience 2016. https://www.odoo.com/r/h3s
TAKEAWAYS. The framework tries to protect you from harm... as long as you don’t bypass the protections! And it's improving year after year… Get in touch with us whenever you have security questions… security@odoo.com
SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com 2017 EXPERIENCE and the pursuit thereof... Photos credits: https://www.flickr.com/photos/steve_rider/ https://www.flickr.com/photos/ericprunier/ https://www.flickr.com/photos/jezbags/ https://www.flickr.com/photos/150472095@N05/ https://www.flickr.com/photos/loosetrucks/

More Related Content

PDF
Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it)
ElínAnna Jónasdóttir
 
PDF
10 Rules for Safer Code [Odoo Experience 2016]
Olivier Dony
 
PDF
Odoo Code Hardening [Odoo Experience 2019]
Olivier Dony
 
PDF
Secure code
ddeogun
 
PDF
David Thiel - Secure Development On iOS
Source Conference
 
PPT
香港六合彩
baoyin
 
PDF
Secure by Design Microservices & Integrations
Ballerina
 
PDF
Applications secure by default
SecuRing
 
Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it)
ElínAnna Jónasdóttir
 
10 Rules for Safer Code [Odoo Experience 2016]
Olivier Dony
 
Odoo Code Hardening [Odoo Experience 2019]
Olivier Dony
 
Secure code
ddeogun
 
David Thiel - Secure Development On iOS
Source Conference
 
香港六合彩
baoyin
 
Secure by Design Microservices & Integrations
Ballerina
 
Applications secure by default
SecuRing
 

What's hot (20)

PDF
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
PDF
Simplified Security Code Review Process
Sherif Koussa
 
PDF
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
PPT
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
PDF
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
PPT
Intro to Web Application Security
Rob Ragan
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PPT
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
PDF
Web application security (eng)
Anatoliy Okhotnikov
 
PDF
Attques web
Tarek MOHAMED
 
PPTX
Hack and Slash: Secure Coding
Prathan Phongthiproek
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PDF
Owasp and friends
Mažvydas Skuodas
 
ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
PDF
Beyond OWASP Top 10 - Hack In Paris 2017
Aaron Hnatiw
 
PPTX
Web application Security tools
Nico Penaredondo
 
PPT
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
PPTX
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
PDF
t r
electronicmingle01
 
ODP
OWASP Secure Coding
bilcorry
 
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
Simplified Security Code Review Process
Sherif Koussa
 
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Intro to Web Application Security
Rob Ragan
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Web application security (eng)
Anatoliy Okhotnikov
 
Attques web
Tarek MOHAMED
 
Hack and Slash: Secure Coding
Prathan Phongthiproek
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Owasp and friends
Mažvydas Skuodas
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Beyond OWASP Top 10 - Hack In Paris 2017
Aaron Hnatiw
 
Web application Security tools
Nico Penaredondo
 
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
t r
electronicmingle01
 
OWASP Secure Coding
bilcorry
 
Ad

Similar to Safer Odoo Code [Odoo Experience 2017] (20)

PDF
According to owasp, there are eight reasons why odoo is the most secure platform
Geminate Consultancy Services
 
PPTX
Security: Odoo Code Hardening
Odoo
 
PPT
Secure code practices
Hina Rawal
 
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
PDF
10 Rules for Safer Code
Quang Ngoc
 
PPTX
OWASP Top Ten 2017
Michael Furman
 
PDF
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
PDF
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
PDF
(Un)safe Python
Ivan Tsyganov
 
PDF
Making Web Development "Secure By Default"
Duo Security
 
PDF
Web Security... Level Up
Izzet Mustafaiev
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPTX
OWASP top 10-2013
tmd800
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
PDF
2013 OWASP Top 10
bilcorry
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Secure practices with dot net services.pptx
Knoldus Inc.
 
PDF
API Security Best Practices and Guidelines
WSO2
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
According to owasp, there are eight reasons why odoo is the most secure platform
Geminate Consultancy Services
 
Security: Odoo Code Hardening
Odoo
 
Secure code practices
Hina Rawal
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
10 Rules for Safer Code
Quang Ngoc
 
OWASP Top Ten 2017
Michael Furman
 
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
(Un)safe Python
Ivan Tsyganov
 
Making Web Development "Secure By Default"
Duo Security
 
Web Security... Level Up
Izzet Mustafaiev
 
The path of secure software by Katy Anton
DevSecCon
 
OWASP top 10-2013
tmd800
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
2013 OWASP Top 10
bilcorry
 
Secure coding guidelines
Zakaria SMAHI
 
Secure practices with dot net services.pptx
Knoldus Inc.
 
API Security Best Practices and Guidelines
WSO2
 
OWASP Top Ten in Practice
Security Innovation
 
Ad

Recently uploaded (20)

PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PPTX
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
assetexplorer- product-overview - presentation
nonameist3434
 
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 

Safer Odoo Code [Odoo Experience 2017]

  • 1. SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com - @odony 2017 EXPERIENCE and the pursuit thereof...
  • 2. GOALS. 1. Word about our security team 2. Framework security features 3. Evolutions 4. Recap of common mistakes
  • 3. GOAL. A word about the Odoo security team
  • 4. MISSIONS Single point of contact - security@odoo.com Priority answer (~24h) Disclosure process & policy odoo.com/security-report Questions, audit reviews, bugs,... Internal reviews (transversal) Raising awareness Security Advisories (CVEs)
  • 6. 150+ TICKETS Self-XSS FALSEPOSITIVE DKIM/DMARC Policy SSL modulus Version discl. Unexploitable XSS XSS Broken authentication Code Exec. REALTHREAT Phishing Path discl. Audit review This year...
  • 7. The visible parts of the iceberg
  • 10. THE SECURITY MODEL Business Data DATA ACCESS LAYER ACCESS CONTROL Groups ACL Rules ODOO APPS
  • 11. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
  • 12. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
  • 13. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives
  • 14. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions
  • 15. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language
  • 16. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control
  • 17. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control
  • 18. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control CSRF protection for forms
  • 19. OWASP Top 10 The Odoo framework is designed to help developers avoid those common pitfalls OWASP Top 10 (2013) A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards High level query primitives Built-in sessions High-level templ. language CRUD-level access control CRUD-level access control CSRF protection for forms Reduced sets of deps.
  • 23. Encrypted master password* *hashed, of course (PBKDF2-SHA512)
  • 24. Database manager can be deactivated RPC calls blocked too! --no-database-list will now block access to database management screens
  • 25. Encrypted database connections (tcp) SSL mode Eavesdrop MITM disable / / allow ? / prefer ? / require OK / verify-ca OK ~OK verify-full OK OK
  • 28. Hardened access rights on internal data Odoo 10 Odoo 11
  • 29. GOAL. Recap of common coding mistakes
  • 30. GOAL.MISTAKE #1: using eval to parse text It breaks the barrier between code and data
  • 31. GOAL.MISTAKE #1: using eval to parse text There are smarter and safer ways to parse literals Language Data type Suitable parser Python int, float, etc. int(), float() Javascript int, float, etc. parseInt(), parseFloat() Python dict json.loads(), ast.literal_eval() Javascript object JSON.parse() ... ... ...
  • 32. GOAL.MISTAKE #1: using eval to parse text And when you must eval(), be doubly careful Custom piece of logic Parametrized rendering User- provided data Worried developer
  • 33. GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong
  • 34. GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong Nope, you can’t do that
  • 35. GOAL.MISTAKE #2: handcrafted SQL It’s easy to get it wrong Separate code vs parameters
  • 36. GOAL.MISTAKE #3: XSS vectors t-esc=”task.name“ t-raw=”task.name“ t-raw=”sanitized_body“ YES! ☺ NO! 😠 MAYBE… ☹ t-field=”task.name“ <span t-field=”task.name” t-attf-class=”o_task_{{task.state}}“ /> task_cls = ‘o_task_%s‘ % task.state task = ‘<span class=”%s”/>%s’ % ( task_cls, task.name ) ... <span t-raw=”task“/> task_cls = ‘o_task_%s‘ % escape(task.state) task = ‘<span class=”%s”/>%s’ % ( task_cls, escape(task.name) ) ... <span t-raw=”task“/>
  • 37. MISTAKE #4: careless sudo usage Keep the sudo scope as limited as possible Review 2x all calls done as super-user, watch out for leaked objects and side-effects
  • 38. And there's more... Other examples and explanations in "Top 10 rules" talk from Odoo Experience 2016. https://www.odoo.com/r/h3s
  • 39. TAKEAWAYS. The framework tries to protect you from harm... as long as you don’t bypass the protections! And it's improving year after year… Get in touch with us whenever you have security questions… security@odoo.com
  • 40. SAFER Odoo Code Olivier Dony Platform & Security security@odoo.com 2017 EXPERIENCE and the pursuit thereof... Photos credits: https://www.flickr.com/photos/steve_rider/ https://www.flickr.com/photos/ericprunier/ https://www.flickr.com/photos/jezbags/ https://www.flickr.com/photos/150472095@N05/ https://www.flickr.com/photos/loosetrucks/