I only checked a single function and found 2 security issues. I haven't check the rest of the code, there is probably more like this.

* IMPORTANT *
When creating a SQL query, URL query, outputting a URL parameter in the page, etc., the variables MUST BE sanitized! Drupal offer many function to do this. Use them to avoid serious security issues.
https://api.drupal.org/api/drupal/includes!common.inc/group/sanitization/7

File: biblio.crossref.client.php
Function: fetch()
URL INJECTION!!!
Line: 56
CHANGE THIS:
    $this->query = $this->url . '?pid=' . $this->pid . '&noredirect=true&format=unixref&id=doi%3A' . $this->doi;
TO THIS:
    $this->query = url($this->url, array('query' => array(
      'pid' => $this->pid,
      'noredirect' => 'true',
      'format' => 'unixref',
      'id' => 'doi:' . $this->doi
    )));
--------------------
HTML INJECTION!!!
Line: 71
CHANGE THIS:
      drupal_set_message(t('Failed to retrieve data for doi ') . $this->doi, 'error');
TO THIS:
      drupal_set_message(t('Failed to retrieve data for doi !doi', array('!doi' => check_plain($this->doi))), 'error');
CommentFileSizeAuthor
#8 biblio-2542432-7-CrossRef-results-data-sanitization.patch1.81 KBAlan D.
#6 biblio-2542432-6-CrossRef-results-data-sanitization.patch1.32 KBAlan D.
#3 biblio-sanitize_crossref_client_fetch-2542432-3.patch1.09 KBkarenann
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

gaellafond’s picture

gaellafond CreditAttribution: gaellafond commented

I also found several cases of SQL injection in the install file. Those can't easily be exploited, but there is no excuses for a SQL injection!!!
Example:

SQL INJECTION!!!
File: biblio.install
Function: biblio_update_6026()
Line: 1799
db_query("UPDATE {blocks} SET title='" . $block->title . "' WHERE bid=" . $block->bid);
rjerome’s picture

rjerome CreditAttribution: rjerome commented

Thank you for you comments @gaellafond, it's always good to have some extra eyes reviewing the code.

If you would like to submit some patches to fix the issues you mentioned, I would be happy to commit them and attribute the work to you. I couldn't help but notice that after more than 5 years in the Drupal community, you don't have any commits to your credit, so this might be an excellent opportunity...

karenann’s picture

karenann CreditAttribution: karenann as a volunteer commented
Status: Active » Needs review
FileSize
biblio-sanitize_crossref_client_fetch-2542432-3.patch1.09 KB

I've converted this to a patch and am queueing for test and further review. I only did the 2 fixes mentioned in the original post, to the modules/crossref/biblio.crossref.client.php file. I did not review any of the other code.

discipolo’s picture

discipolo CreditAttribution: discipolo commented

just a quick note that automatic review also finds a lot of problems:
http://pareview.sh/pareview/httpsgitdrupalorgprojectbibliogit-7x-1x

discipolo’s picture

discipolo CreditAttribution: discipolo commented

as far as drupalSecure standards go here is what phpcs says

Name
biblio_handler_argument_many_to_one.inc
Location
file [biblio] - .../views/biblio_handler_argument_many_to_one.inc
Problem synopsis
phpcs: Possible SQL injection in db_query() via variable $this (at line 19)

Name
biblio.install

Location
file [biblio] - .../biblio.install

Problem synopsis

phpcs: Possible SQL injection in db_query() via variable implode (at line 1513)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1517)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1521)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1524)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1540)
phpcs: Possible SQL injection in db_query() via variable $build (at line 1786)
phpcs: Possible SQL injection in db_query() via variable implode (at line 1961)

Alan D.’s picture

Alan D. CreditAttribution: Alan D. commented
FileSize
biblio-2542432-6-CrossRef-results-data-sanitization.patch1.32 KB

!doi = check_plain() was a bit redundant, re-rolled.

@ and % both use check_plain(), % also wraps it in EM tags

Also missed that the CrossRef error text was not sanitized.

Personally, use % @ for all message variables, even if they are trust worthy, it is simpler to check / test for these issues.

Safe data in these two too, but I would also do:

-      drupal_set_message(t('HTTP error: !error when trying to contact crossref.org for XML input', array('!error' => $result->code)),'error');
+      drupal_set_message(t('HTTP error: %error when trying to contact crossref.org for XML input', array('%error' => $result->code)),'error');

-      drupal_set_message(sprintf("XML error: %s at line %d",
-      xml_error_string(xml_get_error_code($this->parser)),
-      xml_get_current_line_number($this->parser)),'error');
+      drupal_set_message('XML error: %error at line @line', array(
+        '%error' => xml_error_string(xml_get_error_code($this->parser)),
+        '@line' => xml_get_current_line_number($this->parser),
+      ), 'error');

Note that these are not overly critical (excluding discipolo's ones) unless crossRef itself get's hacked. i think we need a critical security meta issue for this module while it is in RC....

Alan D.’s picture

Alan D. CreditAttribution: Alan D. commented
Title: Sanitize your code!! » CrossRef data should be sanitized

I think this is ok, no followup issue created (feel free to is some one does consider this a risk)

FILE: ...reviewsh/pareview_temp/views/biblio_handler_argument_many_to_one.inc
--------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
--------------------------------------------------------------------------
13 | WARNING | Possible SQL injection in db_query() via variable $this

False hits...

1513 | WARNING | Possible SQL injection in db_query() via variable
| | implode
1517 | WARNING | Possible SQL injection in db_query() via variable
| | implode
1521 | WARNING | Possible SQL injection in db_query() via variable
| | implode
1524 | WARNING | Possible SQL injection in db_query() via variable
| | implode
1536 | WARNING | Possible SQL injection in db_query() via variable
| | implode

  # all internally defined
  $schema = biblio_schema();
  $fieldnames = array_keys($schema['biblio_fields']['fields']);
  $field_type_fieldnames = array_keys($schema['biblio_field_type']['fields']);
  $field_type_data_fieldnames = array_keys($schema['biblio_field_type_data']['fields']);
  $xml_file = drupal_get_path('module', 'biblio') . '/field_data.xml';
  $xml = simplexml_load_file($xml_file);
  foreach ($xml->field as $field) {}

    db_query("INSERT INTO {biblio_field_type} (" . implode(", ", $field_type_fieldnames) . ")
                  VALUES (%d, %d, %d, %d, %d, %d, %d, %d, %d)", $link_data);
      db_query("INSERT INTO {biblio_field_type} (" . implode(", ", $field_type_fieldnames) . ")
                      VALUES('" . implode("', '", $values) . "')");
    $ftd = array($field['fid'], $field->default_name, $field->hint);
    db_query("INSERT INTO {biblio_field_type_data} (" . implode(", ", $field_type_data_fieldnames) . ")
                    VALUES('" . implode("', '", $ftd) . "')");
    $field_data = array($field['fid'], $field->field_name, $field->type, $field->width, $field->maxlength);
    db_query("INSERT INTO {biblio_fields} (" . implode(", ", $fieldnames) . ")
                    VALUES('" . implode("', '", $field_data) . "')");

          db_query("INSERT INTO {biblio_field_type_data} (" . implode(", ", $field_type_data_fieldnames) . ")
                        VALUES (%d, '%s', '%s')", $ftd);

Think this is a false hit too, _id_by_name() appears to use internal data only.

1744 | WARNING | Possible SQL injection in db_query() via variable
| | $build

Actual security issue if an untrusted user was allowed to set the block title...

1811 | WARNING | Possible SQL injection in db_query() via variable
| | $block

I created this patch. #2856487: Drupal 7 biblio_update_6026() is broken, but non-critical as the DB table blocks doesn't exist and can never be reached from a D7 site!

Another false hit, self defined data again in biblio_update_6031().

1877 | WARNING | Possible SQL injection in db_query() via variable
| | implode
Alan D.’s picture

Alan D. CreditAttribution: Alan D. commented
Related issues: +#1556516: HTTP error: 500 when trying to contact crossref.org for XML input
FileSize
biblio-2542432-7-CrossRef-results-data-sanitization.patch1.81 KB

This one adds the error message, closing off #1556516: HTTP error: 500 when trying to contact crossref.org for XML input by providing as much info as possible about a failed request. :)

Liam Morland’s picture

Liam Morland
Primary language English
Location Ontario, CA 🇨🇦
CreditAttribution: Liam Morland at University of Waterloo commented
Parent issue: » #2856491: Biblio Security Vulnerabilities

  • Liam Morland committed 9378c98 on 7.x-1.x authored by Alan D. 
    Issue #2542432 by Alan D., karenann, discipolo, Liam Morland: Sanitize...
  • Liam Morland committed cb62798 on 7.x-1.x authored by Alan D.
    Issue #2542432 by Alan D., karenann, discipolo, Liam Morland: Use url()...
Liam Morland’s picture

Liam Morland
Primary language English
Location Ontario, CA 🇨🇦
CreditAttribution: Liam Morland at University of Waterloo commented
Status: Needs review » Fixed

Thanks!

Liam Morland’s picture

Liam Morland
Primary language English
Location Ontario, CA 🇨🇦
CreditAttribution: Liam Morland at University of Waterloo commented
Version: 7.x-1.0-rc7 » 7.x-1.x-dev

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.