This module provides integration with the DataDome Bot Mitigation Service (https://datadome.co/).
It currently supports automated creation of the DataDome JavaScript tag https://docs.datadome.co/docs/javascript-tag and logging of access events by bots and other undesirable clients.

No other modules provide this functionality.

Roadmap

  • Integrate with core Ban IP to ban IP when DataDome disallows request (DATA_DOME_STATUS = 403)
  • Assign role based on DataDome classification (Human, Good bot, Commercial bot, Bad Bot)

Project link

https://www.drupal.org/project/datadome

Git instructions

git clone --branch 7.x-1.x https://git.drupal.org/project/datadome.git

Comments

dietric@gmail.com created an issue.

apaderno

Issue summary: updated
dietric@gmail.com

Many thanks @kiamlaluno

apaderno

Title: Datadome Integration [D7] » [D7] Datadome Integration
Priority: Normal » Major
prethiee

Hi dietric,

Please fix the pareview errors reported.

https://pareview.sh/pareview/https-git.drupal.org-project-datadome-7.x-1.x

apaderno

Status: Needs review » Needs work
apaderno

Priority: Major » Normal

(I forgot to change priority.)

dietric@gmail.com

Status: Needs work » Needs review

Please review changes to resolve pareview errors.
https://protect-eu.mimecast.com/s/PjjICoVggIPAPDMizBvQ_?domain=pareview.sh

apaderno

Assigned: Unassigned » apaderno

The only error PAReview reports is about the datadome.info file ending with two newline characters instead of one. I will manually review the code today. (I am not sure when, exactly.)

apaderno

Status: Needs review » Needs work
Issue tags: +PAreview: security

    // The hit is coming from a bot.
    $_datadome_bot_info['name'] = $bot_name = $_SERVER['HTTP_X_DATADOME_BOTNAME'];
    $_datadome_bot_info['family'] = $bot_family = $_SERVER['HTTP_X_DATADOME_BOTFAMILY'];
    $_datadome_is_bot = 'bot';
    $request_uri = $base_root . request_uri();
    watchdog('DATADOME', sprintf(' A bot name `%s` from `%s` bot family accessed %s', $bot_name, $bot_family, $request_uri));

Values obtained from the user or from HTTP headers should be sanitized when used with watchdog(). Keep in mind that the list of messages passed to watchdog() is shown inside HTML markup, and that is the reason for sanitizing those values.

See how Drupal core uses that function correctly.

      if ($feed->url != $feed_url) {
        watchdog('aggregator', 'Updated URL for feed %title to %url.', array(
          '%title' => $feed->title,
          '%url' => $feed->url,
        ));
      }
      watchdog('aggregator', 'There is new syndicated content from %site.', array(
        '%site' => $feed->title,
      ));
      drupal_set_message(t('There is new syndicated content from %site.', array(
        '%site' => $feed->title,
      )));

  $datadome_js_key = variable_get('datadome_js_key', "");
  if (!$datadome_js_key) {
    drupal_set_message(t('Datadome Js key is missing'), 'error');
    return;
  }

Instead of showing the error to every user visiting the site, it would be better to use watchdog() for logging the error, or to check the permissions the currently logged-in user has.
The code is missing the settings form page which should be used to add the required key value. The settings page should be accessible only to users who have the right permission, and that permission should be required for users to see the error message (if it isn't logged with watchdog()).

      $filepath = dirname(__FILE__) . '/README.md';
      if (file_exists($filepath)) {
        $readme = file_get_contents($filepath);
      }
      else {
        $filepath = dirname(__FILE__) . '/README.txt';
        if (file_exists($filepath)) {
          $readme = file_get_contents($filepath);
        }
      }
      if (!isset($readme)) {
        return NULL;
      }
      if (module_exists('markdown')) {
        $filters = module_invoke('markdown', 'filter_info');
        $info = $filters['filter_markdown'];
        if (function_exists($info['process callback'])) {
          $output = $info['process callback']($readme, NULL);
        }
        else {
          $output = '<pre>' . $readme . '</pre>';
        }
      }
      else {
        $output = '<pre>' . $readme . '</pre>';
      }

Plain text rendered inside HTML markup (the Drupal help page) needs to be passed to check_plain(), if the Markdown filter doesn't exist.

Remove the wrong branches: 7.x-1.beta1 is neither a branch name nor a tag name. It would be a tag name if it were 7.x-1.0-beta1. @branch is neither a branch name nor a tag name.

Also, just commit the code in the 7.x-1.x branch for the whole duration of the application. There isn't any need to create new branches, except for BC issues (which should not exist, if the project is not used by any site).
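As an added example (not code from the datadome module or from apaderno's review), here is how the three flagged spots can be written with Drupal 7's own APIs: watchdog() placeholders instead of sprintf(), a permission check before drupal_set_message(), and check_plain() on the README fallback. The function names and the 'administer site configuration' permission are assumptions.

```php
<?php
// Added example (not the module's or the reviewer's code): hardened versions of
// the three spots flagged above. Function names and the permission are assumed.

/**
 * Logs a DataDome bot hit without interpolating raw header values.
 */
function datadome_log_bot_hit() {
  global $base_root;
  // Request headers are untrusted bytes; a client can send any value.
  $bot_name = isset($_SERVER['HTTP_X_DATADOME_BOTNAME']) ? $_SERVER['HTTP_X_DATADOME_BOTNAME'] : '';
  $bot_family = isset($_SERVER['HTTP_X_DATADOME_BOTFAMILY']) ? $_SERVER['HTTP_X_DATADOME_BOTFAMILY'] : '';
  // %name and @uri placeholders are run through check_plain() when the
  // message is rendered on the "Recent log messages" page, so markup in a
  // header is displayed as text. Never sprintf() raw values into the message.
  watchdog('datadome', 'A bot named %name from the %family bot family accessed @uri.', array(
    '%name' => $bot_name,
    '%family' => $bot_family,
    '@uri' => $base_root . request_uri(),
  ));
}

/**
 * Logs a missing JavaScript key and tells only administrators about it.
 */
function datadome_check_js_key() {
  if (variable_get('datadome_js_key', '') === '') {
    watchdog('datadome', 'The DataDome JavaScript key is not configured.', array(), WATCHDOG_ERROR);
    if (user_access('administer site configuration')) {
      drupal_set_message(t('The DataDome JavaScript key is missing.'), 'error');
    }
    return FALSE;
  }
  return TRUE;
}

/**
 * Renders README text for hook_help(), escaping it when Markdown is absent.
 */
function datadome_readme_html($readme) {
  if (module_exists('markdown')) {
    $filters = module_invoke('markdown', 'filter_info');
    $info = $filters['filter_markdown'];
    if (function_exists($info['process callback'])) {
      return $info['process callback']($readme, NULL);
    }
  }
  // <pre> alone does not neutralise a literal "</pre><script>" in the file.
  return '<pre>' . check_plain($readme) . '</pre>';
}
```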

dietric@gmail.com

Thank you for the feedback, we have made the suggested changes and removed the 7.x-1.beta1 branch.

apaderno

Status: Needs work » Needs review

Remember to change status when the code has been fixed.

apaderno

Why are there commits done by Sorna Kumar?

apaderno

Status: Needs review » Postponed (maintainer needs more info)
dietric@gmail.com

Sornakumar is a developer on my team.

apaderno

These applications are done to give users a role, not to opt projects into security coverage. As such, we are evaluating the capacity of the user who applies to write secure code, follow the Drupal coding standards, and correctly use the Drupal APIs.
If there are other users who write the code, we cannot understand how much the user who applied understands.

apaderno

Status: Postponed (maintainer needs more info) » Needs work

Since most of the commits are done by the other user, I could accept this application from that user. Alternatively, you need to use a different project for applying.

dietric@gmail.com

I am directly supervising the user making the commits and reviewing the code.

apaderno

Status: Needs work » Closed (won't fix)

If you are still interested in being able to opt into security coverage for projects you create, please open a new application using a project for which the only commits (for the time required to set the application's status to Fixed) are from you.
Please don't open a new application if you aren't sure you have time to dedicate to the application, or it will be closed again as won't fix.

I am closing this application due to lack of activity.