Rafael Dohms Web Engineer

11 Aug 2011

Filtering objects using annotations

Filtering with Annotations

PHP does not have native annotation support; however, many projects have been using doc blocks to add value and semantics to code, like PHPUnit, Doctrine and Symfony. The Doctrine project did a really good job of making an annotation parser kit available, which lets you bring the power of annotations into your own project. This opens up a few possibilities.

Input Validation and Filtering

Rule #1 for developers is "Filter input, escape output". To me, treating input has two distinct and very important steps: filtering and validation. Symfony 2 has come out with a very cool Validation library which makes validation possible using annotations. It relies on a set of constraints which can be attached to the properties of your object, so you simply pass your objects to a validation service and it does the rest for you. Like this:

<?php
// src/Acme/BlogBundle/Entity/Author.php
use Symfony\Component\Validator\Constraints as Assert;

class Author
{
    /**
     * @Assert\NotBlank()
     */
    public $name;
}
?>
<?php
// Inside a Symfony2 controller, where $this->get() fetches a service
// from the container.
$author = new Author();

$validator = $this->get('validator');
$errorList = $validator->validate($author);
?>

This is a very nice and clean way of handling validation: it keeps all rules centered on the entities, making maintenance easy. A nice complement is that constraints can also be added at class level so they can use more than one property, and you can create your own constraints.

However, the library lacks one thing which Zend_Filter_Input does very well: filtering. Most data needs to be filtered before going in for validation, and even if Symfony2 offers a Data Transformer, that is not quite what is needed here, so I went with the only other solution: build one myself.

DMS\Filter

I wanted a library with all the power of the filters out there and the advantage of using annotations as its interface. So I set about studying the annotations implementation in Doctrine and the Symfony2 Validator and came up with my own Filter library. It was designed to be simple and to be used alongside Doctrine and the Symfony Validator, so it depends on Doctrine Common.

It is composed of a filter service which is capable of reading "filter rules" from object properties, even private and protected ones, and iterating over them, filtering the values. It works on the object instance itself, which is not cloned, so the object is altered in place and does not need to be returned and re-assigned.

To add rules to your properties, just declare the namespace use and go for it, like this:

<?php

namespace App\Entity;

//Import Annotations
use DMS\Filter\Rules as Filter;

class User
{
    /**
     * @Filter\StripTags()
     * @Filter\Trim()
     * @Filter\StripNewlines()
     *
     * @var string
     */
    public $name;

    /**
     * @Filter\StripTags()
     * @Filter\Trim()
     * @Filter\StripNewlines()
     *
     * @var string
     */
    public $email;
}
?>

To filter your instance, just do it like this:

<?php
use Doctrine\Common\Annotations;
use DMS\Filter\Mapping; // assumed to be the namespace of the Mapping classes used below

//Get Doctrine Reader
$reader = new Annotations\AnnotationReader();
$reader->setEnableParsePhpImports(true);

//Load AnnotationLoader
$loader = new Mapping\Loader\AnnotationLoader($reader);

//Get a MetadataFactory
$metadataFactory = new Mapping\ClassMetadataFactory($loader);

//Get a Filter
$filter = new DMS\Filter\Filter($metadataFactory);

//Get your Entity
$user = new App\Entity\User();
$user->name = "My <b>name</b>";
$user->email = " email@mail.com";

//Filter your entity (altered in place, nothing is returned)
$filter->filter($user);

echo $user->name;  //"My name"
echo $user->email; //"email@mail.com"
?>

You can also reuse an AnnotationReader already in use by the Symfony Validator, for example. The AnnotationReader is currently changing in Doctrine Common, but DMS\Filter tries to auto-configure its namespace; I will be keeping an eye on this in the future.
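The mechanism described above (reading rules from property doc blocks and filtering the instance in place, private properties included), as an added illustration that is not DMS\Filter's own code; the mapping of rule names to PHP functions is an assumption made here:

```php
<?php
// Added example, not DMS\Filter's own code: a minimal version of the mechanism
// described above. Reflection reads "@Filter\Name()" tags from property doc
// blocks and applies the matching filter in place, private properties included.
// The mapping of rule names to PHP functions is an assumption made here.
final class MiniAnnotationFilter
{
    private $rules; // rule name => filter callable
    public function __construct()
    {
        $this->rules = [
            'StripTags'     => 'strip_tags',
            'Trim'          => 'trim',
            'StripNewlines' => fn(string $v): string => str_replace(["\r", "\n"], '', $v),
        ];
    }
    /** Filters $object in place: the instance is not cloned, so nothing is returned. */
    public function filter(object $object): void
    {
        foreach ((new ReflectionObject($object))->getProperties() as $prop) {
            $doc = $prop->getDocComment();
            // "Filter" is the alias from "use DMS\Filter\Rules as Filter;" above.
            if ($doc === false || !preg_match_all('/@Filter\\\\(\w+)\(\)/', $doc, $m)) {
                continue;
            }
            $prop->setAccessible(true);       // reach private/protected too
            $value = $prop->getValue($object);
            if (!is_string($value)) {
                continue;                     // only string values are filtered
            }
            foreach ($m[1] as $rule) {        // apply in declared order
                if (!isset($this->rules[$rule])) {
                    throw new InvalidArgumentException("Unknown filter rule: $rule");
                }
                $value = ($this->rules[$rule])($value);
            }
            $prop->setValue($object, $value);
        }
    }
}
class User
{
    /** @Filter\StripTags() @Filter\Trim() @Filter\StripNewlines() */
    private $name = " My <b>name</b>\n";   // constructed sample input
    public function getName(): string { return $this->name; }
}

$user = new User();
(new MiniAnnotationFilter())->filter($user);
echo $user->getName(); // "My name"
```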

The project is available in two forms: inside the DMS library on GitHub, or as a standalone component, also on GitHub (subtree split FTW!). It has a limited number of filters, but you can develop your own filters to use, or just open up an issue and I'll create them.

Hope the library is useful and you enjoy it.

29 Sep 2009

PHP Security: Are you paying attention?

Security is a recurring topic when the talk is about technology, or any other area for that matter. Taking security for granted when you are developing an application, as simple as it may be, is a huge mistake which can take a turn for the worse. I have run into lots of excuses for ignoring security in the past; one of them is the recurring "This is just a simple application, it has no sensitive data". This may be a valid point for the person repeating it like a mantra, especially because this person is generally suffering from great pressure, short timeframes and a lack of proper management ready to deal with web development. Cal Evans, in his Open Teams session, gives a perfect example of this when he tells us about a project with an impossible due date. Upon questioning the due date, the marketing department's reply was straightforward: "Because that's when the brochures are done". This is an example of the lack of perception around web development and all the issues we need to take into consideration when developing applications.

Whatever the reason for neglecting security, the consequences can escalate much higher than the "non-sensitive data" of the application. I can cite a recent example that happened to one of the biggest Brazilian mobile companies. A simple issue was found in a file called popup.php; the purpose of the file fits into the excuse mentioned above: it just had to append the company logo and load a given file's content into a popup window.

Doing a little role-play simulation, we can easily imagine that the need for this page probably started in the <insert non-tech department> and got to the tech department with urgent priority, usually on a Friday EOD, when the manager is leaving and the developers are just waiting for the boss to leave in order to get to the closest bar for a happy hour. In the rush of things, neglecting security and any other management process, the order is "just do it". This generally leads to the easiest way out, so that whatever purpose the fix serves will be live before the weekend. No problem, you say, "leave it like that during the weekend and redo it on Monday following the proper protocols"; that's iffy behavior nonetheless, but in a real world example this feature will only be revisited on one occasion: the day it does an EPIC FAIL.

Doing a post-mortem analysis on the flaw I described, we can easily find out what happened. The final URL used by the popup.php file had a "url" GET parameter attached to it, whose value usually pointed to another HTML or PHP file. This was the first indication that this was a sleeping time bomb, so the first thing someone tried was to point it to a file, any file that would be "unexpected", like so:

[Screenshot: exploit in the URL]

The result of this request threw two security issues overlooked by the developer right in our face. Can you guess which ones?

[Screenshot: Vivo error page]

Ok, so the first mistake here was leaving display_errors on, which now reveals the second mistake, which can count as one or two depending on how you look at it. The obvious one is neglecting the security mantra everyone needs to know, which is: "Filter input, escape output". Obviously, since he actually executed an include on the file given, we can say that he did not check the value provided in the "url" parameter in any way; at the very least he should have checked that it was still inside the site's file tree.

To make this exploit something dangerous you just need to start passing it the usual sensitive Linux files, like /etc/passwd, or try to load the Apache httpd.conf file, which, BTW, actually worked:

[Screenshot: passwd]

Analysing these files showed that the issue was really bad: the actual site really had little valuable information, but it did show that the server had much more on it than just this simple site, hence the EPIC FAIL and domino effect of compromising all systems on that machine. Another factor makes this become epic: Twitter. This flaw was only fixed two days after the first report, and in the meantime it ran circles around Twitter, giving everyone the chance to look at conf files and whatever else they could think of looking for. Only the victim can tell if any sensitive data was compromised, but given the flaw and the creativity of hackers nowadays, something was surely compromised.
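What the "check that it is still inside the site's file tree" fix from the post-mortem looks like in practice, as an added example that is not the code from the incident above; the popups directory, paths and rejection behaviour are assumptions made here:

```php
<?php
// Added example, not the code from the incident above: a hardened sketch of a
// "load this file into a popup" page. The popups directory and paths are
// assumptions. The described flaw was an unchecked include of the "url"
// parameter; here the request is resolved and confined to one directory.
ini_set('display_errors', '0');  // never show PHP errors to visitors
ini_set('log_errors', '1');      // keep them in the server log instead
error_reporting(E_ALL);

/**
 * Returns the real path of $requested inside $baseDir, or null when the request
 * escapes the directory, uses a scheme or absolute path, or names a non-file.
 */
function resolve_popup_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a relative file name is acceptable: no "/etc/passwd", no "http://...".
    if ($requested[0] === '/' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // realpath() has collapsed any "../", so a prefix check on the result is reliable.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

$req  = $_GET['url'] ?? '';
$file = resolve_popup_file(__DIR__ . '/popups', is_string($req) ? $req : '');
if ($file === null) {
    http_response_code(404);    // same generic answer for every rejected request
    exit('Not found');
}
echo '<img src="/img/logo.png" alt="logo">';
readfile($file); // serve static content; do not include() a user-selected file
```

If the popups directory holds PHP templates rather than static HTML, `include $file;` on the confined path is the alternative, with the same confinement check kept in front of it.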

So security is not a simple "injection" or "pill" to give your application after it's live; security needs to come from the ground up. Leave the pills for the occasional bug which will always come up; after all, it's software. Your development cycle needs to include security topics, be they tests, validations or anything you can think of; OWASP is a great source for points to think about. No feature should roll out the door if it did not take this into consideration. One idea is to incorporate security into your Definition of Done, so a task can only be complete after security steps are taken to validate it; peer review and tests can also contribute to this, two heads are better than one. Managers should be as worried about this as the programmers. An example of a Definition of Done is:

  • Developed
  • Tested (Unit Tests written and executed)
  • Documentation (proper doc file or PHPDoc blocks for code segments)
  • Peer review
  • Security check (for known flaws, like input filtering)
  • Load Testing

Every task needs to include this. Though it may cost valuable project development time, it will save you even more valuable lawsuits if your site gets hacked. This gives the developer time to plan each feature and reduces the risk of exploits going out the door. This is part of becoming a professional developer and leaving behind the code-hacker nature which just codes and does not consider the environment around the application. Needless to say, this has to be embraced by management, because it's usually up to them to fight the battles for longer timeframes and proper development cycles, not just succumb to external pressures and risk distributing dangerous code.

26 Jan 2009

Review: Essential PHP Security

[Image: book cover]

Even though it was published in 2005, the book "Essential PHP Security" addresses a topic that is still very current today. Written by Chris Shiflett, the book goes through the various security aspects associated with a PHP application; for that reason, even today its content can be considered up to date and applicable to various day-to-day situations faced by developers.

The book has a very easy-going, example-driven approach to the various aspects it presents. These aspects are very clearly exposed and separated into chapters, going all the way from forms to includes and security in shared hosting environments. Each topic is analyzed in detail and internally divided into the exploits and attack strategies for that security flaw; that way the book also becomes an easy-to-access reference book where it's possible to go directly to the chapter that addresses the specific aspect you are coding right now, letting you know which flaws to look for. Further, the introduction chapter presents Principles and Practice of Security which can be applied in any application and any language, like for example "Defense in Depth", giving you a glimpse of the fact that security is much bigger than analyzing specific points of your application.

Even with a few years on it, the book addresses topics like XSS that play an important role in the AJAX-driven web we observe nowadays. Old friends like Session Hijacking and SQL Injection are also analyzed from various points of view, aligned to the various segments of an application. This structure makes for a very light and enjoyable reading experience which can easily fit into those moments of relaxation or the waiting room of the occasional visit to the doctor's office (it worked for me, anyway).

This book deserves to be part of any developer's history (or shelf), at least to serve as a reminder and inspiration for reflection, even in a world where more and more frameworks internalize all aspects of security; but as I always say, we developers should always know what goes on behind the curtains.


Essential PHP Security: A Guide to Building Secure Web Applications

By Chris Shiflett
October 2005
Pages: 124
ISBN 10: 0-596-00656-X | ISBN 13: 9780596006563