Skip to content

Latest commit

 

History

History
233 lines (172 loc) · 18.9 KB

mitigations.md

File metadata and controls

233 lines (172 loc) · 18.9 KB

Mitigation Strategies Analysis for yiisoft/yii2

Mitigation Strategy: Model Validation Rules (Yii2)

  • Description:

    1. Utilize Yii2 Model Validation: Within your Yii2 models, define validation rules in the rules() method for all attributes that receive user input.
    2. Employ Built-in Validators: Leverage Yii2's extensive set of built-in validators (e.g., required, string, integer, email, url, date, boolean, in, unique) to enforce data integrity and format.
    3. Create Custom Validators: For complex validation logic specific to your application, define custom validation functions or methods within your models and reference them in the rules().
    4. Ensure Validation Execution: Yii2's Active Record automatically triggers validation before saving. For manual input handling, explicitly call $model->validate() before processing user data.
    5. Handle Validation Errors using Yii2: Use $model->getErrors() to retrieve validation errors and display them to the user using Yii2's view mechanisms or API response formats.

    • Threats Mitigated:

      • SQL Injection (High Severity) - By ensuring data types and formats are validated before database queries.
      • Cross-Site Scripting (XSS) (Medium Severity) - By validating input and preventing injection of malicious scripts through input fields.
      • Data Integrity Issues (Medium Severity) - By enforcing data constraints and formats defined in models.
      • Mass Assignment Vulnerabilities (Medium Severity) - When combined with safeAttributes(), prevents unintended attribute modification.

    • Impact:

      • SQL Injection: High Reduction
      • Cross-Site Scripting: Medium Reduction
      • Data Integrity Issues: High Reduction
      • Mass Assignment Vulnerabilities: Medium Reduction

    • Currently Implemented: Partially implemented. Model validation is used for basic input fields in many forms, leveraging Yii2's built-in validators.

    • Missing Implementation:

      • Custom validators are needed for more complex business logic and data constraints in several models.
      • Validation rules need to be consistently applied across all models and input points, including API endpoints.
      • Review and enhance existing validation rules to cover a wider range of potential threats.

Mitigation Strategy: Safe Attributes in Active Record (Yii2)

  • Description:

    1. Define safeAttributes() in Yii2 Models: In each Yii2 Active Record model, implement the safeAttributes() method.
    2. List Allowed Attributes: Within safeAttributes(), return an array containing only the attributes that are explicitly permitted to be mass-assigned via user input or external data.
    3. Restrict Mass Assignment: By defining safeAttributes(), Yii2 will prevent mass assignment of any attributes not listed, protecting against unintended modifications.
    4. Regularly Review safeAttributes(): As models evolve, regularly review and update the safeAttributes() method to ensure it accurately reflects which attributes should be mass-assignable.

    • Threats Mitigated:

      • Mass Assignment Vulnerabilities (High Severity) - Prevents attackers from manipulating model attributes they should not be able to modify through malicious input.

    • Impact:

      • Mass Assignment Vulnerabilities: High Reduction

    • Currently Implemented: Partially implemented. safeAttributes() is defined in some key models, but not consistently across all Active Record models.

    • Missing Implementation:

      • Implement safeAttributes() in all Active Record models, especially those handling user input or data from external sources.
      • Establish a process to review and update safeAttributes() whenever model attributes are changed or added.

Mitigation Strategy: HTMLPurifier for Rich Text Input (Yii2 Extension)

  • Description:

    1. Install yii2-htmlpurifier: Install the official Yii2 HTMLPurifier extension using Composer: composer require yiisoft/yii2-htmlpurifier.
    2. Configure HtmlPurifier Component (Yii2): Configure the htmlPurifier component in your Yii2 application configuration (e.g., config/web.php). Customize settings like allowed tags, attributes, and CSS properties as needed.
    3. Sanitize Output with HtmlPurifier::process() (Yii2): In your Yii2 views, use HtmlPurifier::process($richTextInput) to sanitize rich text input before displaying it. This will remove or encode potentially harmful HTML.
    4. Consider Input Sanitization (Yii2): For enhanced security, sanitize rich text input using HtmlPurifier::process() before saving it to the database, in your Yii2 controllers or models.

    • Threats Mitigated:

      • Cross-Site Scripting (XSS) (High Severity) - Effectively prevents XSS attacks from user-provided rich text content by sanitizing HTML.

    • Impact:

      • Cross-Site Scripting: High Reduction (specifically for rich text input)

    • Currently Implemented: Not implemented. Rich text input is displayed without sanitization in areas like blog comments and user profiles.

    • Missing Implementation:

      • Install and configure the yii2-htmlpurifier extension.
      • Implement HtmlPurifier::process() in Yii2 views where rich text is displayed.
      • Consider input-side sanitization within Yii2 controllers or models before database storage.

Mitigation Strategy: Context-Aware Output Encoding with Yii2 Helpers

  • Description:

    1. Identify Output Points in Yii2 Views: Locate all instances in your Yii2 views, layouts, and API responses where user-provided data is outputted.
    2. Use Html::encode() for Plain Text (Yii2): For displaying plain text user input in HTML, use \yii\helpers\Html::encode($userInput). This escapes HTML special characters, preventing XSS.
    3. Use Html::tag() and Encoding for Attributes (Yii2): When outputting user input within HTML attributes, use \yii\helpers\Html::tag() or other Yii2 HTML helper methods that handle attribute encoding.
    4. Use Url::encode() for URLs (Yii2): When constructing URLs with user input, use \yii\helpers\Url::encode($userInput) or urlencode() to properly encode URL parameters and prevent URL injection.
    5. Use json_encode() for JavaScript Output (Yii2/PHP): If user data must be output in JavaScript, use json_encode($userInput) to safely encode data for JavaScript consumption.

    • Threats Mitigated:

      • Cross-Site Scripting (XSS) (High Severity) - Prevents XSS by ensuring user data is encoded based on the output context (HTML, JavaScript, URL) using Yii2 helpers.

    • Impact:

      • Cross-Site Scripting: High Reduction

    • Currently Implemented: Partially implemented. Html::encode() is used in many views, but not consistently for all user-provided data output.

    • Missing Implementation:

      • Systematically review all Yii2 views and layouts to ensure Html::encode() or appropriate encoding is used for all user-provided data.
      • Pay specific attention to encoding user input within HTML attributes and JavaScript code in Yii2 views.
      • Train developers on context-aware output encoding using Yii2 helpers.

Mitigation Strategy: Role-Based Access Control (RBAC) with Yii2 AuthManager

  • Description:

    1. Configure Yii2 AuthManager: Configure the authManager component in your Yii2 application configuration (e.g., config/web.php). Choose a database-based storage for RBAC data.
    2. Define Roles and Permissions (Yii2 AuthManager): Use Yii2's AuthManager API (or database migrations/seeders) to define roles (e.g., 'admin', 'editor', 'author') and permissions (e.g., 'createPost', 'updatePost', 'deletePost').
    3. Assign Permissions to Roles (Yii2 AuthManager): Associate permissions with roles using Yii2's AuthManager, defining what actions each role is allowed to perform.
    4. Assign Roles to Users (Yii2 AuthManager): Assign roles to users based on their responsibilities using Yii2's AuthManager.
    5. Implement Access Checks with Yii::$app->user->can() (Yii2): In your Yii2 controllers and views, use Yii::$app->user->can('permissionName') to check if the current user has the required permission to access resources or perform actions.

    • Threats Mitigated:

      • Unauthorized Access (High Severity) - Prevents users from accessing functionalities or data they are not authorized to access, using Yii2's RBAC system.
      • Privilege Escalation (Medium Severity) - Reduces the risk of users gaining elevated privileges beyond their assigned roles within the Yii2 application.

    • Impact:

      • Unauthorized Access: High Reduction
      • Privilege Escalation: Medium Reduction

    • Currently Implemented: Partially implemented. Basic user roles exist, but granular permissions and consistent RBAC enforcement using Yii2's AuthManager are lacking.

    • Missing Implementation:

      • Design a comprehensive RBAC structure with granular permissions using Yii2's AuthManager.
      • Define and assign permissions to roles using Yii2's AuthManager API.
      • Implement access checks using Yii::$app->user->can() in Yii2 controllers and views throughout the application.
      • Extend RBAC to cover API endpoints and background tasks within the Yii2 application.

Mitigation Strategy: CSRF Protection and Form Handling (Yii2)

  • Description:

    1. Verify CSRF Protection Enabled (Yii2): Ensure CSRF protection is enabled in your Yii2 application configuration (components.request.enableCsrfValidation = true). This is enabled by default in Yii2.
    2. Use ActiveForm Widget (Yii2): Utilize Yii2's ActiveForm widget for form creation. It automatically handles CSRF token generation and validation.
    3. Use Html::csrfMetaTags() for Manual Forms/AJAX (Yii2): If not using ActiveForm or for AJAX requests, include \yii\helpers\Html::csrfMetaTags() in your Yii2 layout or form to generate CSRF meta tags.
    4. Handle CSRF Token in AJAX Requests (Yii2/JavaScript): For AJAX requests modifying data, retrieve the CSRF token from the meta tag ($('meta[name="csrf-token"]').attr("content")) and include it in the request headers or data.
    5. Avoid Bypassing Yii2 CSRF Protection: Do not implement custom form handling that circumvents Yii2's built-in CSRF protection mechanisms.

    • Threats Mitigated:

      • Cross-Site Request Forgery (CSRF) (High Severity) - Prevents CSRF attacks by leveraging Yii2's built-in CSRF protection.

    • Impact:

      • Cross-Site Request Forgery: High Reduction

    • Currently Implemented: CSRF protection is enabled in Yii2 configuration. ActiveForm is used for many forms.

    • Missing Implementation:

      • Verify CSRF token handling for all AJAX requests that modify data within the Yii2 application.
      • Review custom form handling logic to ensure proper CSRF protection if ActiveForm is not used in specific Yii2 components.

Mitigation Strategy: File Upload Security (Yii2)

  • Description:

    1. Use UploadedFile and File Validators (Yii2): In Yii2 controllers, use \yii\web\UploadedFile::getInstance() to handle file uploads. In Yii2 models, use file validators (e.g., file, image) in rules() to validate file types, sizes, and extensions server-side.
    2. Whitelist File Types and Extensions (Yii2 Validators): Strictly whitelist allowed file types and extensions using Yii2's file validators.
    3. Limit File Size (Yii2 Validators): Enforce file size limits using Yii2's file validators to prevent DoS attacks.
    4. Store Files Outside Webroot (Yii2 Configuration): Configure your Yii2 application to store uploaded files in a directory outside the webroot. Use Yii2's path aliases and file system components for secure storage management.
    5. Generate Unique Filenames (Yii2 Application Logic): Implement logic within your Yii2 application to generate unique and unpredictable filenames for uploaded files.

    • Threats Mitigated:

      • Remote Code Execution (RCE) (High Severity) - Prevents malicious file uploads and execution by using Yii2's file handling and validation features.
      • Cross-Site Scripting (XSS) (Medium Severity) - Prevents XSS through malicious file uploads by validating file types and storing files securely.
      • Directory Traversal (Medium Severity) - By storing files outside webroot and using unique filenames within Yii2.
      • Denial of Service (DoS) (Medium Severity) - Mitigates DoS through file size limits enforced by Yii2 validators.

    • Impact:

      • Remote Code Execution: High Reduction
      • Cross-Site Scripting: Medium Reduction
      • Directory Traversal: Medium Reduction
      • Denial of Service: Medium Reduction

    • Currently Implemented: Basic file upload for profile pictures exists. File type and size validation are partially implemented using Yii2 validators. Files are currently stored within the webroot.

    • Missing Implementation:

      • Move file storage outside the webroot using Yii2's path aliases and configuration.
      • Implement unique and unpredictable filename generation within the Yii2 application.
      • Review and strengthen file upload validation using Yii2 validators, ensuring strict whitelisting.

Mitigation Strategy: Dependency Management and Component Security (Yii2/Composer)

  • Description:

    1. Regularly Update Yii2 and Dependencies (Composer): Establish a schedule for updating Yii2 framework, extensions, and Composer dependencies using composer update.
    2. Monitor Yii2 Security Advisories: Subscribe to Yii2 security advisories to stay informed about vulnerabilities and patches.
    3. Use composer audit (Composer): Integrate composer audit into your development workflow or CI/CD pipeline to identify known vulnerabilities in dependencies.
    4. Audit Yii2 Extensions: Carefully evaluate and audit third-party Yii2 extensions before use, checking their source and security track record.

    • Threats Mitigated:

      • Vulnerabilities in Dependencies (High Severity) - Addresses vulnerabilities in Yii2, extensions, and libraries managed by Composer.

    • Impact:

      • Vulnerabilities in Dependencies: High Reduction

    • Currently Implemented: Dependency updates are performed occasionally. composer audit is not regularly used.

    • Missing Implementation:

      • Establish a regular schedule for dependency updates using Composer.
      • Integrate composer audit into CI/CD and run it regularly.
      • Implement a process for auditing Yii2 extensions before integration.

Mitigation Strategy: Error Handling and Debugging Security (Yii2 Configuration)

  • Description:

    1. Disable Debug Mode in Production (Yii2 Configuration): Ensure YII_DEBUG is set to false in your production index.php file.
    2. Configure Custom Error Handlers (Yii2 Configuration): Configure Yii2's error handler component to use custom error views in production, avoiding detailed error messages to users.
    3. Secure Logging (Yii2 Configuration): Configure Yii2's logging component to log errors securely, storing logs outside the webroot and implementing log rotation.
    4. Generic Error Pages (Yii2 Views): Display generic, user-friendly error pages to users in production using Yii2 views.

    • Threats Mitigated:

      • Information Disclosure (Medium Severity) - Prevents attackers from gaining information through detailed error messages exposed by Yii2 in debug mode.
      • Path Disclosure (Low Severity) - Prevents path disclosure via error messages.

    • Impact:

      • Information Disclosure: Medium Reduction
      • Path Disclosure: Low Reduction

    • Currently Implemented: Debug mode is disabled in production. Default Yii2 error handling is used. Logging is configured to files.

    • Missing Implementation:

      • Implement custom error views for generic error pages in production within Yii2.
      • Secure log file storage outside webroot and implement log rotation within Yii2 logging configuration.

Mitigation Strategy: Configuration Security (Yii2)

  • Description:

    1. Secure Yii2 Configuration Files: Protect Yii2 configuration files (e.g., config/web.php, config/db.php) with appropriate file permissions.
    2. Externalize Sensitive Configuration (Yii2 Best Practices): Store sensitive configuration data (database credentials, API keys) outside of code repository and configuration files, using environment variables or secure configuration management tools as recommended by Yii2 best practices.
    3. Review Yii2 Configuration Regularly: Periodically review Yii2 application configuration for security misconfigurations.
    4. Use Environment-Specific Configurations (Yii2): Utilize Yii2's environment-specific configuration files to manage different settings for development, staging, and production, ensuring production configurations are hardened.

    • Threats Mitigated:

      • Information Disclosure (High Severity) - Prevents exposure of sensitive configuration data stored in Yii2 configuration files.
      • Configuration Tampering (Medium Severity) - Protects Yii2 configuration from unauthorized modification.

    • Impact:

      • Information Disclosure: High Reduction
      • Configuration Tampering: Medium Reduction

    • Currently Implemented: Configuration files are in the repository. File permissions are not explicitly hardened. Environment-specific configurations are used, but sensitive data is still in configuration files.

    • Missing Implementation:

      • Implement secure externalization of sensitive configuration data using environment variables or secure tools, following Yii2 best practices.
      • Harden file permissions for Yii2 configuration files.
      • Establish a process for regular security review of Yii2 application configuration.