Skip to content

Latest commit

 

History

History
106 lines (91 loc) · 10.4 KB

mitigations.md

File metadata and controls

106 lines (91 loc) · 10.4 KB

Mitigation Strategies Analysis for yiisoft/yii2

Mitigation Strategy: Input Validation and Sanitization - Leverage Yii2's Built-in Validation Rules

  • Description:
    1. Define Validation Rules in Models: For each model handling user input, define comprehensive validation rules within the rules() method. Utilize Yii2's built-in validators (e.g., required, string, integer, email, url, date, boolean, unique, exist, custom validators). Specify data types, lengths, formats, allowed values, and constraints for each input attribute.
    2. Apply Validation in Controllers/Actions: In controllers/actions processing user input, call $model->validate() before further logic. Handle validation errors appropriately using $model->getErrors().
  • Threats Mitigated:
    • SQL Injection (Medium): Indirectly reduces risk by ensuring data types and formats, preventing malicious SQL code injection.
    • Cross-Site Scripting (XSS) (Low): Indirectly mitigates XSS by ensuring input data conforms to expected formats.
    • Data Integrity Issues (High): Prevents invalid data storage, ensuring data consistency.
    • Application Logic Errors (Medium): Reduces errors from processing invalid input.
  • Impact:
    • SQL Injection: Medium
    • Cross-Site Scripting: Low
    • Data Integrity Issues: High
    • Application Logic Errors: Medium
  • Currently Implemented: Partially implemented in app\models\ContactForm.php and app\models\User.php. Basic validation rules are defined in model layer.
  • Missing Implementation: Missing comprehensive validation rules in API endpoints (app\controllers\ApiController.php) and incomplete rules for complex models like app\models\Product.php and app\models\Order.php. Missing validation in custom form requests.

Mitigation Strategy: Output Encoding and Sanitization with HtmlPurifier

  • Description:
    1. Install HtmlPurifier: Install yiisoft/yii2-htmlpurifier extension via Composer: composer require yiisoft/yii2-htmlpurifier.
    2. Sanitize Output in Views: In view files, use yii\helpers\HtmlPurifier::process($output) to sanitize output containing user-generated content before displaying it in HTML.
    3. Set defaultHtmlEncode in View Component: Configure the view component in config/web.php or config/main.php to enable defaultHtmlEncode: true for automatic HTML-encoding by default.
  • Threats Mitigated:
    • Cross-Site Scripting (XSS) (High): Effectively prevents XSS attacks by sanitizing HTML output.
  • Impact:
    • Cross-Site Scripting: High
  • Currently Implemented: HtmlPurifier is used in app\views\site\contact.php. defaultHtmlEncode is set to true in config/web.php. Implemented in view layer and configuration.
  • Missing Implementation: HtmlPurifier is not consistently applied across all views, especially in user profile pages (app\views\user\profile.php) and admin panels. Missing sanitization in API responses returning HTML content.

Mitigation Strategy: Parameterized Queries and Active Record/Query Builder

  • Description:
    1. Use Active Record for Database Interactions: Primarily utilize Yii2's Active Record for database operations, which inherently use parameterized queries.
    2. Use Query Builder for Complex Queries: Leverage Yii2's Query Builder for complex queries, also supporting parameter binding.
    3. Parameter Binding with Raw SQL (If Necessary): If raw SQL is needed, use parameter binding with placeholders and bindValues()/bindValue() methods of the command object.
  • Threats Mitigated:
    • SQL Injection (High): Effectively prevents SQL injection attacks by treating user input as data, not SQL code.
  • Impact:
    • SQL Injection: High
  • Currently Implemented: Active Record and Query Builder are used throughout the application in models and controllers. Parameterized queries are implicitly used. Implemented in model and controller layers.
  • Missing Implementation: Refactor raw SQL queries in legacy code within app\components\DataProcessor.php to use parameterized queries or Query Builder.

Mitigation Strategy: CSRF Protection

  • Description:
    1. Enable CSRF Validation in Configuration: Ensure CSRF protection is enabled in config/web.php or config/main.php by setting 'enableCsrfValidation' => true in the request component.
    2. Use Html::beginForm() or ActiveForm::begin() for Forms: Use Yii2's Html::beginForm() or ActiveForm::begin() to generate forms, automatically including CSRF tokens.
    3. Handle AJAX Requests (If Necessary): For AJAX requests modifying data, include the CSRF token from Yii::$app->request->csrfToken in headers or POST data.
  • Threats Mitigated:
    • Cross-Site Request Forgery (CSRF) (High): Prevents CSRF attacks by validating requests originate from legitimate users.
  • Impact:
    • Cross-Site Request Forgery: High
  • Currently Implemented: CSRF validation is enabled in config/web.php. ActiveForm::begin() is used for most forms. Implemented in configuration and view layer.
  • Missing Implementation: CSRF token is not included in AJAX requests from custom JavaScript in the admin panel. AJAX calls need to be updated to include CSRF tokens.

Mitigation Strategy: Robust Authentication and Authorization (RBAC)

  • Description:
    1. Implement Authentication using Yii2's User Component: Utilize Yii2's User component for authentication. Configure it in config/web.php or config/main.php, specifying the identity class. Implement authentication logic in the identity class and login/logout actions using Yii::$app->user->login() and Yii::$app->user->logout(). Use Yii::$app->security for password hashing.
    2. Implement Role-Based Access Control (RBAC) using Yii2's AuthManager: Set up Yii2's AuthManager for RBAC in config/web.php or config/main.php. Define roles, permissions, and rules. Assign roles to users. Use Yii::$app->user->can() for authorization checks.
    3. Session Management Security: Configure session settings in config/web.php or config/main.php within the session component. Set secure cookie parameters and consider session timeouts. Regenerate session IDs after login using Yii::$app->session->regenerateID(true).
  • Threats Mitigated:
    • Unauthorized Access (High): RBAC and authentication prevent unauthorized access to resources.
    • Account Takeover (High): Secure password storage and session management reduce account takeover risk.
    • Privilege Escalation (Medium): RBAC prevents privilege escalation through granular access control.
  • Impact:
    • Unauthorized Access: High
    • Account Takeover: High
    • Privilege Escalation: Medium
  • Currently Implemented: Basic authentication using Yii2's User component and password hashing is implemented. Session cookies are set to httpOnly: true. Implemented in model, controller, configuration, and view layers.
  • Missing Implementation: Proper RBAC system using Yii2's AuthManager is missing. Access control is currently based on simple role checks. Session regeneration after login is missing.

Mitigation Strategy: Error Handling and Debugging in Production

  • Description:
    1. Disable Debug Mode in Production: Disable debug mode (YII_DEBUG) in production by setting YII_DEBUG to false in server environment variables or application entry point.
    2. Configure Error Handling in config/web.php or config/main.php: Customize the errorHandler component. Set errorAction and configure error logging using the log component.
    3. Display Generic Error Pages in Production: Render generic, user-friendly error pages in the error action (site/error) instead of detailed error messages.
  • Threats Mitigated:
    • Information Disclosure (Medium): Prevents attackers from gaining sensitive information through detailed error messages exposed in debug mode.
  • Impact:
    • Information Disclosure: Medium
  • Currently Implemented: Debug mode is disabled in production. errorHandler is configured to use 'site/error' action. Generic error page is displayed. Implemented in configuration and server environment.
  • Missing Implementation: Integration with a dedicated error tracking system (e.g., Sentry, Rollbar) is missing for more effective error monitoring.

Mitigation Strategy: Gii and Debug Toolbar Security

  • Description:
    1. Disable Gii in Production: Disable Gii module in production by removing or commenting out its configuration in config/web.php or config/main.php.
    2. Disable Debug Toolbar in Production: Disable the debug toolbar module in production by removing or commenting out its configuration in config/web.php or config/main.php.
    3. Restrict Access to Gii in Development/Staging (Optional): Restrict access to Gii in development/staging using IP address restrictions or authentication in the Gii module configuration.
  • Threats Mitigated:
    • Information Disclosure (Medium): Prevents exposure of sensitive information through Gii and debug toolbar in production.
    • Remote Code Execution (Low): Eliminates potential RCE risk associated with Gii.
    • Unauthorized Code Generation/Modification (Medium): Prevents misuse of Gii for code manipulation in production.
  • Impact:
    • Information Disclosure: Medium
    • Remote Code Execution: Low
    • Unauthorized Code Generation/Modification: Medium
  • Currently Implemented: Gii and debug toolbar modules are commented out in config/web.php for production. Disabled in production configuration.
  • Missing Implementation: Access to Gii is not restricted in the development environment. IP address restrictions or authentication should be implemented for Gii in development and staging.