Security - Re-organize pages

ca985d07 · Sean Madsen · af3b4f60 · af3b4f60 · ca985d07 · ca985d07
Commit ca985d07 authored 7 years ago by Sean Madsen
--- a/docs/secure/index.md
+++ b/docs/secure/index.md
-# Secure Coding
-
-## Introduction
-
-This chapter will look at how developers interact with the the permissions and access control framework that is contained within CiviCRM its self. Also looks at how you can secure CiviCRM through reporting any vulerabilities you come across. This chapter will be primarily focusing on CiviCRM Core over any specific extension situation.
--- a/docs/secure/access.md
+++ b/docs/secure/access.md
--- a/docs/standards/secure.md
+++ b/docs/standards/secure.md
-# Secure Coding Standards
+# Secure Coding

 ## Introduction

@@ -136,30 +136,4 @@ CiviCRM's strategy is as follows:
    1. SQL: validate and encode
    1. Shell: validate and encode

-## In AngularJS

-For AngularJS templates, developers should consult the AngularJS [$sanitize documentation](https://docs.angularjs.org/api/ngSanitize/service/$sanitize).
-
-## Handling Request variables
-
-Through the CiviCRM code base you will find that there are a number of times where CiviCRM takes variables passed to it through the URL e.g. `?cid=1234` or `?id=1234`. CiviCRM has put in place some inbuilt functions that help to ensure that no dangerous values are able to be passed through.
-
-```php
-$cid = CRM_Utils_Request::retrieve('cid', 'Positive', $this);
-$id = CRM_Utils_Request::retrieve('id', 'Positive', $this, FALSE, NULL, 'GET');
-$angPage = CRM_Utils_Request::retrieve('angPage', 'String', $this);
-if (!preg_match(':^[a-zA-Z0-9\-_/]+$:', $angPage)) {
-  CRM_Core_Error::fatal('Malformed return URL');
-}
-$backUrl = CRM_Utils_System::url('civicrm/a/#/' . $angPage);
-```
-
-What you will notice above is that one of the key things there is the usage of `CRM_Utils_Request::retrieve` This function takes in whatever request variables have been passed to the page or form etc, gets the key requested out of it, then ensures that it meets a specific type of value. The acceptable types can be found in [CRM_Utils_Type::validate](https://github.com/civicrm/civicrm-core/blob/60050425316acb3726305d1c34908074cde124c7/CRM/Utils/Type.php#L378). 
-
-## Passing variables into SQL
-
-Developers should ensure that whenever they pass variables into SQL statements that they do it in the proper standard. More information can be found in the [SQL Coding Standards](/standards/sql/).
-
-## References
-
- - Escape on Input v Escape on output [Stack exchange](https://security.stackexchange.com/questions/95325/input-sanitization-vs-output-sanitization) [Stack Overflow](https://stackoverflow.com/questions/11253532/html-xss-escape-on-input-vs-output).
--- a/docs/security/inputs.md
+++ b/docs/security/inputs.md
+# Securing your inputs
+
+## `GET` parameters
+
+Through the CiviCRM code base you will find that there are a number of times where CiviCRM takes variables passed to it through the URL e.g. `?cid=1234` or `?id=1234`. CiviCRM has put in place some inbuilt functions that help to ensure that no dangerous values are able to be passed through.
+
+```php
+$cid = CRM_Utils_Request::retrieve('cid', 'Positive', $this);
+$id = CRM_Utils_Request::retrieve('id', 'Positive', $this, FALSE, NULL, 'GET');
+$angPage = CRM_Utils_Request::retrieve('angPage', 'String', $this);
+if (!preg_match(':^[a-zA-Z0-9\-_/]+$:', $angPage)) {
+  CRM_Core_Error::fatal('Malformed return URL');
+}
+$backUrl = CRM_Utils_System::url('civicrm/a/#/' . $angPage);
+```
+
+What you will notice above is that one of the key things there is the usage of `CRM_Utils_Request::retrieve` This function takes in whatever request variables have been passed to the page or form etc, gets the key requested out of it, then ensures that it meets a specific type of value. The acceptable types can be found in [CRM_Utils_Type::validate](https://github.com/civicrm/civicrm-core/blob/60050425316acb3726305d1c34908074cde124c7/CRM/Utils/Type.php#L378). 
+
+## `POST` parameters
+
+TODO
+
--- a/docs/standards/sql.md
+++ b/docs/standards/sql.md
-# SQL Coding Standards
+# Securing your outputs
+
+## In Smarty
+
+### Between tags
+
+TODO
+
+### In attributes
+
+TODO
+
+
+## In AngularJS templates
+
+TODO
+
+
+## SQL

 When writing SQL, it is very important that developers protect against [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) by ensuring that all variables are passed into SQL safely and securely.

 This page describes the inbuilt parameterization tools available for safely executing SQL.

-## `CRM_Core_DAO::executeQuery` {:#executeQuery}
+### `CRM_Core_DAO::executeQuery` {:#executeQuery}

 ```php
 $name = 'John Smith'; /* un-trusted data */
@@ -27,7 +45,7 @@ This example ensures that variables are safely escaped before being inserted int

 The variable types available for this can be found in [CRM_Utils_Type::validate](https://github.com/civicrm/civicrm-core/blob/60050425316acb3726305d1c34908074cde124c7/CRM/Utils/Type.php#L378). The query engine then applies appropriate escaping for the type.

-## `CRM_Utils_Type::escape` {:#escape}
+### `CRM_Utils_Type::escape` {:#escape}

 In some circumstances you may find that a complex query is easier to build by directly escaping values using the `CRM_Utils_Type::escape()` method. It is prefereable to use the form above or the `CRM_Utils_SQL_Select` format

@@ -37,7 +55,7 @@ $column = CRM_Utils_Type::escape('civicrm_contact.display_name', 'MysqlColumnNam
 $result = CRM_Core_DAO::executeQuery("SELECT FROM civicrm_contact WHERE $column like '%$name%'");
 ```

-## `CRM_Utils_SQL_Select`
+### `CRM_Utils_SQL_Select`

 Since CiviCRM 4.7 version there has been an alternate way of generating SQL -- use `CRM_Utils_SQL_Select`. Compared to plain `CRM_Core_DAO`, it has three advantages:

@@ -96,3 +114,15 @@ $records = CRM_Utils_SQL_Select::from('mytable')
 ```

 Further information on this method can be found in the [CRM_Utils_SQL_Select class](https://github.com/civicrm/civicrm-core/blob/6db7061/CRM/Utils/SQL/Select.php#L33)
+
+## PHP
+
+TODO
+
+https://stackoverflow.com/questions/3115559/exploitable-php-functions
+
+
+## Shell commands
+
+TODO
+
--- a/docs/secure/permissions.md
+++ b/docs/secure/permissions.md
--- a/docs/secure/reporting.md
+++ b/docs/secure/reporting.md
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -84,11 +84,13 @@ pages:
  # CiviMail: /reference/civimail.md
  # CiviReport: /reference/civireport.md
  # Payment Processing: /reference/payment.md
- Secure Coding:
-  - Introduction: secure/index.md
-  - Acess Control: secure/access.md
-  - Permissions: secure/permissions.md
-  - Reporting a Security Vulnerability: secure/reporting.md
+- Security:
+  - Secure Coding: security/index.md
+  - Securing Inputs: security/inputs.md
+  - Securing Outputs: security/outputs.md
+  - Acess Control: security/access.md
+  - Permissions: security/permissions.md
+  - Reporting a Security Vulnerability: security/reporting.md
 - API:
  - APIv3 Intro: api/index.md
  - APIv3 Usage: api/usage.md
@@ -228,9 +230,7 @@ pages:
 - Coding Standards:
  - Coding Standards: standards/index.md
  - PHP Standards: standards/php.md
-  - SQL Standards: standards/sql.md
  - Javascript Reference: standards/javascript.md
-  - Secure Coding: standards/secure.md
  # API: standards/api.md
  # Git: standards/git.md
 - Documentation: