XF 2.3 Securing an Addon

Liam C.

Member
Hi there, I am currently creating an addon and I'm looking to ensure it's as secure as possible, and would like to know your thoughts or suggestions on how to improve it.

I'm currently defining each route's controller with hasPermission at the start before anything else, and returning no permission. Is this a one-size-fits-all solution? Is there any concern?



Second, we're handling form creation. I'm aware to use <xf:form> as it has more security with it but is there anything else I should be doing?

Third, we're soon going to be handling a very sensitive API route for a particular route accessible only to a few. I plan to assign the credentials of this API route in the config and make a class to fetch this data. Are there any concerning implications in how users could potentially abuse this?
 
If you use the built-in tools and existing source as a reference, you should be reasonably secure as a rule of thumb (but of course not a guarantee). Permissions are designed to gate actions by users and groups, so if that's what you want to do then they will help you do that. You can remove some boilerplate (or the potential to forget to guard an action) by overriding preDispatchController:

PHP:
use XF\Mvc\ParameterBag;

// In your controller class: this runs before every action, so the check cannot be forgotten
protected function preDispatchController($action, ParameterBag $params)
{
    if (!\XF::visitor()->hasPermission('groupId', 'permissionId'))
    {
        throw $this->exception($this->noPermission());
    }
}

Second, we're handling form creation. I'm aware to use <xf:form> as it has more security with it but is there anything else I should be doing?
The most important things are probably to sanitize input (using $this->filter(...) in the controller), and to use entities (or at least the DBAL) to perform all database operations. More complex queries should use prepared statements, and failing that manual quoting, for any variable values.

Third, we're soon going to be handling a very sensitive API route for a particular route accessible only to a few. I plan to assign the credentials of this API route in the config and make a class to fetch this data. Are there any concerning implications in how users could potentially abuse this?
If you mean you need to consume a third-party API and you need a place to put credentials, then you would typically use options. If they're really sensitive (i.e. admins who can change options should never see them), then storing them in config.php is fine. You can fetch any value from the config out of the box:

PHP:
$someKey = \XF::config('someKey');
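As an added example (not code from the original thread or from XenForo's own source) that ties the three points of the reply together, here is a controller that guards every action in preDispatchController, filters form input before handing it to an entity, uses placeholder parameters for a hand-written query, and reads third-party credentials from config.php. The add-on namespace Demo\Secure, the Demo\Secure:Item entity, the xf_demo_secure_item table, the permission pair 'demoSecure'/'manage' and the config key demoSecureApi are assumptions for illustration only.

```php
<?php
// Added example; not the poster's code or XenForo's. Names below
// (Demo\Secure, Demo\Secure:Item, xf_demo_secure_item, demoSecureApi) are hypothetical.

namespace Demo\Secure\Pub\Controller;

use XF\Mvc\ParameterBag;
use XF\Pub\Controller\AbstractController;

class Item extends AbstractController
{
    // Runs before every action in this controller, so no action can be
    // reached without the permission check.
    protected function preDispatchController($action, ParameterBag $params)
    {
        if (!\XF::visitor()->hasPermission('demoSecure', 'manage'))
        {
            throw $this->exception($this->noPermission());
        }
    }

    // Target of an <xf:form action="{{ link('demo-items/save') }}"> in the template.
    // <xf:form> emits the CSRF token and the controller verifies it on POST.
    public function actionSave(ParameterBag $params)
    {
        $this->assertPostOnly();

        // Typed filtering: each value is coerced to the declared type, so
        // nothing reaches the entity unchecked.
        $input = $this->filter([
            'title'   => 'str',
            'body'    => 'str',
            'is_live' => 'bool',
        ]);

        /** @var \Demo\Secure\Entity\Item $item */
        $item = $this->em()->create('Demo\Secure:Item');
        $item->bulkSet($input);
        $item->user_id = \XF::visitor()->user_id;

        // Let the entity's own validation (required fields, max lengths) run
        // before committing; surface its errors instead of saving bad data.
        $item->preSave();
        if ($item->hasErrors())
        {
            return $this->error($item->getErrors());
        }

        // Entity save goes through the DBAL: values are escaped for you.
        $item->save();

        return $this->redirect($this->buildLink('demo-items', $item));
    }

    // A hand-written query for something the finder cannot express.
    // Variable values go in as placeholders; never interpolate them into the SQL.
    public function actionCount()
    {
        $userId = $this->filter('user_id', 'uint');
        $since  = $this->filter('since', 'datetime');

        $count = \XF::db()->fetchOne(
            'SELECT COUNT(*) FROM xf_demo_secure_item WHERE user_id = ? AND post_date >= ?',
            [$userId, $since]
        );

        return $this->view('Demo\Secure:Item\Count', 'demo_secure_item_count', ['count' => $count]);
    }

    // Credentials for the sensitive third-party call live in src/config.php:
    //   $config['demoSecureApi'] = ['key' => '...', 'secret' => '...'];
    // config.php is never shown in the admin control panel, unlike options.
    // Keep the returned array inside server-side code; never pass it to a view.
    protected function apiCredentials(): array
    {
        $creds = \XF::config('demoSecureApi');
        if (!is_array($creds) || empty($creds['key']) || empty($creds['secret']))
        {
            throw new \LogicException('demoSecureApi is not configured in config.php');
        }
        return $creds;
    }
}
```

Because preDispatchController runs for every action, the per-action hasPermission boilerplate from the first post disappears, and a new action added later is gated by default rather than by remembering to add the check.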
 