mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-03-28 19:42:56 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'MDL-67818-check-api' of https://github.com/brendanheywood/moodle

Browse Source
This commit is contained in:
Andrew Nicols 2020-04-06 11:23:39 +08:00
commit 924d50a3b8
46 changed files with 2941 additions and 1067 deletions

70
auth/none/classes/check/noauth.php Normal file

@ -0,0 +1,70 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies unsupported noauth setting
*
* @package auth_none
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace auth_none\check;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Verifies unsupported noauth setting
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class noauth extends \core\check\check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'noauth';
$this->name = get_string('check_noauth_name', 'auth_none');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=manageauths'),
get_string('authsettings', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
if (is_enabled_auth('none')) {
$status = result::ERROR;
$summary = get_string('check_noauth_error', 'auth_none');
} else {
$status = result::OK;
$summary = get_string('check_noauth_ok', 'auth_none');
}
$details = get_string('check_noauth_details', 'auth_none');
return new result($status, $summary, $details);
}
}

4
auth/none/lang/en/auth_none.php

@ -25,3 +25,7 @@
$string['auth_nonedescription'] = 'Users can sign in and create valid accounts immediately, with no authentication against an external server and no confirmation via email. Be careful using this option - think of the security and administration problems this could cause.';
$string['pluginname'] = 'No authentication';
$string['privacy:metadata'] = 'The No authentication plugin does not store any personal data.';
$string['check_noauth_details'] = '<p>The <em>No authentication</em> plugin is not intended for production sites. Please disable it unless this is a development test site.</p>';
$string['check_noauth_error'] = 'The No authentication plugin cannot be used on production sites.';
$string['check_noauth_name'] = 'No authentication';
$string['check_noauth_ok'] = 'The no authentication plugin is disabled.';

36
auth/none/lib.php Normal file

@ -0,0 +1,36 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Anybody can login with any password.
*
* @package auth_none
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die();
/**
* Add security check to make sure this isn't on in production.
*
* @return array check
*/
function auth_none_security_checks() {
return [new auth_none\check\noauth()];
}

2
auth/none/version.php

@ -24,6 +24,6 @@
defined('MOODLE_INTERNAL') || die();
$plugin->version = 2019111800; // The current plugin version (Date: YYYYMMDDXX)
$plugin->version = 2019111801; // The current plugin version (Date: YYYYMMDDXX)
$plugin->requires = 2019111200; // Requires this Moodle version
$plugin->component = 'auth_none'; // Full name of the plugin (used for diagnostics)

7
lang/en/moodle.php

@ -999,6 +999,7 @@ $string['changedpassword'] = 'Changed password';
$string['changepassword'] = 'Change password';
$string['changessaved'] = 'Changes saved';
$string['check'] = 'Check';
$string['checks'] = 'Checks';
$string['checkall'] = 'Check all';
$string['checkingbackup'] = 'Checking backup';
$string['checkingcourse'] = 'Checking course';
@ -1987,6 +1988,12 @@ $string['statsuserreads'] = 'Views';
$string['statsuserwrites'] = 'Posts';
$string['statswrites'] = 'Posts';
$string['status'] = 'Status';
$string['statuscritical'] = 'Critical';
$string['statusinfo'] = 'Info';
$string['statusna'] = 'N/A';
$string['statusok'] = 'OK';
$string['statuserror'] = 'Error';
$string['statuswarning'] = 'Warning';
$string['stringsnotset'] = 'The following strings are not defined in {$a}';
$string['studentnotallowed'] = 'Sorry, but you can not enter this course as \'{$a}\'';
$string['students'] = 'Students';

102
lib/classes/check/access/defaultuserrole.php Normal file

@ -0,0 +1,102 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sanity of default user role.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sanity of default user role.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class defaultuserrole extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'defaultuserrole';
$this->name = get_string('check_defaultuserrole_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/roles/define.php?action=view&roleid=' . $CFG->defaultuserroleid),
get_string('userpolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
$details = '';
if (!$defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid])) {
$status = result::WARNING;
$summary = get_string('check_defaultuserrole_notset', 'report_security');
return new result($status, $summary, $details);
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $defaultrole->id,
]);
// It may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly.
if ($defaultrole->archetype === '' or $defaultrole->archetype === 'user') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_defaultuserrole_error', 'report_security', role_get_name($defaultrole));
} else {
$status = result::OK;
$summary = get_string('check_defaultuserrole_ok', 'report_security');
}
$details = get_string('check_defaultuserrole_details', 'report_security');
return new result($status, $summary, $details);
}
}

102
lib/classes/check/access/frontpagerole.php Normal file

@ -0,0 +1,102 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sanity of frontpage role
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sanity of frontpage role
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class frontpagerole extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'frontpagerole';
$this->name = get_string('check_frontpagerole_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=frontpagesettings#admin-defaultfrontpageroleid'),
get_string('frontpagesettings', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
if (!$frontpagerole = $DB->get_record('role', array('id' => $CFG->defaultfrontpageroleid))) {
$status = result::INFO;
$summary = get_string('check_frontpagerole_notset', 'report_security');
$details = get_string('check_frontpagerole_details', 'report_security');
return new result($status, $summary, $details);
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $frontpagerole->id,
]);
// There is no legacy role type for frontpage yet - anyway we can not allow teachers or admins there!
if ($frontpagerole->archetype === 'teacher' or $frontpagerole->archetype === 'editingteacher'
or $frontpagerole->archetype === 'coursecreator' or $frontpagerole->archetype === 'manager') {
$legacyok = false;
} else {
$legacyok = true;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_frontpagerole_error', 'report_security', role_get_name($frontpagerole));
} else {
$status = result::OK;
$summary = get_string('check_frontpagerole_ok', 'report_security');
}
$details = get_string('check_frontpagerole_details', 'report_security');
return new result($status, $summary, $details);
}
}

101
lib/classes/check/access/guestrole.php Normal file

@ -0,0 +1,101 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sanity of guest role
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sanity of guest role
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class guestrole extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'guestrole';
$this->name = get_string('check_guestrole_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=userpolicies'),
get_string('userpolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
if (!$guestrole = $DB->get_record('role', ['id' => $CFG->guestroleid])) {
$status = result::WARNING;
$summary = get_string('check_guestrole_notset', 'report_security');
return new result($status, $summary);
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $guestrole->id,
]);
// It may have either no or 'guest' archetype - nothing else, or else it would break during upgrades badly.
if ($guestrole->archetype === '' or $guestrole->archetype === 'guest') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_guestrole_error', 'report_security', format_string($guestrole->name));
} else {
$status = result::OK;
$summary = get_string('check_guestrole_ok', 'report_security');
}
$details = get_string('check_guestrole_details', 'report_security');
return new result($status, $summary, $details);
}
}

81
lib/classes/check/access/riskadmin.php Normal file

@ -0,0 +1,81 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all admins.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Lists all admins.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskadmin extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'riskadmin';
$this->name = get_string('check_riskadmin_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/roles/admins.php'),
get_string('siteadministrators', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
$userfields = \user_picture::fields('u');
$sql = "SELECT $userfields
FROM {user} u
WHERE u.id IN ($CFG->siteadmins)";
$admins = $DB->get_records_sql($sql);
$admincount = count($admins);
foreach ($admins as $uid => $user) {
$url = "$CFG->wwwroot/user/view.php?id=$user->id";
$link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
$admins[$uid] = \html_writer::tag('li' , $link);
}
$admins = \html_writer::tag('ul', implode('', $admins));
$status = result::INFO;
$summary = get_string('check_riskadmin_ok', 'report_security', $admincount);
$details = get_string('check_riskadmin_detailsok', 'report_security', $admins);
return new result($status, $summary, $details);
}
}

61
lib/classes/check/access/riskbackup.php Normal file

@ -0,0 +1,61 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Abstract class for common properties of scheduled_task and adhoc_task.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Lists all roles that have the ability to backup user data, as well as users
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskbackup extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'riskbackup';
$this->name = get_string('check_riskbackup_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/roles/manage.php'),
get_string('manageroles', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
return new riskbackup_result();
}
}

196
lib/classes/check/access/riskbackup_result.php Normal file

@ -0,0 +1,196 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskbackup_result extends \core\check\result {
/**
* Constructor
*/
public function __construct() {
global $DB;
$syscontext = \context_system::instance();
$params = array('capability' => 'moodle/backup:userinfo', 'permission' => CAP_ALLOW, 'contextid' => $syscontext->id);
$sql = "SELECT DISTINCT r.id, r.name, r.shortname, r.sortorder, r.archetype
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid = :contextid
AND rc.permission = :permission";
$this->systemroles = $DB->get_records_sql($sql, $params);
$params = array('capability' => 'moodle/backup:userinfo', 'permission' => CAP_ALLOW, 'contextid' => $syscontext->id);
$sql = "SELECT DISTINCT r.id, r.name, r.shortname, r.sortorder, r.archetype, rc.contextid
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid <> :contextid
AND rc.permission = :permission";
$this->overriddenroles = $DB->get_records_sql($sql, $params);
// List of users that are able to backup personal info
// note:
// "sc" is context where is role assigned,
// "c" is context where is role overridden or system context if in role definition.
$params = [
'capability' => 'moodle/backup:userinfo',
'permission' => CAP_ALLOW,
'context1' => CONTEXT_COURSE,
'context2' => CONTEXT_COURSE,
];
$this->sqluserinfo = "
FROM (SELECT DISTINCT rcx.contextid,
rcx.roleid
FROM {role_capabilities} rcx
WHERE rcx.permission = :permission
AND rcx.capability = :capability) rc
JOIN {context} c ON c.id = rc.contextid
JOIN {context} sc ON sc.contextlevel <= :context1
JOIN {role_assignments} ra ON ra.contextid = sc.id AND ra.roleid = rc.roleid
JOIN {user} u ON u.id = ra.userid AND u.deleted = 0
WHERE (sc.path = c.path OR
sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
AND c.contextlevel <= :context2";
$usercount = $DB->count_records_sql("SELECT COUNT('x') FROM (SELECT DISTINCT u.id $this->sqluserinfo) userinfo", $params);
$systemrolecount = empty($this->systemroles) ? 0 : count($this->systemroles);
$overriddenrolecount = empty($this->overriddenroles) ? 0 : count($this->overriddenroles);
if (max($usercount, $systemrolecount, $overriddenrolecount) > 0) {
$this->status = result::WARNING;
} else {
$this->status = result::OK;
}
$a = (object)array(
'rolecount' => $systemrolecount,
'overridecount' => $overriddenrolecount,
'usercount' => $usercount,
);
$this->summary = get_string('check_riskbackup_warning', 'report_security', $a);
}
/**
* Showing the full list of roles may be slow so defer it
*
* @return string
*/
public function get_details(): string {
global $CFG, $DB;
$details = '';
// Make a list of roles.
if ($this->systemroles) {
$links = array();
foreach ($this->systemroles as $role) {
$role->name = role_get_name($role);
$role->url = (new \moodle_url('/admin/roles/manage.php', ['action' => 'edit', 'roleid' => $role->id]))->out();
$links[] = \html_writer::tag('li', get_string('check_riskbackup_editrole', 'report_security', $role));
}
$links = \html_writer::tag('ul', implode('', $links));
$details .= get_string('check_riskbackup_details_systemroles', 'report_security', $links);
}
// Make a list of overrides to roles.
$rolelinks2 = array();
if ($this->overriddenroles) {
$links = array();
foreach ($this->overriddenroles as $role) {
$role->name = $role->localname;
$context = context::instance_by_id($role->contextid);
$role->name = role_get_name($role, $context, ROLENAME_BOTH);
$role->contextname = $context->get_context_name();
$role->url = (new \moodle_url('/admin/roles/override.php',
['contextid' => $role->contextid, 'roleid' => $role->id]))->out();
$links[] = \html_writer::tag('li', get_string('check_riskbackup_editoverride', 'report_security', $role));
}
$links = \html_writer::tag('ul', implode('', $links));
$details .= get_string('check_riskbackup_details_overriddenroles', 'report_security', $links);
}
// Get a list of affected users as well.
$users = array();
list($sort, $sortparams) = users_order_by_sql('u');
$params = [
'capability' => 'moodle/backup:userinfo',
'permission' => CAP_ALLOW,
'context1' => CONTEXT_COURSE,
'context2' => CONTEXT_COURSE,
];
$userfields = \user_picture::fields('u');
$rs = $DB->get_recordset_sql("
SELECT DISTINCT $userfields,
ra.contextid,
ra.roleid
$this->sqluserinfo
ORDER BY $sort", array_merge($params, $sortparams));
foreach ($rs as $user) {
$context = \context::instance_by_id($user->contextid);
$url = new \moodle_url('/admin/roles/assign.php', ['contextid' => $user->contextid, 'roleid' => $user->roleid]);
$a = (object)array(
'fullname' => fullname($user),
'url' => $url->out(),
'email' => s($user->email),
'contextname' => $context->get_context_name(),
);
$users[] = \html_writer::tag('li', get_string('check_riskbackup_unassign', 'report_security', $a));
}
$rs->close();
if (!empty($users)) {
$users = \html_writer::tag('ul', implode('', $users));
$details .= get_string('check_riskbackup_details_users', 'report_security', $users);
}
return $details;
}
}

68
lib/classes/check/access/riskxss.php Normal file

@ -0,0 +1,68 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskxss extends \core\check\check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'riskxss';
$this->name = get_string('check_riskxss_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/roles/manage.php'),
get_string('manageroles', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
return new riskxss_result();
}
}

105
lib/classes/check/access/riskxss_result.php Normal file

@ -0,0 +1,105 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskxss_result extends \core\check\result {
/**
* Constructor
*/
public function __construct() {
global $DB;
$this->params = array('capallow' => CAP_ALLOW);
$this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
FROM {role_capabilities} rcx
JOIN {capabilities} cap ON (cap.name = rcx.capability AND
" . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0)
WHERE rcx.permission = :capallow) rc,
{context} c,
{context} sc,
{role_assignments} ra,
{user} u
WHERE c.id = rc.contextid
AND (sc.path = c.path OR
sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
AND u.id = ra.userid AND u.deleted = 0
AND ra.contextid = sc.id
AND ra.roleid = rc.roleid";
$count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params);
if ($count == 0) {
$this->status = result::OK;
} else {
$this->status = result::WARNING;
}
$this->summary = get_string('check_riskxss_warning', 'report_security', $count);
}
/**
* Showing the full list of user may be slow so defer it
*
* @return string
*/
public function get_details(): string {
global $CFG, $DB;
$userfields = \user_picture::fields('u');
$users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params);
foreach ($users as $uid => $user) {
$url = "$CFG->wwwroot/user/view.php?id=$user->id";
$link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
$users[$uid] = \html_writer::tag('li' , $link);
}
$users = \html_writer::tag('ul', implode('', $users));
return get_string('check_riskxss_details', 'report_security', $users);
}
}

126
lib/classes/check/check.php Normal file

@ -0,0 +1,126 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Base class for checks
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check;
defined('MOODLE_INTERNAL') || die();
/**
* Base class for checks
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
abstract class check {
/**
* @var $string $component - The component / plugin this task belongs to.
*
* This is autopopulated by the check manager.
*/
protected $component = 'core';
/**
* @var string $id - Should be unique identifier within a component.
*/
protected $id = '';
/**
* @var string $name - Name for the check, should be the same regardless of state.
*/
protected $name = '';
/**
* @var action_link - an optional link to a place to address the check.
*/
protected $actionlink = null;
/**
* Get the frankenstyle component name
*
* @return string
*/
public function get_component(): string {
return $this->component;
}
/**
* Get the frankenstyle component name
*
* @param string $component name
*/
public function set_component(string $component) {
$this->component = $component;
}
/**
* Get the check's id
*
* @return string must be unique for it's component
*/
public function get_id(): string {
return $this->id;
}
/**
* Get the check reference
*
* @return string must be globally unique
*/
public function get_ref(): string {
$ref = $this->get_component();
if (!empty($ref)) {
$ref .= '_';
}
$ref .= $this->get_id();
return $ref;
}
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return $this->name;
}
/**
* A link to a place to action this
*
* @return action_link|null
*/
public function get_action_link(): ?\action_link {
return $this->actionlink;
}
/**
* Return the result
*
* @return result object
*/
abstract public function get_result(): result;
}

70
lib/classes/check/environment/configrw.php Normal file

@ -0,0 +1,70 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies config.php is not writable anymore after installation
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies config.php is not writable anymore after installation
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class configrw extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'configrw';
$this->name = get_string('check_configrw_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_configrw_details', 'report_security');
if (is_writable($CFG->dirroot . '/config.php')) {
$status = result::WARNING;
$summary = get_string('check_configrw_warning', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_configrw_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

75
lib/classes/check/environment/displayerrors.php Normal file

@ -0,0 +1,75 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies displaying of errors
*
* Problem for lib files and 3rd party code because we can not disable debugging
* in these scripts (they do not include config.php)
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
use core\check\check;
/**
* Verifies displaying of errors
*
* Problem for lib files and 3rd party code because we can not disable debugging
* in these scripts (they do not include config.php)
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class displayerrors extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'displayerrors';
$this->name = get_string('check_displayerrors_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
$details = get_string('check_displayerrors_details', 'report_security');
if (defined('WARN_DISPLAY_ERRORS_ENABLED')) {
$status = result::WARNING;
$summary = get_string('check_displayerrors_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_displayerrors_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

69
lib/classes/check/environment/nodemodules.php Normal file

@ -0,0 +1,69 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Check the presence of the node_modules directory.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Check the presence of the node_modules directory.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class nodemodules extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'nodemodules';
$this->name = get_string('check_nodemodules_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$summary = get_string('check_nodemodules_info', 'report_security');
$details = get_string('check_nodemodules_details', 'report_security', ['path' => $CFG->dirroot . '/node_modules']);
if (is_dir($CFG->dirroot . '/node_modules')) {
$status = result::WARNING;
} else {
$status = result::OK;
}
return new result($status, $summary, $details);
}
}

70
lib/classes/check/environment/preventexecpath.php Normal file

@ -0,0 +1,70 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies the status of preventexecpath
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies the status of preventexecpath
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class preventexecpath extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'preventexecpath';
$this->name = get_string('check_preventexecpath_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_preventexecpath_details', 'report_security');
if (empty($CFG->preventexecpath)) {
$status = result::WARNING;
$summary = get_string('check_preventexecpath_warning', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_preventexecpath_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

82
lib/classes/check/environment/unsecuredataroot.php Normal file

@ -0,0 +1,82 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies fatal misconfiguration of dataroot
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Verifies fatal misconfiguration of dataroot
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class unsecuredataroot extends \core\check\check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'unsecuredataroot';
$this->name = get_string('check_unsecuredataroot_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
require_once($CFG->libdir.'/adminlib.php');
$details = get_string('check_unsecuredataroot_details', 'report_security');
$insecuredataroot = is_dataroot_insecure(true);
if ($insecuredataroot == INSECURE_DATAROOT_WARNING) {
$status = result::ERROR;
$summary = get_string('check_unsecuredataroot_warning', 'report_security', $CFG->dataroot);
} else if ($insecuredataroot == INSECURE_DATAROOT_ERROR) {
$status = result::CRITICAL;
$summary = get_string('check_unsecuredataroot_error', 'report_security', $CFG->dataroot);
} else {
$status = result::OK;
$summary = get_string('check_unsecuredataroot_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

69
lib/classes/check/environment/vendordir.php Normal file

@ -0,0 +1,69 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Check the presence of the vendor directory.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\environment;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Check the presence of the vendor directory.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class vendordir extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'vendordir';
$this->name = get_string('check_vendordir_name', 'report_security');
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_vendordir_details', 'report_security', ['path' => $CFG->dirroot.'/vendor']);
$summary = get_string('check_vendordir_info', 'report_security');
if (is_dir($CFG->dirroot.'/vendor')) {
$status = result::WARNING;
} else {
$status = result::OK;
}
return new result($status, $summary, $details);
}
}

82
lib/classes/check/http/cookiesecure.php Normal file

@ -0,0 +1,82 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies if https enabled only secure cookies allowed
*
* This prevents redirections and sending of cookies to unsecure port.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\http;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies if https enabled only secure cookies allowed
*
* This prevents redirections and sending of cookies to unsecure port.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class cookiesecure extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'cookiesecure';
$this->name = get_string('check_cookiesecure_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=httpsecurity#admin-cookiesecure'),
get_string('httpsecurity', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_cookiesecure_details', 'report_security');
if (!is_https()) {
$status = result::WARNING;
$summary = get_string('check_cookiesecure_http', 'report_security');
return new result($status, $summary, $details);
}
if (!is_moodle_cookie_secure()) {
$status = result::ERROR;
$summary = get_string('check_cookiesecure_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_cookiesecure_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

103
lib/classes/check/manager.php Normal file

@ -0,0 +1,103 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Check API manager
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check;
defined('MOODLE_INTERNAL') || die();
/**
* Check API manager
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class manager {
/**
* The list of valid check types
*/
public const TYPES = ['security'];
/**
* Return all status checks
*
* @param string $type of checks to fetch
* @return array of check objects
*/
public static function get_checks(string $type): array {
if (!in_array($type, self::TYPES)) {
throw new \moodle_exception("Invalid check type '$type'");
}
$method = 'get_' . $type . '_checks';
$checks = self::$method();
return $checks;
}
/**
* Return all security checks
*
* @return array of check objects
*/
public static function get_security_checks(): array {
$checks = [
new environment\displayerrors(),
new environment\unsecuredataroot(),
new environment\vendordir(),
new environment\nodemodules(),
new environment\configrw(),
new environment\preventexecpath(),
new security\mediafilterswf(),
new security\embed(),
new security\openprofiles(),
new security\crawlers(),
new security\passwordpolicy(),
new security\emailchangeconfirmation(),
new security\webcron(),
new http\cookiesecure(),
new access\riskadmin(),
new access\riskxss(),
new access\riskbackup(),
new access\defaultuserrole(),
new access\guestrole(),
new access\frontpagerole(),
];
// Any plugin can add security checks to this report by implementing a callback
// <component>_security_checks() which returns a check object.
$morechecks = get_plugins_with_function('security_checks', 'lib.php');
foreach ($morechecks as $plugintype => $plugins) {
foreach ($plugins as $plugin => $pluginfunction) {
$result = $pluginfunction();
foreach ($result as $check) {
$check->set_component($plugintype . '_' . $plugin);
$checks[] = $check;
}
}
}
return $checks;
}
}

192
lib/classes/check/result.php Normal file

@ -0,0 +1,192 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* A check result class
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check;
defined('MOODLE_INTERNAL') || die();
/**
* A check object returns a result object
*
* Most checks can use this an instance of this directly but if you have a
* 'details' which is computationally expensive then extend this and overide
* the get_details() method so that it is only called when it will be needed.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class result implements \renderable {
/**
* This is used to notify if a check does not apply.
*
* In most cases if a check doesn't apply a check object shouldn't be made.
* This state exists for when you always want visibilty of the check itself.
* Can be useful for a check which depends on another check and it helps
* focus on the other check which matters more.
*/
const NA = 'na';
/**
* Ideally all checks should be ok.
*/
const OK = 'ok';
/**
* This is used to show info for a check.
*
* This is equivalent to OK but could be used for alerting to potential
* future warnings such as a deprecation in a service.
*/
const INFO = 'info';
/**
* This means we could not determine the state.
*
* An example might be an expensive check done via cron, and it has never run.
* It would be prudent to consider an unknown check as a warning or error.
*/
const UNKNOWN = 'unknown';
/**
* Warnings
*
* Something is not ideal and should be addressed, eg usability or the
* speed of the site may be affected, but it may self heal (eg a load spike)
*/
const WARNING = 'warning';
/**
* This is used to notify if a check failed.
*
* Something is wrong with a component and a feature is not working.
*/
const ERROR = 'error';
/**
* This is used to notify if a check is a major critical issue.
*
* An error which is affecting everyone in a major way.
*/
const CRITICAL = 'critical';
/**
* @var string $state - state
*/
protected $state = self::UNKNOWN;
/**
* @var string summary - should be roughly 1 line of plain text and may change depending on the state.
*/
protected $summary = '';
/**
* @var string details about check.
*
* This may be a large amount of preformatted html text, possibly describing all the
* different states and actions to address them.
*/
protected $details = '';
/**
* Get the check reference label
*
* @return string must be globally unique
*/
public function get_ref(): string {
$ref = $this->get_component();
if (!empty($ref)) {
$ref .= '_';
}
$ref .= $this->get_id();
return $ref;
}
/**
* Constructor
*
* @param int $status code
* @param string $summary a 1 liner summary
* @param string $details as a html chunk
*/
public function __construct($status, $summary, $details = '') {
$this->status = $status;
$this->summary = $summary;
$this->details = $details;
}
/**
* Get the check status
*
* @return string one of the consts eg result::OK
*/
public function get_status(): string {
return $this->status;
}
/**
* Summary of the check
* @return string formatted html
*/
public function get_summary(): string {
return $this->summary;
}
/**
* Get the check detailed info
* @return string formatted html
*/
public function get_details(): string {
return $this->details;
}
/**
* Export this data so it can be used as the context for a mustache template.
*
* @param renderer_base $output typically, the renderer that's calling this function
* @return stdClass data context for a mustache template
*/
public function export_for_template(\renderer_base $output) {
return array(
'status' => clean_text(get_string('status' . $this->status)),
'isna' => $this->status === self::NA,
'isok' => $this->status === self::OK,
'isinfo' => $this->status === self::INFO,
'isunknown' => $this->status === self::UNKNOWN,
'iswarning' => $this->status === self::WARNING,
'iserror' => $this->status === self::ERROR,
'iscritical' => $this->status === self::CRITICAL,
);
}
/**
* Which mustache template?
*
* @return string path to mustache template
*/
public function get_template_name(): string {
return 'core/check/result';
}
}

81
lib/classes/check/security/crawlers.php Normal file

@ -0,0 +1,81 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies web crawler (search engine) access
*
* Not combined with disabled guest access because attackers might gain guest
* access by modifying browser signature.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies web crawler (search engine) access
*
* Not combined with disabled guest access because attackers might gain guest
* access by modifying browser signature.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class crawlers extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'crawlers';
$this->name = get_string('check_crawlers_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-opentowebcrawlers'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_crawlers_details', 'report_security');
if (empty($CFG->opentowebcrawlers)) {
$status = result::OK;
$summary = get_string('check_crawlers_ok', 'report_security');
} else if (!empty($CFG->guestloginbutton)) {
$status = result::INFO;
$summary = get_string('check_crawlers_info', 'report_security');
} else {
$status = result::ERROR;
$summary = get_string('check_crawlers_error', 'report_security');
}
return new result($status, $summary, $details);
}
}

77
lib/classes/check/security/emailchangeconfirmation.php Normal file

@ -0,0 +1,77 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies email confirmation - spammers were changing mails very often
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies email confirmation - spammers were changing mails very often
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class emailchangeconfirmation extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'emailchangeconfirmation';
$this->name = get_string('check_emailchangeconfirmation_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-emailchangeconfirmation'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_emailchangeconfirmation_details', 'report_security');
if (empty($CFG->emailchangeconfirmation)) {
if (empty($CFG->allowemailaddresses)) {
$status = result::WARNING;
$summary = get_string('check_emailchangeconfirmation_error', 'report_security');
} else {
$status = result::INFO;
$summary = get_string('check_emailchangeconfirmation_info', 'report_security');
}
} else {
$status = result::OK;
$summary = get_string('check_emailchangeconfirmation_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

71
lib/classes/check/security/embed.php Normal file

@ -0,0 +1,71 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sloppy embedding - this should have been removed long ago!!
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sloppy embedding - this should have been removed long ago!!
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class embed extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'embed';
$this->name = get_string('check_embed_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-allowobjectembed'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_embed_details', 'report_security');
if (!empty($CFG->allowobjectembed)) {
$status = result::ERROR;
$summary = get_string('check_embed_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_embed_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

75
lib/classes/check/security/mediafilterswf.php Normal file

@ -0,0 +1,75 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sloppy swf embedding - this should have been removed long ago!!
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sloppy swf embedding - this should have been removed long ago!!
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class mediafilterswf extends check {
/**
* Constructor
*/
public function __construct() {
global $CFG;
$this->id = 'mediafilterswf';
$this->name = get_string('check_mediafilterswf_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=managemediaplayers'),
get_string('managemediaplayers', 'media'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
$details = get_string('check_mediafilterswf_details', 'report_security');
$activefilters = filter_get_globally_enabled();
$enabledmediaplayers = \core\plugininfo\media::get_enabled_plugins();
if (array_search('mediaplugin', $activefilters) !== false and array_key_exists('swf', $enabledmediaplayers)) {
$status = result::CRITICAL;
$summary = get_string('check_mediafilterswf_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_mediafilterswf_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

72
lib/classes/check/security/openprofiles.php Normal file

@ -0,0 +1,72 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies open profiles - originally open by default, not anymore because spammer abused it a lot
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies open profiles - originally open by default, not anymore because spammer abused it a lot
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class openprofiles extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'openprofiles';
$this->name = get_string('check_openprofiles_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-forcelogin'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_openprofiles_details', 'report_security');
if (empty($CFG->forcelogin) and empty($CFG->forceloginforprofiles)) {
$status = result::WARNING;
$summary = get_string('check_openprofiles_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_openprofiles_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

71
lib/classes/check/security/passwordpolicy.php Normal file

@ -0,0 +1,71 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies if password policy set
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies if password policy set
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class passwordpolicy extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'passwordpolicy';
$this->name = get_string('check_passwordpolicy_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-passwordpolicy'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$details = get_string('check_passwordpolicy_details', 'report_security');
if (empty($CFG->passwordpolicy)) {
$status = result::WARNING;
$summary = get_string('check_passwordpolicy_error', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_passwordpolicy_ok', 'report_security');
}
return new result($status, $summary, $details);
}
}

75
lib/classes/check/security/webcron.php Normal file

@ -0,0 +1,75 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies the status of web cron
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\security;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies the status of web cron
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class webcron extends check {
/**
* Constructor
*/
public function __construct() {
$this->id = 'webcron';
$this->name = get_string('check_webcron_name', 'report_security');
$this->actionlink = new \action_link(
new \moodle_url('/admin/settings.php?section=sitepolicies#admin-cronclionly'),
get_string('sitepolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $CFG;
$croncli = $CFG->cronclionly;
$cronremotepassword = $CFG->cronremotepassword;
if (empty($croncli) && empty($cronremotepassword)) {
$status = result::WARNING;
$summary = get_string('check_webcron_warning', 'report_security');
} else {
$status = result::OK;
$summary = get_string('check_webcron_ok', 'report_security');
}
$details = get_string('check_webcron_details', 'report_security');
return new result($status, $summary, $details);
}
}

20
lib/outputrenderers.php

@ -1689,6 +1689,26 @@ class core_renderer extends renderer_base {
return $this->render_from_template('core/action_menu', $context);
}
/**
* Renders a Check API result
*
* @param result $result
* @return string HTML fragment
*/
protected function render_result(core\check\result $result) {
return $this->render_from_template($result->get_template_name(), $result->export_for_template($this));
}
/**
* Renders a Check API result
*
* @param result $result
* @return string HTML fragment
*/
public function result(core\check\result $result) {
return $this->render_result($result);
}
/**
* Renders an action_menu_link item.
*

57
lib/templates/check/result.mustache Normal file

@ -0,0 +1,57 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/result
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
{{#isna}}
{{> core/check/result/na}}
{{/isna}}
{{#isok}}
{{> core/check/result/ok}}
{{/isok}}
{{#isinfo}}
{{> core/check/result/info}}
{{/isinfo}}
{{#isunknown}}
{{> core/check/result/unknown}}
{{/isunknown}}
{{#iswarning}}
{{> core/check/result/warning}}
{{/iswarning}}
{{#iserror}}
{{> core/check/result/error}}
{{/iserror}}
{{#iscritical}}
{{> core/check/result/critical}}
{{/iscritical}}

36
lib/templates/check/result/critical.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/critical
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-danger">{{status}}</span>

36
lib/templates/check/result/error.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/critical
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-danger">{{status}}</span>

36
lib/templates/check/result/info.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/info
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-info">{{status}}</span>

36
lib/templates/check/result/na.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/na
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-secondary">{{status}}</span>

36
lib/templates/check/result/ok.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/ok
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-success">{{status}}</span>

36
lib/templates/check/result/unknown.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/unknown
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-success">{{status}}</span>

36
lib/templates/check/result/warning.mustache Normal file

@ -0,0 +1,36 @@
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template core/check/result/warning
Moodle Check API result template.
The purpose of this template is to render result.
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* status eg Ok, Warning
Example context (json):
{ "status": "OK"}
}}
<span class="badge badge-warning">{{status}}</span>

64
lib/tests/check_test.php Normal file

@ -0,0 +1,64 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Check API unit tests
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Example unit tests for check API
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class check_testcase extends advanced_testcase {
/**
* A simple example showing how a check and result object works
*
* Conceptually a check is analgous to a unit test except at runtime
* instead of build time so many checks in real life such as testing
* an API is connecting aren't viable to unit test.
*/
public function test_passwordpolicy() {
global $CFG;
$prior = $CFG->passwordpolicy;
$check = new core\check\security\passwordpolicy();
$CFG->passwordpolicy = false;
$result = $check->get_result();
$this->assertEquals($result->status, result::WARNING);
$CFG->passwordpolicy = true;
$result = $check->get_result();
$this->assertEquals($result->status, result::OK);
$CFG->passwordpolicy = $prior;
}
}

75
report/security/classes/event/report_viewed.php Normal file

@ -0,0 +1,75 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* The report_security report viewed event.
*
* @package report_security
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace report_security\event;
defined('MOODLE_INTERNAL') || die();
/**
* The report_loglive report viewed event class.
*
* @package report_security
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class report_viewed extends \core\event\base {
/**
* Init method.
*
* @return void
*/
protected function init() {
$this->data['crud'] = 'r';
$this->data['edulevel'] = self::LEVEL_OTHER;
}
/**
* Return localised event name.
*
* @return string
*/
public static function get_name() {
return get_string('eventreportviewed', 'report_security');
}
/**
* Returns description of what happened.
*
* @return string
*/
public function get_description() {
return "The user with id '$this->userid' viewed the security check report.";
}
/**
* Returns relevant URL.
*
* @return \moodle_url
*/
public function get_url() {
return new \moodle_url('/report/security/index.php');
}
}

141
report/security/index.php

@ -17,8 +17,7 @@
/**
* Security overview report
*
* @package report
* @subpackage security
* @package report_security
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
@ -26,101 +25,89 @@
define('NO_OUTPUT_BUFFERING', true);
require('../../config.php');
require_once($CFG->dirroot.'/report/security/locallib.php');
require_once($CFG->libdir.'/adminlib.php');
use core\check\check;
use core\check\result;
$issue = optional_param('issue', '', PARAM_ALPHANUMEXT); // show detailed info about one issue only
// Print the header.
admin_externalpage_setup('reportsecurity', '', null, '', ['pagelayout' => 'report']);
$issues = report_security_get_issue_list();
// test if issue valid string
if (array_search($issue, $issues, true) === false) {
$issue = '';
}
// we may need a bit more memory and this may take a long time to process
// We may need a bit more memory and this may take a long time to process.
raise_memory_limit(MEMORY_EXTRA);
core_php_time_limit::raise();
// Print the header.
admin_externalpage_setup('reportsecurity', '', null, '', array('pagelayout'=>'report'));
echo $OUTPUT->header();
$checks = \core\check\manager::get_security_checks();
$detail = optional_param('detail', '', PARAM_TEXT); // Show detailed info about one check only.
if ($detail) {
$checks = array_filter($checks, function($check) use ($detail) {
return $detail == $check->get_ref();
});
$checks = array_values($checks);
if (!empty($checks)) {
$PAGE->set_docs_path('report/security/index.php?detail=' . $detail);
$PAGE->navbar->add($checks[0]->get_name());
}
}
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('pluginname', 'report_security'));
echo '<div id="timewarning">'.get_string('timewarning', 'report_security').'</div>';
$strok = '<span class="badge badge-success">'.get_string('statusok', 'report_security').'</span>';
$strinfo = '<span class="badge badge-info">'.get_string('statusinfo', 'report_security').'</span>';
$strwarning = '<span class="badge badge-warning">'.get_string('statuswarning', 'report_security').'</span>';
$strserious = '<span class="badge badge-danger">'.get_string('statusserious', 'report_security').'</span>';
$strcritical = '<span class="badge badge-danger">'.get_string('statuscritical', 'report_security').'</span>';
$strissue = get_string('issue', 'report_security');
$strstatus = get_string('status', 'report_security');
$strdesc = get_string('description', 'report_security');
$strconfig = get_string('configuration', 'report_security');
$statusarr = array(REPORT_SECURITY_OK => $strok,
REPORT_SECURITY_INFO => $strinfo,
REPORT_SECURITY_WARNING => $strwarning,
REPORT_SECURITY_SERIOUS => $strserious,
REPORT_SECURITY_CRITICAL => $strcritical);
echo '<div id="timewarning">' . get_string('timewarning', 'report_security') . '</div>';
$url = "$CFG->wwwroot/report/security/index.php";
if ($issue and ($result = $issue(true))) {
report_security_hide_timearning();
$PAGE->requires->js_init_code("Y.one('#timewarning').addClass('timewarninghidden')");
$table = new html_table();
$table->data = [];
$table->head = [
get_string('status'),
get_string('check'),
get_string('summary'),
get_string('action'),
];
$table->colclasses = [
'rightalign status',
'leftalign check',
'leftalign summary',
'leftalign action',
];
$table->id = 'securityreporttable';
$table->attributes = ['class' => 'admintable securityreport generaltable'];
$table = new html_table();
$table->head = array($strissue, $strstatus, $strdesc, $strconfig);
$table->rowclasses = array('leftalign issue', 'leftalign status', 'leftalign desc', 'leftalign config');
$table->attributes = array('class'=>'admintable securityreport generaltable');
$table->id = 'securityissuereporttable';
$table->data = array();
$manager = core_plugin_manager::instance();
// print detail of one issue only
$row = array();
$row[0] = report_security_doc_link($issue, $result->name);
$row[1] = $statusarr[$result->status];
$row[2] = $result->info;
$row[3] = is_null($result->link) ? '&nbsp;' : $result->link;
foreach ($checks as $check) {
$ref = $check->get_ref();
$result = $check->get_result();
$component = $check->get_component();
$actionlink = $check->get_action_link();
$PAGE->set_docs_path('report/security/' . $issue);
$link = new \moodle_url('/report/security/index.php', ['detail' => $ref]);
$row = [];
$row[] = $OUTPUT->result($result);
$row[] = $OUTPUT->action_link($link, $check->get_name());
$row[] = $result->get_summary();
if ($actionlink) {
$row[] = $OUTPUT->render($actionlink);
} else {
$row[] = '';
}
$table->data[] = $row;
}
echo html_writer::table($table);
echo html_writer::table($table);
echo $OUTPUT->box($result->details, 'generalbox boxwidthnormal boxaligncenter'); // TODO: add proper css
if ($detail && $result) {
echo $OUTPUT->heading(get_string('description'), 3);
echo $OUTPUT->box($result->get_details(), 'generalbox boxwidthnormal boxaligncenter');
echo $OUTPUT->continue_button($url);
} else {
report_security_hide_timearning();
$table = new html_table();
$table->head = array($strissue, $strstatus, $strdesc);
$table->colclasses = array('leftalign issue', 'leftalign status', 'leftalign desc');
$table->attributes = array('class'=>'admintable securityreport generaltable');
$table->id = 'securityreporttable';
$table->data = array();
foreach ($issues as $issue) {
$result = $issue(false);
if (!$result) {
// ignore this test
continue;
}
$row = array();
$row[0] = "<a href='$url?issue=$result->issue'>$result->name</a>";
$row[1] = $statusarr[$result->status];
$row[2] = $result->info;
$table->data[] = $row;
}
echo html_writer::table($table);
}
echo $OUTPUT->footer();
$event = \report_security\event\report_viewed::create(['context' => context_system::instance()]);
$event->trigger();

25
report/security/lang/en/report_security.php

@ -17,8 +17,7 @@
/**
* Lang strings
*
* @package report
* @subpackage security
* @package report_security
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
@ -26,13 +25,14 @@
$string['configuration'] = 'Configuration';
$string['description'] = 'Description';
$string['details'] = 'Details';
$string['check_configrw_details'] = '<p>It is recommended that the file permissions of config.php are changed after installation so that the file cannot be modified by the web server.
$string['check_configrw_details'] = '<p>It is recommended that the file permissions of <code>config.php</code> are changed after installation so that the file cannot be modified by the web server.
Please note that this measure does not improve security of the server significantly, though it may slow down or limit general exploits.</p>';
$string['check_configrw_name'] = 'Writable config.php';
$string['check_configrw_ok'] = 'config.php can not be modified by PHP scripts.';
$string['check_configrw_warning'] = 'PHP scripts may modify config.php.';
$string['check_cookiesecure_details'] = '<p>If https communication is enabled, it is recommended to enable sending of secure cookies. You should have permanent redirection from http to https and ideally serve HSTS headers as well.</p>';
$string['check_cookiesecure_error'] = 'Please enable secure cookies';
$string['check_cookiesecure_http'] = 'You must turn on https in order to use secure cookies';
$string['check_cookiesecure_name'] = 'Secure cookies';
$string['check_cookiesecure_ok'] = 'Secure cookies enabled.';
$string['check_defaultuserrole_details'] = '<p>All logged in users are given capabilities of the default user role. Please make sure no risky capabilities are allowed in this role.</p>
@ -76,11 +76,7 @@ $string['check_mediafilterswf_details'] = '<p>Automatic swf embedding is very da
$string['check_mediafilterswf_error'] = 'Flash media filter is enabled - this is very dangerous for the majority of servers.';
$string['check_mediafilterswf_name'] = 'Enabled .swf media filter';
$string['check_mediafilterswf_ok'] = 'Flash media filter is not enabled.';
$string['check_noauth_details'] = '<p>The <em>No authentication</em> plugin is not intended for production sites. Please disable it unless this is a development test site.</p>';
$string['check_noauth_error'] = 'The No authentication plugin cannot be used on production sites.';
$string['check_noauth_name'] = 'No authentication';
$string['check_noauth_ok'] = 'No authentication plugin is disabled.';
$string['check_nodemodules_details'] = '<p>The directory <em>{$a->path}</em> contains Node.js modules and their dependencies, typically installed by the NPM utility. These modules may be needed for local Moodle development, such as for using the grunt framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_nodemodules_details'] = '<p>The directory <code>{$a->path}</code> contains Node.js modules and their dependencies, typically installed by the NPM utility. These modules may be needed for local Moodle development, such as for using the grunt framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_nodemodules_info'] = 'The node_modules directory should not be present on public sites.';
$string['check_nodemodules_name'] = 'Node.js modules directory';
$string['check_openprofiles_details'] = 'Open user profiles can be abused by spammers. It is recommended that either <code>Force users to log in for profiles</code> or <code>Force users to log in</code> are enabled.';
@ -95,7 +91,7 @@ $string['check_passwordpolicy_ok'] = 'Password policy enabled.';
$string['check_preventexecpath_name'] = 'Executable paths';
$string['check_preventexecpath_ok'] = 'Executable paths only settable in config.php.';
$string['check_preventexecpath_warning'] = 'Executable paths can be set in the Admin GUI.';
$string['check_preventexecpath_details'] = '<p>Allowing executable paths to be set via the Admin GUI is a vector for privilege escalation.</p>';
$string['check_preventexecpath_details'] = '<p>Allowing executable paths to be set via the Admin GUI is a vector for privilege escalation. This must be forced in config.php:</p><p><code>$CFG->preventexecpath = true;<code></p>';
$string['check_riskadmin_detailsok'] = '<p>Please verify the following list of system administrators:</p>{$a}';
$string['check_riskadmin_detailswarning'] = '<p>Please verify the following list of system administrators:</p>{$a->admins}
@ -124,21 +120,16 @@ $string['check_unsecuredataroot_error'] = 'Your dataroot directory <code>{$a}</c
$string['check_unsecuredataroot_name'] = 'Insecure dataroot';
$string['check_unsecuredataroot_ok'] = 'Dataroot directory must not be accessible via the web.';
$string['check_unsecuredataroot_warning'] = 'Your dataroot directory <code>{$a}</code> is in the wrong location and might be exposed to the web.';
$string['check_vendordir_details'] = '<p>The directory <em>{$a->path}</em> contains various third-party libraries and their dependencies, typically installed by the PHP Composer. These libraries may be needed for local Moodle development, such as for installing the PHPUnit framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_vendordir_details'] = '<p>The directory <code>{$a->path}</code> contains various third-party libraries and their dependencies, typically installed by the PHP Composer. These libraries may be needed for local Moodle development, such as for installing the PHPUnit framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_vendordir_info'] = 'The vendor directory should not be present on public sites.';
$string['check_vendordir_name'] = 'Vendor directory';
$string['check_webcron_details'] = '<p>Running the cron from a web browser can expose privileged information to anonymous users. It is recommended to only run the cron from the command line or set a cron password for remote access.</p>';
$string['check_webcron_warning'] = 'Anonymous users can access cron.';
$string['check_webcron_name'] = 'Web cron';
$string['check_webcron_ok'] = 'Anonymous users can not access cron.';
$string['eventreportviewed'] = 'Viewed security check report';
$string['issue'] = 'Issue';
$string['pluginname'] = 'Security overview';
$string['pluginname'] = 'Security checks';
$string['security:view'] = 'View security report';
$string['status'] = 'Status';
$string['statuscritical'] = 'Critical';
$string['statusinfo'] = 'Information';
$string['statusok'] = 'OK';
$string['statusserious'] = 'Serious';
$string['statuswarning'] = 'Warning';
$string['timewarning'] = 'Data processing may take a long time, please be patient...';
$string['privacy:metadata'] = 'The Security overview plugin does not store any personal data.';

964
report/security/locallib.php

@ -1,964 +0,0 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lib functions
*
* @package report
* @subpackage security
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die;
define('REPORT_SECURITY_OK', 'ok');
define('REPORT_SECURITY_INFO', 'info');
define('REPORT_SECURITY_WARNING', 'warning');
define('REPORT_SECURITY_SERIOUS', 'serious');
define('REPORT_SECURITY_CRITICAL', 'critical');
function report_security_hide_timearning() {
global $PAGE;
$PAGE->requires->js_init_code("Y.one('#timewarning').addClass('timewarninghidden')");
}
function report_security_get_issue_list() {
return array(
'report_security_check_unsecuredataroot',
'report_security_check_displayerrors',
'report_security_check_vendordir',
'report_security_check_nodemodules',
'report_security_check_noauth',
'report_security_check_embed',
'report_security_check_mediafilterswf',
'report_security_check_openprofiles',
'report_security_check_crawlers',
'report_security_check_passwordpolicy',
'report_security_check_emailchangeconfirmation',
'report_security_check_cookiesecure',
'report_security_check_configrw',
'report_security_check_riskxss',
'report_security_check_riskadmin',
'report_security_check_riskbackup',
'report_security_check_defaultuserrole',
'report_security_check_guestrole',
'report_security_check_frontpagerole',
'report_security_check_webcron',
'report_security_check_preventexecpath',
);
}
function report_security_doc_link($issue, $name) {
global $CFG, $OUTPUT;
if (empty($CFG->docroot)) {
return $name;
}
return $OUTPUT->doc_link('report/security/'.$issue, $name);
}
///=============================================
/// Issue checks
///=============================================
/**
* Verifies unsupported noauth setting
* @param bool $detailed
* @return object result
*/
function report_security_check_noauth($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_noauth';
$result->name = get_string('check_noauth_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=manageauths\">".get_string('authsettings', 'admin').'</a>';
if (is_enabled_auth('none')) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_noauth_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_noauth_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_noauth_details', 'report_security');
}
return $result;
}
/**
* Verifies if password policy set
* @param bool $detailed
* @return object result
*/
function report_security_check_passwordpolicy($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_passwordpolicy';
$result->name = get_string('check_passwordpolicy_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">".get_string('sitepolicies', 'admin').'</a>';
if (empty($CFG->passwordpolicy)) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_passwordpolicy_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_passwordpolicy_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_passwordpolicy_details', 'report_security');
}
return $result;
}
/**
* Verifies sloppy embedding - this should have been removed long ago!!
* @param bool $detailed
* @return object result
*/
function report_security_check_embed($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_embed';
$result->name = get_string('check_embed_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">".get_string('sitepolicies', 'admin').'</a>';
if (!empty($CFG->allowobjectembed)) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_embed_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_embed_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_embed_details', 'report_security');
}
return $result;
}
/**
* Verifies sloppy swf embedding - this should have been removed long ago!!
* @param bool $detailed
* @return object result
*/
function report_security_check_mediafilterswf($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_mediafilterswf';
$result->name = get_string('check_mediafilterswf_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=managemediaplayers\">" .
get_string('managemediaplayers', 'media') . '</a>';
$activefilters = filter_get_globally_enabled();
$enabledmediaplayers = \core\plugininfo\media::get_enabled_plugins();
if (array_search('mediaplugin', $activefilters) !== false and array_key_exists('swf', $enabledmediaplayers)) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_mediafilterswf_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_mediafilterswf_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_mediafilterswf_details', 'report_security');
}
return $result;
}
/**
* Verifies fatal misconfiguration of dataroot
* @param bool $detailed
* @return object result
*/
function report_security_check_unsecuredataroot($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_unsecuredataroot';
$result->name = get_string('check_unsecuredataroot_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
$insecuredataroot = is_dataroot_insecure(true);
if ($insecuredataroot == INSECURE_DATAROOT_WARNING) {
$result->status = REPORT_SECURITY_SERIOUS;
$result->info = get_string('check_unsecuredataroot_warning', 'report_security', $CFG->dataroot);
} else if ($insecuredataroot == INSECURE_DATAROOT_ERROR) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_unsecuredataroot_error', 'report_security', $CFG->dataroot);
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_unsecuredataroot_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_unsecuredataroot_details', 'report_security');
}
return $result;
}
/**
* Verifies displaying of errors - problem for lib files and 3rd party code
* because we can not disable debugging in these scripts (they do not include config.php)
* @param bool $detailed
* @return object result
*/
function report_security_check_displayerrors($detailed=false) {
$result = new stdClass();
$result->issue = 'report_security_check_displayerrors';
$result->name = get_string('check_displayerrors_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
if (defined('WARN_DISPLAY_ERRORS_ENABLED')) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_displayerrors_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_displayerrors_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_displayerrors_details', 'report_security');
}
return $result;
}
/**
* Verifies open profiles - originally open by default, not anymore because spammer abused it a lot
* @param bool $detailed
* @return object result
*/
function report_security_check_openprofiles($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_openprofiles';
$result->name = get_string('check_openprofiles_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">".get_string('sitepolicies', 'admin').'</a>';
if (empty($CFG->forcelogin) and empty($CFG->forceloginforprofiles)) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_openprofiles_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_openprofiles_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_openprofiles_details', 'report_security');
}
return $result;
}
/**
* Verifies web crawler (search engine) access not combined with disabled guest access
* because attackers might gain guest access by modifying browser signature.
* @param bool $detailed
* @return object result
*/
function report_security_check_crawlers($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_crawlers';
$result->name = get_string('check_crawlers_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">".get_string('sitepolicies', 'admin').'</a>';
if (empty($CFG->opentowebcrawlers)) {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_crawlers_ok', 'report_security');
} else if (!empty($CFG->guestloginbutton)) {
$result->status = REPORT_SECURITY_INFO;
$result->info = get_string('check_crawlers_info', 'report_security');
} else {
$result->status = REPORT_SECURITY_SERIOUS;
$result->info = get_string('check_crawlers_error', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_crawlers_details', 'report_security');
}
return $result;
}
/**
* Verifies email confirmation - spammers were changing mails very often
* @param bool $detailed
* @return object result
*/
function report_security_check_emailchangeconfirmation($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_emailchangeconfirmation';
$result->name = get_string('check_emailchangeconfirmation_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">".get_string('sitepolicies', 'admin').'</a>';
if (empty($CFG->emailchangeconfirmation)) {
if (empty($CFG->allowemailaddresses)) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_emailchangeconfirmation_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_INFO;
$result->info = get_string('check_emailchangeconfirmation_info', 'report_security');
}
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_emailchangeconfirmation_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_emailchangeconfirmation_details', 'report_security');
}
return $result;
}
/**
* Verifies if https enabled only secure cookies allowed,
* this prevents redirections and sending of cookies to unsecure port.
* @param bool $detailed
* @return object result
*/
function report_security_check_cookiesecure($detailed=false) {
global $CFG;
if (!is_https()) {
return null;
}
$result = new stdClass();
$result->issue = 'report_security_check_cookiesecure';
$result->name = get_string('check_cookiesecure_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=httpsecurity\">".get_string('httpsecurity', 'admin').'</a>';
if (!is_moodle_cookie_secure()) {
$result->status = REPORT_SECURITY_SERIOUS;
$result->info = get_string('check_cookiesecure_error', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_cookiesecure_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_cookiesecure_details', 'report_security');
}
return $result;
}
/**
* Verifies config.php is not writable anymore after installation,
* config files were changed on several outdated server.
* @param bool $detailed
* @return object result
*/
function report_security_check_configrw($detailed=false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_configrw';
$result->name = get_string('check_configrw_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
if (is_writable($CFG->dirroot.'/config.php')) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_configrw_warning', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_configrw_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_configrw_details', 'report_security');
}
return $result;
}
/**
* Lists all users with XSS risk, it would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
* @param bool $detailed
* @return object result
*/
function report_security_check_riskxss($detailed=false) {
global $DB;
$result = new stdClass();
$result->issue = 'report_security_check_riskxss';
$result->name = get_string('check_riskxss_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = REPORT_SECURITY_WARNING;
$result->link = null;
$params = array('capallow'=>CAP_ALLOW);
$sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
FROM {role_capabilities} rcx
JOIN {capabilities} cap ON (cap.name = rcx.capability AND ".$DB->sql_bitand('cap.riskbitmask', RISK_XSS)." <> 0)
WHERE rcx.permission = :capallow) rc,
{context} c,
{context} sc,
{role_assignments} ra,
{user} u
WHERE c.id = rc.contextid
AND (sc.path = c.path OR sc.path LIKE ".$DB->sql_concat('c.path', "'/%'")." OR c.path LIKE ".$DB->sql_concat('sc.path', "'/%'").")
AND u.id = ra.userid AND u.deleted = 0
AND ra.contextid = sc.id AND ra.roleid = rc.roleid";
$count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $sqlfrom", $params);
$result->info = get_string('check_riskxss_warning', 'report_security', $count);
if ($detailed) {
$userfields = user_picture::fields('u');
$users = $DB->get_records_sql("SELECT DISTINCT $userfields $sqlfrom", $params);
foreach ($users as $uid=>$user) {
$users[$uid] = fullname($user);
}
$users = implode(', ', $users);
$result->details = get_string('check_riskxss_details', 'report_security', $users);
}
return $result;
}
/**
* Verifies sanity of default user role.
* @param bool $detailed
* @return object result
*/
function report_security_check_defaultuserrole($detailed=false) {
global $DB, $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_defaultuserrole';
$result->name = get_string('check_defaultuserrole_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=userpolicies\">".get_string('userpolicies', 'admin').'</a>';
if (!$default_role = $DB->get_record('role', array('id'=>$CFG->defaultuserroleid))) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_defaultuserrole_notset', 'report_security');
$result->details = $result->info;
return $result;
}
// risky caps - usually very dangerous
$params = array('capallow'=>CAP_ALLOW, 'roleid'=>$default_role->id);
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE ".$DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS))." <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, $params);
// it may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly
if ($default_role->archetype === '' or $default_role->archetype === 'user') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_defaultuserrole_error', 'report_security', role_get_name($default_role));
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_defaultuserrole_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_defaultuserrole_details', 'report_security');
}
return $result;
}
/**
* Verifies sanity of guest role
* @param bool $detailed
* @return object result
*/
function report_security_check_guestrole($detailed=false) {
global $DB, $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_guestrole';
$result->name = get_string('check_guestrole_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=userpolicies\">".get_string('userpolicies', 'admin').'</a>';
if (!$guest_role = $DB->get_record('role', array('id'=>$CFG->guestroleid))) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_guestrole_notset', 'report_security');
$result->details = $result->info;
return $result;
}
// risky caps - usually very dangerous
$params = array('capallow'=>CAP_ALLOW, 'roleid'=>$guest_role->id);
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE ".$DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS))." <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, $params);
// it may have either no or 'guest' archetype - nothing else, or else it would break during upgrades badly
if ($guest_role->archetype === '' or $guest_role->archetype === 'guest') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_guestrole_error', 'report_security', format_string($guest_role->name));
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_guestrole_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_guestrole_details', 'report_security');
}
return $result;
}
/**
* Verifies sanity of frontpage role
* @param bool $detailed
* @return object result
*/
function report_security_check_frontpagerole($detailed=false) {
global $DB, $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_frontpagerole';
$result->name = get_string('check_frontpagerole_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=frontpagesettings\">".get_string('frontpagesettings','admin').'</a>';
if (!$frontpage_role = $DB->get_record('role', array('id'=>$CFG->defaultfrontpageroleid))) {
$result->status = REPORT_SECURITY_INFO;
$result->info = get_string('check_frontpagerole_notset', 'report_security');
$result->details = get_string('check_frontpagerole_details', 'report_security');
return $result;
}
// risky caps - usually very dangerous
$params = array('capallow'=>CAP_ALLOW, 'roleid'=>$frontpage_role->id);
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE ".$DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS))." <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, $params);
// there is no legacy role type for frontpage yet - anyway we can not allow teachers or admins there!
if ($frontpage_role->archetype === 'teacher' or $frontpage_role->archetype === 'editingteacher'
or $frontpage_role->archetype === 'coursecreator' or $frontpage_role->archetype === 'manager') {
$legacyok = false;
} else {
$legacyok = true;
}
if ($riskycount or !$legacyok) {
$result->status = REPORT_SECURITY_CRITICAL;
$result->info = get_string('check_frontpagerole_error', 'report_security', role_get_name($frontpage_role));
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_frontpagerole_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_frontpagerole_details', 'report_security');
}
return $result;
}
/**
* Lists all admins.
* @param bool $detailed
* @return object result
*/
function report_security_check_riskadmin($detailed=false) {
global $DB, $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_riskadmin';
$result->name = get_string('check_riskadmin_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
$userfields = user_picture::fields('u');
$sql = "SELECT $userfields
FROM {user} u
WHERE u.id IN ($CFG->siteadmins)";
$admins = $DB->get_records_sql($sql);
$admincount = count($admins);
if ($detailed) {
foreach ($admins as $uid=>$user) {
$url = "$CFG->wwwroot/user/view.php?id=$user->id";
$admins[$uid] = '<li><a href="'.$url.'">' . fullname($user, true) . ' (' . s($user->email) . ')</a></li>';
}
$admins = '<ul>'.implode('', $admins).'</ul>';
}
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_riskadmin_ok', 'report_security', $admincount);
if ($detailed) {
$result->details = get_string('check_riskadmin_detailsok', 'report_security', $admins);
}
return $result;
}
/**
* Lists all roles that have the ability to backup user data, as well as users
* @param bool $detailed
* @return object result
*/
function report_security_check_riskbackup($detailed=false) {
global $CFG, $DB;
$result = new stdClass();
$result->issue = 'report_security_check_riskbackup';
$result->name = get_string('check_riskbackup_name', 'report_security');
$result->info = null;
$result->details = null;
$result->status = null;
$result->link = null;
$syscontext = context_system::instance();
$params = array('capability'=>'moodle/backup:userinfo', 'permission'=>CAP_ALLOW, 'contextid'=>$syscontext->id);
$sql = "SELECT DISTINCT r.id, r.name, r.shortname, r.sortorder, r.archetype
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid = :contextid
AND rc.permission = :permission";
$systemroles = $DB->get_records_sql($sql, $params);
$params = array('capability'=>'moodle/backup:userinfo', 'permission'=>CAP_ALLOW, 'contextid'=>$syscontext->id);
$sql = "SELECT DISTINCT r.id, r.name, r.shortname, r.sortorder, r.archetype, rc.contextid
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid <> :contextid
AND rc.permission = :permission";
$overriddenroles = $DB->get_records_sql($sql, $params);
// list of users that are able to backup personal info
// note: "sc" is context where is role assigned,
// "c" is context where is role overridden or system context if in role definition
$params = array('capability'=>'moodle/backup:userinfo', 'permission'=>CAP_ALLOW, 'context1'=>CONTEXT_COURSE, 'context2'=>CONTEXT_COURSE);
$sqluserinfo = "
FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
FROM {role_capabilities} rcx
WHERE rcx.permission = :permission AND rcx.capability = :capability) rc,
{context} c,
{context} sc,
{role_assignments} ra,
{user} u
WHERE c.id = rc.contextid
AND (sc.path = c.path OR sc.path LIKE ".$DB->sql_concat('c.path', "'/%'")." OR c.path LIKE ".$DB->sql_concat('sc.path', "'/%'").")
AND u.id = ra.userid AND u.deleted = 0
AND ra.contextid = sc.id AND ra.roleid = rc.roleid
AND sc.contextlevel <= :context1 AND c.contextlevel <= :context2";
$usercount = $DB->count_records_sql("SELECT COUNT('x') FROM (SELECT DISTINCT u.id $sqluserinfo) userinfo", $params);
$systemrolecount = empty($systemroles) ? 0 : count($systemroles);
$overriddenrolecount = empty($overriddenroles) ? 0 : count($overriddenroles);
if (max($usercount, $systemrolecount, $overriddenrolecount) > 0) {
$result->status = REPORT_SECURITY_WARNING;
} else {
$result->status = REPORT_SECURITY_OK;
}
$a = (object)array('rolecount'=>$systemrolecount,'overridecount'=>$overriddenrolecount,'usercount'=>$usercount);
$result->info = get_string('check_riskbackup_warning', 'report_security', $a);
if ($detailed) {
$result->details = ''; // Will be added to later
// Make a list of roles
if ($systemroles) {
$links = array();
foreach ($systemroles as $role) {
$role->name = role_get_name($role);
$role->url = "$CFG->wwwroot/$CFG->admin/roles/manage.php?action=edit&amp;roleid=$role->id";
$links[] = '<li>'.get_string('check_riskbackup_editrole', 'report_security', $role).'</li>';
}
$links = '<ul>'.implode($links).'</ul>';
$result->details .= get_string('check_riskbackup_details_systemroles', 'report_security', $links);
}
// Make a list of overrides to roles
$rolelinks2 = array();
if ($overriddenroles) {
$links = array();
foreach ($overriddenroles as $role) {
$role->name = $role->localname;
$context = context::instance_by_id($role->contextid);
$role->name = role_get_name($role, $context, ROLENAME_BOTH);
$role->contextname = $context->get_context_name();
$role->url = "$CFG->wwwroot/$CFG->admin/roles/override.php?contextid=$role->contextid&amp;roleid=$role->id";
$links[] = '<li>'.get_string('check_riskbackup_editoverride', 'report_security', $role).'</li>';
}
$links = '<ul>'.implode('', $links).'</ul>';
$result->details .= get_string('check_riskbackup_details_overriddenroles', 'report_security', $links);
}
// Get a list of affected users as well
$users = array();
list($sort, $sortparams) = users_order_by_sql('u');
$userfields = user_picture::fields('u');
$rs = $DB->get_recordset_sql("SELECT DISTINCT $userfields, ra.contextid, ra.roleid
$sqluserinfo ORDER BY $sort", array_merge($params, $sortparams));
foreach ($rs as $user) {
$context = context::instance_by_id($user->contextid);
$url = "$CFG->wwwroot/$CFG->admin/roles/assign.php?contextid=$user->contextid&amp;roleid=$user->roleid";
$a = (object)array('fullname'=>fullname($user), 'url'=>$url, 'email'=>s($user->email),
'contextname'=>$context->get_context_name());
$users[] = '<li>'.get_string('check_riskbackup_unassign', 'report_security', $a).'</li>';
}
$rs->close();
if (!empty($users)) {
$users = '<ul>'.implode('', $users).'</ul>';
$result->details .= get_string('check_riskbackup_details_users', 'report_security', $users);
}
}
return $result;
}
/**
* Verifies the status of web cron
*
* @param bool $detailed
* @return object result
*/
function report_security_check_webcron($detailed = false) {
global $CFG;
$croncli = $CFG->cronclionly;
$cronremotepassword = $CFG->cronremotepassword;
$result = new stdClass();
$result->issue = 'report_security_check_webcron';
$result->name = get_string('check_webcron_name', 'report_security');
$result->details = null;
$result->link = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">"
.get_string('sitepolicies', 'admin').'</a>';
if (empty($croncli) && empty($cronremotepassword)) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_webcron_warning', 'report_security');
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_webcron_ok', 'report_security');
}
if ($detailed) {
$result->details = get_string('check_webcron_details', 'report_security');
}
return $result;
}
/**
* Verifies the status of preventexecpath
*
* @param bool $detailed
* @return object result
*/
function report_security_check_preventexecpath($detailed = false) {
global $CFG;
$result = new stdClass();
$result->issue = 'report_security_check_preventexecpath';
$result->name = get_string('check_preventexecpath_name', 'report_security');
$result->details = null;
$result->link = null;
if (empty($CFG->preventexecpath)) {
$result->status = REPORT_SECURITY_WARNING;
$result->info = get_string('check_preventexecpath_warning', 'report_security');
if ($detailed) {
$result->details = get_string('check_preventexecpath_details', 'report_security');
}
} else {
$result->status = REPORT_SECURITY_OK;
$result->info = get_string('check_preventexecpath_ok', 'report_security');
}
return $result;
}
/**
* Check the presence of the vendor directory.
*
* @param bool $detailed Return detailed info.
* @return object Result data.
*/
function report_security_check_vendordir($detailed = false) {
global $CFG;
$result = (object)[
'issue' => 'report_security_check_vendordir',
'name' => get_string('check_vendordir_name', 'report_security'),
'info' => get_string('check_vendordir_info', 'report_security'),
'details' => null,
'status' => null,
'link' => null,
];
if (is_dir($CFG->dirroot.'/vendor')) {
$result->status = REPORT_SECURITY_WARNING;
} else {
$result->status = REPORT_SECURITY_OK;
}
if ($detailed) {
$result->details = get_string('check_vendordir_details', 'report_security', ['path' => $CFG->dirroot.'/vendor']);
}
return $result;
}
/**
* Check the presence of the node_modules directory.
*
* @param bool $detailed Return detailed info.
* @return object Result data.
*/
function report_security_check_nodemodules($detailed = false) {
global $CFG;
$result = (object)[
'issue' => 'report_security_check_nodemodules',
'name' => get_string('check_nodemodules_name', 'report_security'),
'info' => get_string('check_nodemodules_info', 'report_security'),
'details' => null,
'status' => null,
'link' => null,
];
if (is_dir($CFG->dirroot.'/node_modules')) {
$result->status = REPORT_SECURITY_WARNING;
} else {
$result->status = REPORT_SECURITY_OK;
}
if ($detailed) {
$result->details = get_string('check_nodemodules_details', 'report_security', ['path' => $CFG->dirroot.'/node_modules']);
}
return $result;
}

8
report/security/settings.php

@ -17,15 +17,15 @@
/**
* Settings and links
*
* @package report
* @subpackage security
* @package report_security
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die;
$ADMIN->add('reports', new admin_externalpage('reportsecurity', get_string('pluginname', 'report_security'), "$CFG->wwwroot/report/security/index.php",'report/security:view'));
$ADMIN->add('reports', new admin_externalpage('reportsecurity', get_string('pluginname', 'report_security'),
"$CFG->wwwroot/report/security/index.php", 'report/security:view'));
// no report settings
// No report settings.
$settings = null;

7
report/security/version.php

@ -17,14 +17,13 @@
/**
* Version info
*
* @package report
* @subpackage security
* @package report_security
* @copyright 2011 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die;
$plugin->version = 2019111800; // The current plugin version (Date: YYYYMMDDXX)
$plugin->version = 2019111801; // The current plugin version (Date: YYYYMMDDXX)
$plugin->requires = 2019111200; // Requires this Moodle version
$plugin->component = 'report_security'; // Full name of the plugin (used for diagnostics)
$plugin->component = 'report_security'; // Full name of the plugin (used for diagnostics).