3 namespace Drupal\security_review\Checks;
5 use Drupal\Core\Logger\RfcLogLevel;
6 use Drupal\security_review\Check;
7 use Drupal\security_review\CheckResult;
10 * Checks for abundant query errors.
12 class QueryErrors extends Check {
17 public function getNamespace() {
18 return 'Security Review';
24 public function getTitle() {
25 return 'Query errors';
31 public function run() {
32 // If dblog is not enabled return with hidden INFO.
33 if (!$this->moduleHandler()->moduleExists('dblog')) {
34 return $this->createResult(CheckResult::INFO, [], FALSE);
37 $result = CheckResult::SUCCESS;
39 $last_result = $this->lastResult();
43 $query = $this->database()->select('watchdog', 'w');
52 $query->condition('type', 'php')->condition('severity', RfcLogLevel::ERROR);
53 if ($last_result instanceof CheckResult) {
54 // Only check entries that got recorded since the last run of the check.
55 $query->condition('timestamp', $last_result->time(), '>=');
59 $db_result = $query->execute();
61 // Count the number of query errors per IP.
63 foreach ($db_result as $row) {
65 if ($row->variables === 'N;') {
66 $message = $row->message;
69 $message = $this->t($row->message, unserialize($row->variables));
75 // Search for query errors.
76 $message_contains_sql = strpos($message, 'SQL') !== FALSE;
77 $message_contains_select = strpos($message, 'SELECT') !== FALSE;
78 if ($message_contains_sql && $message_contains_select) {
79 $entry_for_ip = &$entries[$ip];
81 if (!isset($entry_for_ip)) {
88 // Filter the IPs with more than 10 query errors.
89 if (!empty($entries)) {
90 foreach ($entries as $ip => $count) {
97 if (!empty($findings)) {
98 $result = CheckResult::FAIL;
102 return $this->createResult($result, $findings, $visible);
108 public function help() {
110 $paragraphs[] = $this->t('Database errors triggered from the same IP may be an artifact of a malicious user attempting to probe the system for weaknesses like SQL injection or information disclosure.');
113 '#theme' => 'check_help',
114 '#title' => $this->t('Abundant query errors from the same IP'),
115 '#paragraphs' => $paragraphs,
122 public function evaluate(CheckResult $result) {
123 $findings = $result->findings();
124 if (empty($findings)) {
129 $paragraphs[] = $this->t('The following IPs were observed with an abundance of query errors.');
132 '#theme' => 'check_evaluation',
133 '#paragraphs' => $paragraphs,
134 '#items' => $result->findings(),
141 public function evaluatePlain(CheckResult $result) {
142 $findings = $result->findings();
143 if (empty($findings)) {
147 $output = $this->t('Suspicious IP addresses:') . ":\n";
148 foreach ($findings as $ip) {
149 $output .= "\t" . $ip . "\n";
158 public function getMessage($result_const) {
159 switch ($result_const) {
160 case CheckResult::FAIL:
161 return $this->t('Query errors from the same IP. These may be a SQL injection attack or an attempt at information disclosure.');
164 return $this->t('Unexpected result.');