The Drupal project partnered with OSTIF for a series of audits on key technology to support supply chain security for automatic updates. Specifically, the PHP-TUF client-side library and its server-side Rugged counterpart underwent a security audit by Include Security organized by OSTIF. The Update Framework (or “TUF”) is a cryptographically-secure file sharing open source project, and PHP-TUF and Rugged implement that framework in the PHP language to help deliver Drupal package updates, and hopefully updates for other projects in the PHP ecosystem. Supplementary to performing threat modeling and a CI/CD pipeline and code review, Include Security also performed a specification compliance review for PHP-TUF against its parent project in preparation for its future release. 

First undertaken was the creation of threat model documentation, including: a diagram of the PHP-TUF functions and trust borders, diagrams of Rugged and PHP-TUF threat actors with recommendations for mitigation, and descriptions of the project’s architecture. Having established a map of the project’s functions, Include Security reviewed existing automated security testing of the CI/CD pipeline for both PHP-TUF and Rugged. In total, 7 findings with a security impact were reported by this audit- the highest-risk was graded a medium vulnerability, with similarities to a CVE reported in Python-TUF in 2021 (CVE-2021-41131). The medium finding in PHP-TUF revealed that the project did not prevent path traversal attacks, which could result in malicious file writes outside the TUF metadata directory. The other 6 findings were considered low/informational to the project’s security. 

As this audit was on a project and its repository not yet published for the general public, there was a lot of testing and review that resulted in further recommendations. For example, originally planned was the possible inclusion of static analysis tools with the incorporation of the CI/CD pipeline onto OSS-Fuzz. However, upon reviewing the pipelines of both PHP-TUF and Rugged, the Include team felt the best recommendation for the project was to instead recommend further actions the project can take to improve their security that are a better use of time and resources. Holistic engagements like this one often result in more specialized and less common security recommendations for projects that are tailored to the exact needs and functions of a project, rather than rubber-stamping typical actions that might be too early in a project’s lifespan to be of help. 

As a result of this work, the Drupal team is now able to proceed with the final phases of development so they can bring secure automatic updates to their community in the near future. 

OSTIF would like to thank the developers and those at the Drupal Association, specifically Tim Lehnen for their work on this audit and the project as it comes to the finish line. Without their funding and contributions, this engagement would not have been possible. Further gratitude is extended to the Include Security team for their hard work and contributions to this project and open source security. Final thanks goes to the Drupal Foundation for their fiscal support of this work.

Read the audit report HERE