Recognizing Insecure Drupal Code
And, why you shouldn't allow users to input a SQL operator!
09.01.2010 Technology and Innovation
Hey geeks, meet Watershed Now!, our first Drupal distribution.
You can read our non-geek post to learn more about what Watershed Now! does. Watershed Now! itself is a Drupal 6.x installation profile coupled with a few custom modules, a few custom parent-child themes, and some nifty features. We literally just tagged our first 0.1 release of Watershed Now! on GitHub this morning. It’s buggy and incomplete - but it’s just good enough that we are going to use this tag as the starting point for one of our customers - and in doing so we will drop the cost of development for the site by 300%, while increasing our own profitability on the project.
Our experience using the usual suspects for building Drupal distros (installation profiles, context, boxes, ctools, strongarm, and features) has been interesting to say the least. Features in particular has made a lot of codifying config easy, while also resulting in a lot of little headaches working around niggly bits of config that just don’t want to make their way into code (WYSIWYG imagefield settings on an imagefield CCK field being one of those little bits that just doesn’t want to work for me this morning…). Avoiding circular dependencies between features that interact with each other or share/compete for strongarm settings has also been a bit of a challenge. All of this is new and there just doesn’t seem to be a definitive best practice to fall back on when cobbling everything together.
In terms of writing installation profiles, reading through Development Seed’s .profile files for OpenAtrium and Managing News has been tremendously helpful, as has been taking advantage of Boris Mann’s Install Profile API module - which provides a host of API calls for creating/manipulating nodes, user accounts, roles, permissions, menus, taxonomies, etc., on build.
Our next step in this adventure will be to start using Hudson for continuous integration of the distro’s build process. (We learned a ton from this screencast.) Hopefully we’ll get to the point soon where we can afford to automate our testing of the distro with SimpleTest. But for now, we’ll be using Hudson on a testing server to perform scratch builds on a GitHub commit hook - which will save us hours of staring at Drupal install screens locally every time we want to test changes to our installation process.
Admittedly, we’ve got a bit more work to go with Hudson. Setting it up to work with Drush is actually a pretty easy process on Ubuntu (our preferred distro), as Hudson (which runs on a Java server) can be installed via .deb package management. But the process and configuration of all these tools isn’t the best documented yet (we want to help change that…) and takes research and a lot of trial and error. And as far as we can tell, the best if not only way to run an installation profile via Drush at the command line in D6.x is to install Aegir and leverage its backend, Provision. (Drush for D7.x provides a simple “installsite” command that cuts out this step.)
We’ve taken a lot of inspiration from Development Seed’s writing on the concept of How to sell your milk when the cow is free. As a smaller Drupal shop, I don’t know if/when building a targeted Drupal release for a niche nonprofit vertical like watershed conservation will actually make us more profitable financially. This summer we’ve invested well over a hundred unbillable hours abstracting out tools that we’ve been building for river conservation clients. We’ve got at least another 200 hours of polish before Watershed Now is a point-and-click installation even remotely comparable to Managing News. And then we’ve got to consider the marketing hours (like this blog post) and the support time that keeping this project going will take.
There is risk and significant opportunity costs for us in this project. But having done “the consulting thing” for ten years and having built fifty-plus Drupal websites for nonprofits over the last 5 years, I’m personally excited about creating this opportunity to invest in making something on the web consistently better, the opportunity to continually explore what’s possible for my heroes in the conservation movement, and the opportunity to reduce the costs of technology so that ThinkShout can sustainably reach more organizations out there on the front lines of advocacy and community improvement.
Questions? Comments? We want to know! Drop us a line and let’s start talking.