<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 1:22 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">... I'm now -1000 on this.<div><br></div><div><span style="font-size:12.8000001907349px">~"Make it hard to do wrong; or easy to do correctly"</span><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">... Here are these, (which should also not be used for porting shell scripts to python): <a href="http://jinja.pocoo.org/docs/dev/templates/#expressions" target="_blank">http://jinja.pocoo.org/docs/dev/templates/#expressions</a></span></div></div></blockquote><div><br></div></span><div><div>So, again, I am </div><div>-1000 on (both of these PEPs)</div><div>because they are just another way of making it too easy to do the wrong thing.</div><div><br></div><div>* #1 most prevalent security vulnerability:</div><div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">1</font></b></td><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a href="http://cwe.mitre.org/data/definitions/89.html" style="color:rgb(0,0,102)" target="_blank">CWE-89</a>: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</b></font></td></tr></tbody></table></div><div><br></div><div> * ORM with parametrization, quoting, escaping and lists of reserved words </div><div> * SQLAlchemy</div><div><br></div><div>* #2 most prevalent security vulnerability:</div><table border="1" cellpadding="1" cellspacing="1" width="100%" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;font-size:medium"><tbody><tr><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(221,226,245)!important"><b><font size="+5">2</font></b></td><td style="font-family:Verdana,Arial,Helvetica,Geneva,sans-serif;background-color:rgb(238,238,238)"><font size="+1"><b><a href="http://cwe.mitre.org/data/definitions/78.html" style="color:rgb(0,0,102)" target="_blank">CWE-78</a>: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</b></font></td></tr></tbody></table><div><br></div><div> * Command preparation library (which builds a tuple() for exec)</div><div> * Sarge, subprocess.call(shell=False=0) </div></div><div><br></div><div><br></div><div>- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format docs as well)</div></div></div></div></blockquote><div><br></div><div>Maybe it would be helpful to think of string concatenation</div><div>more in terms of compiling a template for</div><div>serializable DOM(html,js,brython)/doctree(docutils,sphinx)/jinja nodes</div><div>which have types (Path, CommandOption/Arg, [Tag, Attr])</div><div>and appropriate quoting, escaping, encoding, **and translation** rules</div><div>according to a given output context.</div><div><br></div><div> </div><div> # because this is what could just not be:</div><div> [os.system(f'echo "{cmd}") for cmd in cmds]</div><div> os.system(f'echo2 '{cmd}')</div><div> </div><div>What is the target output format for this string concatenation,</div><div>most of the time?</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <span dir="ltr"><<a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">[off list]<br>
<span><br>
On 12 August 2015 at 01:28, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br>
><br>
> On Aug 11, 2015 10:19 AM, "Wes Turner" <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br>
>><br>
>><br>
>> On Aug 11, 2015 10:10 AM, "Alexander Walters" <<a href="mailto:tritium-list@sdamon.com" target="_blank">tritium-list@sdamon.com</a>><br>
>> wrote:<br>
>> ><br>
>> > This may seam like a simplistic solution to i18n, but why not just add a<br>
>> > method to string objects (assuming we implement f-strings) that just returns<br>
>> > the original, unprocessed string. If the string was not an f-string, it<br>
>> > just returns self. The gettext module can be modified, I think trivially,<br>
>> > to use the method instead of the string directly.<br>
>> ><br>
>> > Is this a horrible idea?<br>
><br>
> - [ ] review all string interpolation (for "injection")<br>
> * [ ] review every '%'<br>
> * [ ] review every ".format()"<br>
> * [ ] review every f-string (AND LOCALS AND GLOBALS)<br>
> * every os.system, os.exec*, subprocess.Popen<br>
> * every unclosed tag<br>
> * every unescaped control character<br>
><br>
> This would create work we don't need.<br>
><br>
> Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__ refs<br>
> a global list of reserved words.<br>
<br>
</span>Wes, we're not mind readers - I know you're trying to be concise to<br>
save people time when reading, but these bullet-point-only posts are<br>
*harder* to read than if you wrote out a full explanation of what you<br>
meant. With this cryptic form, we have to try to guess the missing<br>
pieces, which is slower and less certain than having them already<br>
written out in the post.<br></blockquote><div><br></div></div></div><div>~"This is another way to make it easier to do the wrong thing; where a better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less likely to increase the ocurrence of CWE TOP 25 #1 and #2"<br></div><div><br></div><div>printf is often dangerous and wrng because things aren't escaped (or scope is not controlled, or things are mutable)</div><div><br></div><div><br></div><div>~"Make it hard to do; or easy to do the right way"</div><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Regards,<br>
<div><div>Nick.<br>
<br>
--<br>
Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a> | Brisbane, Australia<br>
</div></div></blockquote></span></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div></div></div><br></div></div>
</blockquote></div><br></div></div>