On Tue, Aug 11, 2015 at 1:37 PM, Ryan Gonzalez <rymg19@gmail.com> wrote:
Isn't it already like this? It's no harder than:

Popen('%s a.c' % cc, shell=True)

Heck, I used to do that when I started programming (I hadn't yet learned about injection stuff).

If someone is uneducated about injection, they *will do it anyway*. The introduction of format strings (f-strings sounds like a certain word to me...) wouldn't make it any easier, really.

Well, exactly. So I/we must grep for shell=True, %, .format(, .format_globals(**kwargs),
and f" or f'
and update static analysis tools (to essentially re-AST string.Template with merge(globals, locals, kwargs))
 

On August 11, 2015 1:22:06 PM CDT, Wes Turner <wes.turner@gmail.com> wrote:


On Tue, Aug 11, 2015 at 12:52 PM, Wes Turner <wes.turner@gmail.com> wrote:
... I'm now -1000 on this.

~"Make it hard to do wrong; or easy to do correctly"

... Here are these, (which should also not be used for porting shell scripts to python): http://jinja.pocoo.org/docs/dev/templates/#expressions

So, again, I am 
-1000 on (both of these PEPs)
because they are just another way of making it too easy to do the wrong thing.

* #1 most prevalent security vulnerability:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

   * ORM with parametrization, quoting, escaping and lists of reserved words 
     * SQLAlchemy

* #2 most prevalent security vulnerability:
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

   * Command preparation library (which builds a tuple() for exec)
     * Sarge, subprocess.call(shell=False=0) 


- [ ] DOC: (Something like this COULD/SHOULD be in the % and str.format docs as well)
 

On Tue, Aug 11, 2015 at 12:48 PM, Wes Turner <wes.turner@gmail.com> wrote:

On Tue, Aug 11, 2015 at 12:08 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:
[off list]

On 12 August 2015 at 01:28, Wes Turner <wes.turner@gmail.com> wrote:
>
> On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner@gmail.com> wrote:
>>
>>
>> On Aug 11, 2015 10:10 AM, "Alexander Walters" <tritium-list@sdamon.com>
>> wrote:
>> >
>> > This may seem like a simplistic solution to i18n, but why not just add a
>> > method to string objects (assuming we implement f-strings) that just returns
>> > the original, unprocessed string.  If the string was not an f-string, it
>> > just returns self.  The gettext module can be modified, I think trivially,
>> > to use the method instead of the string directly.
>> >
>> > Is this a horrible idea?
>
> - [ ] review all string interpolation (for "injection")
>   * [ ] review every '%'
>   * [ ] review every ".format()"
>   * [ ] review every f-string (AND LOCALS AND GLOBALS)
>   * every os.system, os.exec*, subprocess.Popen
>   * every unclosed tag
>   * every unescaped control character
>
> This would create work we don't need.
>
> Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__ refs
> a global list of reserved words.

Wes, we're not mind readers - I know you're trying to be concise to
save people time when reading, but these bullet-point-only posts are
*harder* to read than if you wrote out a full explanation of what you
meant. With this cryptic form, we have to try to guess the missing
pieces, which is slower and less certain than having them already
written out in the post.

~"This is another way to make it easier to do the wrong thing; where a better solution (AND/OR DOCS ON ALL STRING INTERPOLATION) would be less likely to increase the occurrence of CWE TOP 25 #1 and #2"

printf is often dangerous and wrong because things aren't escaped (or scope is not controlled, or things are mutable)


~"Make it hard to do; or easy to do the right way"
 

Regards,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia





Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/

--
Sent from my Nexus 5 with K-9 Mail. Please excuse my brevity.
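The thread above contrasts string-built commands and queries (CWE-78, CWE-89) with the argv-list and parametrized forms, and Wes notes that reviewers end up grepping for `shell=True`, `%`, `.format(` and f-strings at call sites. The following is an added example, not code from any of the posters: it shows the `Popen('%s a.c' % cc, shell=True)` pattern beside its argv-list replacement, a `%`-formatted SQL query beside a parametrized one, and a small `ast`-based scan that flags formatted-string arguments and `shell=True` at a hypothetical list of sink names (`Popen`, `run`, `system`, `execute`, ...). The sink list and the sample source being scanned are constructed for this example.

```python
import ast
import shlex
import sqlite3
import subprocess
import sys

# ---- CWE-78: OS command ----------------------------------------------------
# Argv-list form: each element is one literal argument, no shell parses it.
# A value such as "a.c; echo INJECTED" stays a single argument to the child.
def echo_argument(value):
    """Run a child that prints sys.argv[1] verbatim; returns what it printed."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout.rstrip("\n")

def shell_safe_command(argv):
    """If a shell string is unavoidable, build it with shlex.join (quotes each
    argument) rather than '%s a.c' % cc; returns the quoted string."""
    return shlex.join(argv)

# ---- CWE-89: SQL ------------------------------------------------------------
def make_db():
    """Constructed in-memory table used by the two queries below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user_unsafe(conn, name):
    # Pattern the thread warns about: the value is spliced into the SQL text.
    return conn.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()

def find_user(conn, name):
    # Parametrized: the driver passes `name` as data, never as SQL syntax.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

# ---- review aid: find the call sites a reviewer would grep for ---------------
# Hypothetical sink names for this example; extend for your own code base.
SINKS = {"Popen", "run", "call", "check_call", "check_output", "system", "execute", "executemany"}

def _callee_name(func):
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None

def audit_source(src):
    """Return sorted (lineno, reason) pairs for sink calls that receive a
    %-formatted, .format()-ed or f-string argument, or pass shell=True."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) not in SINKS:
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, "shell=True"))
        for arg in node.args:
            if isinstance(arg, ast.JoinedStr):
                findings.append((node.lineno, "f-string argument"))
            elif (isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod)
                  and isinstance(arg.left, ast.Constant) and isinstance(arg.left.value, str)):
                findings.append((node.lineno, "%-formatted argument"))
            elif isinstance(arg, ast.Call) and _callee_name(arg.func) == "format":
                findings.append((node.lineno, ".format() argument"))
    return sorted(findings)

# Constructed sample module: three risky call sites, two safe ones.
SAMPLE = '''
from subprocess import Popen
import os
Popen('%s a.c' % cc, shell=True)
os.system(f"cc {src}")
cur.execute("SELECT * FROM t WHERE n = '{}'".format(n))
Popen([cc, src])
cur.execute("SELECT * FROM t WHERE n = ?", (n,))
'''

if __name__ == "__main__":
    print(echo_argument("a.c; echo INJECTED"))
    print(shell_safe_command(["cc", "a.c; echo INJECTED"]))
    db = make_db()
    print(find_user_unsafe(db, "x' OR '1'='1"), find_user(db, "x' OR '1'='1"))
    for lineno, reason in audit_source(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The scanner is deliberately syntactic, which is the point Wes makes: it catches the `%`, `.format(` and f-string shapes at known sinks, but a value formatted elsewhere and passed through a variable is invisible to it, so the argv-list and parametrized forms remain the actual fix.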