[Python-ideas] pytaint: taint tracking in python
Terry Reedy
tjreedy at udel.edu
Tue Oct 15 20:10:23 CEST 2013
On 10/15/2013 1:30 PM, Andrew Barnert wrote:
> On Oct 15, 2013, at 10:14, Terry Reedy
> <tjreedy at udel.edu> wrote:
>
>> The same would be true of a taint library. Note that web
>> frameworks, etc, are not in the stdlib. I am not sure that taints
>> should be either.
>
> Well, some of the things that could benefit from taint checking _are_
> in the stdlib--sqlite3.Cursor.execute, eval, etc.
Perhaps a security-oriented sql package could try to force use of
parameterized queries, even though that would be less convenient for
hard-coded queries. Or, the db2 interface standard could be augmented
with a standard interface for tainted strings. (Or such an
interface/protocol might be defined in a PEP.)
As for eval (and exec), a package module could easily provide a wrapper.
    import builtins
    builtin_eval = builtins.eval  # keep the real eval before masking the name

    def eval(code, glob=None, loc=None):
        # safe() and text() are assumed to come from the taint library
        if safe(code):
            return builtin_eval(text(code), glob, loc)
        else:
            raise TaintError("only eval safe strings")
It could even replace the binding in builtins.
Note that in Python 3, exec is also a function, not a statement (and
keyword), so that it too can be wrapped and masked.
> More importantly, it sounds like (at least this particular
> implementation of) tainted string tracking requires language support.
If 'language support' means changing str
> So what you're suggesting really amounts to saying that this project
> should remain a fork of CPython.
which 'fork' implies to me, then experience with an implementation for
3.3+, using the new FSR classes, is needed for any real discussion.
> That being said, with no investigation into the difficulties or costs
> of implementing taint tracking in PyPy, Jython, and IronPython, not
> to mention not-quite-implementations like Cython, there might be
> other arguments for that position [of remaining 3rd party].
Good catch. I presume Jython and IronPython simply use Java and C#
strings respectively.
--
Terry Jan Reedy
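Added example, not from the thread or the pytaint project: a minimal sketch of the eval wrapper discussed above, with a str subclass standing in for a tainted-string type. The names TaintedStr, taint, safe, text, untaint and safe_eval are assumptions made here.

```python
import builtins


class TaintError(ValueError):
    """Raised when tainted (untrusted) data reaches a sensitive sink."""


class TaintedStr(str):
    """A str subclass carrying a taint marker (illustration only, not pytaint's API).

    Only concatenation is overridden here; str methods, format() and f-strings
    return plain str and silently drop the marker, which is the gap that
    interpreter-level support would have to close.
    """
    tainted = True

    def __add__(self, other):
        # Concatenation in either direction keeps the marker.
        return TaintedStr(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self))


def taint(s):
    """Mark a string that arrived from an untrusted source (e.g. a request)."""
    return TaintedStr(s)


def safe(obj):
    """True unless obj carries the taint marker."""
    return not getattr(obj, "tainted", False)


def text(obj):
    """Plain str for a value that has been checked; str() drops the subclass."""
    return str(obj)


def untaint(obj, validator):
    """Return a plain str once `validator` accepts the value; otherwise refuse."""
    if not validator(obj):
        raise TaintError("value failed validation: %r" % (obj,))
    return text(obj)


def safe_eval(code, glob=None, loc=None):
    """The wrapper sketched above: evaluate only strings that are not tainted."""
    if not safe(code):
        raise TaintError("only eval safe strings")
    src = text(code) if isinstance(code, str) else code
    return builtins.eval(src, glob, loc)
```

A value becomes acceptable to the sink only by passing a validator in untaint(); concatenating it with trusted text afterwards yields a plain str.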