[langsec-discuss] Tainting input for better security

Will Sargent will.sargent at gmail.com
Thu Jun 14 22:02:32 UTC 2012


That doesn't really say much about tainting or whitelisting as a best
practice, though.

What would you say to someone about language security and input
validation without mentioning a specific programming language?

Will.

On Thu, Jun 14, 2012 at 2:05 PM, Carter Schonwald
<carter.schonwald at gmail.com> wrote:
> The glib but perhaps accurate answer is not enough people use Haskell ! :-)
>
> The point Being that If your tools don't make writing or reasoning about
> code jointly simple, all bets are off :-)
>
>
> On Wednesday, June 13, 2012, Will Sargent wrote:
>>
>> Hi all,
>>
>> I'm not a security professional, so excuse me if I'm reinventing the wheel
>> here, but here's what I got from the talk.
>>
>> So it seems clear that unless you're validating your input (and can trust
>> your validator), then your input is untrusted.
>>
>> What that means for me practically is that any input I have from the
>> client, in the form of headers, parameters, cookies or form fields, should
>> be automatically tainted by the system unless an appropriate validator is
>> found for it.
>>
>> val taintedEmail: Taint[String] = request.queryString("email")
>>
>> Ideally the validation should result in a strongly typed object, so an
>> EmailValidator would return a type Email, a URLValidator would return a
>> URL, a MixedCaseStringValidator would return a MixedCaseString, etc, so you
>> never pass around the raw tainted input.
>>
>> val result: Either[Failure, Email] = emailValidator.validate(taintedEmail)
>> result.fold(
>>   failure => {
>>     BadRequest(html.index).flashing("error" -> failure.toString)
>>   },
>>   success => {
>>     Ok(html.index)
>>   }
>> )
>>
>> Email and URL validation is complicated (I think
>> https://code.google.com/p/isemail/ is amazing) and I don't think anyone's
>> really made a good HTML validation library yet, but it seems like this would
>> be a useful if not necessary thing.
>>
>> So, two questions:
>>
>> 1) Why don't all web frameworks do this out of the box?
>> 2) Why is validation in such a terrible state?  It seems like people just
>> throw regexps at the problem and hope for the best.
>>
>> Will.
>> _______________________________________________
>> langsec-discuss mailing list
>> langsec-discuss at lists.langsec.org
>> https://lists.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
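A worked version of the type-level tainting sketched in the quoted post, added here as an example (not code from the thread, and in Rust rather than the Scala/Play sketch): the wrapped value is private to its module, so application code cannot reach the raw string and must go through a validator that returns either a typed `Email` or a `Failure`. The email rules are an assumption of this example, not the grammar of the isemail library the post links to.

```rust
// Added example, not code from the thread: a taint wrapper whose raw value is
// unreachable outside its module, so the only way out is through a Validator.
mod taint {
    pub struct Tainted<T>(T); // private field: application code cannot read it
    impl<T> Tainted<T> {
        // The framework wraps every header, parameter, cookie or form field here.
        pub fn from_request(raw: T) -> Self { Tainted(raw) }
    }

    pub trait Validator<T> {
        type Output;
        type Failure;
        fn check(&self, raw: &T) -> Result<Self::Output, Self::Failure>;
        // Consumes the tainted value and yields a typed Output or a Failure, never the raw input.
        fn validate(&self, input: Tainted<T>) -> Result<Self::Output, Self::Failure> {
            self.check(&input.0)
        }
    }
}

use taint::{Tainted, Validator};

#[derive(Debug, PartialEq)]
pub struct Email { pub local: String, pub domain: String }
#[derive(Debug, PartialEq)]
pub enum Failure { TooLong, BadChar, NoAt, MultipleAt, EmptyPart }
pub struct EmailValidator;

impl Validator<String> for EmailValidator {
    type Output = Email;
    type Failure = Failure;
    // Conservative rules chosen for this example (not a full RFC 5322 parser):
    // printable ASCII only, exactly one '@', both sides non-empty.
    fn check(&self, raw: &String) -> Result<Email, Failure> {
        if raw.len() > 254 { return Err(Failure::TooLong); }
        if !raw.bytes().all(|b| (0x21..=0x7e).contains(&b)) { return Err(Failure::BadChar); }
        let (local, domain) = match raw.matches('@').count() {
            0 => return Err(Failure::NoAt),
            1 => raw.split_once('@').unwrap(),
            _ => return Err(Failure::MultipleAt),
        };
        if local.is_empty() || domain.is_empty() { return Err(Failure::EmptyPart); }
        Ok(Email { local: local.to_string(), domain: domain.to_string() })
    }
}

// Handler-shaped entry point: the only route from a raw query value to an Email.
pub fn handle_signup(query_email: &str) -> Result<Email, Failure> {
    EmailValidator.validate(Tainted::from_request(query_email.to_string()))
}
```

Because `Tainted<T>` has no public accessor, a handler that tries to log or store the raw query value without validating it fails to compile, which is the "automatically tainted unless a validator is found" behaviour the post asks for.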

