Safe Strings for Security?

by jesse in ,


I just got done reading this article "A bright future: security and modern type systems" which reminded me of the recent Django discussion around AutoEscaping - specifically "Automatic Escaping is Not a “Newbie Feature”" Now, I've railed for and discussed (much to the dismay of my wife - I'll talk to anyone about this, infant included) "Duck" typing and why I love it - I think the ability to define your own String/File/etc-like "SAFE" objects is easier, and more attractive in python. Do you really want a compiler to enforce social and domain-specific rules for you?

The dynamic nature of the typing within python (remember -> all objects are strongly typed at runtime) makes the on-the-fly definition and creation of new types/objects which conform to a subjective series of rules (in this case: the definition of domain-specific "malicious" strings) an easy and rapid-to-do task.

With no compiler in the way to enforce the checking of the most banal of errors one could argue that although you may have defined a new Type-Like object (a Bear in a Ducksuit) there are no rules within the compiler or interpreter to enforce that that type is used at runtime or in the rest of the application. This means you must rely on social convention or some other built-in-rules system.

Perhaps you're smart about it - and when you're building your application (web or otherwise) you state that Object A accepts a "string-like" object of the SafeString type. When you defined SafeString you added some hook/method for ensuring that yes- in fact, someone was passing you a string-like-SafeString object.

I think that the concept of "$N-Like" is the key to understanding what dynamic typing within a language is.

But I've wandered off the track/point - Malicious strings are a bit of a tip of the iceberg when it comes to application design - as of the last few years it's mainly been the concern of WebApp developers who need to worry about cross-site-scripting and other style attacks where you have a large amount of two-way information.

It makes sense to add "Safe" types into frameworks (Django, RoR, Grails, etc) for web application developers. Heck - it might even make sense to create an "EscapedChar" object in the language (python) itself. But in a language that relies on N-Like semantics it makes much more sense to push that up into the implementation of the framework/webapp itself.

The definition of "malicious" is murky at times - some input that might be blanket escaped could be useful and intended for some applications, so it's important that the implementation is flexible enough to take that into account (a String-like-Safe-like-MyString object anyone?)

Now I'm rambling, dangit. I've got to go back to my String java = new JavaProgrammer(); code.

This (for the django interested) is an interesting read as well.