[Haskell-beginners] Type checking to prevent data injection attacks?

Kyle Murphy orclev at gmail.com
Fri Dec 21 22:52:34 CET 2012


The approach Perl takes can be traced back to its origin as a
scripting language for systems programming. In that context it makes
sense as a simple safety system to help prevent basic injection
attacks on often hastily and poorly constructed scripts. Further
reason for the "tainted" flag lies in the incredibly poor type system
in Perl (so much so Perl doesn't even distinguish between strings,
integers, or floats). Very little in Haskell is vulnerable to any kind
of injection attack; there is for instance no real equivalent of the
eval function that's the source of the majority of Perl's problems. In
general, in those few areas that are vulnerable to injection (things like
templating systems, SQL queries, etc.) it's generally better to
perform whatever escaping is necessary at that point, as the proper
way to sanitize a string will largely depend on the context in which
it's being used (i.e. what's a proper sanitization for a SQL query
would be inappropriate for an HTML form and vice versa). Most sane
libraries in Haskell will default to escaping appropriate values in
their inputs, and give the programmer explicit access to bypass that
sanitization if he has specific reason to want to do so, and it is
then his responsibility to ensure that the inputs are properly
sanitized.

If you really wanted to do something equivalent, it would be a simple
matter of creating a TaintedString type that just wraps an existing
String, and then a series of functions to "untaint" instances of
TaintedString. Ultimately though, I feel it would be an awful lot of
work for very little gain. Anything in your application that's
vulnerable to injection attacks should escape its inputs, no matter
what the source is.

-R. Kyle Murphy
--
Curiosity was framed, Ignorance killed the cat.


On Fri, Dec 21, 2012 at 4:31 PM, Mike Meyer <mwm at mired.org> wrote:
> On Fri, Dec 21, 2012 at 3:15 PM, Erik de Castro Lopo
> <mle+hs at mega-nerd.com> wrote:
>> Mike Meyer wrote:
>>> Is there already a Haskell package that does this? Possibly part of a
>>> web framework?
>> I've been using Esqueleto (an SQL EDSL) and it sanitizes/quotes
>> all values while constructing SQL queries.
>
> From that description, this is actually different from what I'm
> talking about. It's typical for SQL packages even in dynamic
> languages.
>
> What I have in mind is that the query (with placeholders for the
> values) would have to be a string constant (provided by the
> programmer) or flagged as "checked and not tainted" by the programmer,
> otherwise trying to run the query would fail to type check.
>
> If you have a system where you want to let the user select the column
> names in the query, then SQL placeholders/sanitation may not work -
> you need to build the query string "by hand". Being able to use the
> type checking system to ensure that no string gets used that hasn't
> been sanitized would be nice.
>
> _______________________________________________
> Beginners mailing list
> Beginners at haskell.org
> http://www.haskell.org/mailman/listinfo/beginners
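As an added illustration of the TaintedString wrapper Kyle describes and the "string constant or flagged as checked, otherwise it won't type check" rule Mike has in mind, here is a small phantom-type sketch written for this page (it is not code from either poster; every name in it is hypothetical and the allow-list and inputs are constructed). The column-name case is the one Mike raises, where placeholders cannot help and the string has to be spliced by hand:

```haskell
-- Added example, not from the mailing-list post. All names are hypothetical.
module TaintExample where

import Data.Char (isAlphaNum)

-- Phantom tags. A 'Str Tainted' came from the outside world; a
-- 'Str Checked' was either written by the programmer as a literal or
-- has passed through a validator.
data Tainted
data Checked

newtype Str tag = Str String deriving (Show, Eq)

-- The only way to obtain a Tainted value: mark anything read from a
-- form, the network, argv, a file, etc.
fromInput :: String -> Str Tainted
fromInput = Str

-- Programmer-supplied constants are trusted by construction.
literal :: String -> Str Checked
literal = Str

-- The sole bridge from Tainted to Checked for column names. It is
-- deliberately strict: the value must be on an allow-list and consist
-- only of identifier characters. Escaping would be the wrong tool here,
-- because a column name is not a quoted SQL value.
asColumnName :: [String] -> Str Tainted -> Either String (Str Checked)
asColumnName allowed (Str s)
  | s `elem` allowed && all isIdentChar s = Right (Str s)
  | otherwise = Left ("rejected column name: " ++ show s)
  where
    isIdentChar c = isAlphaNum c || c == '_'

-- A query can only be assembled from Checked pieces. Handing it a raw
-- 'Str Tainted' is a compile-time type error, which is exactly the
-- property the thread asks for. The '?' is an ordinary placeholder for
-- the value, which the database driver binds separately.
newtype Query = Query String deriving Show

selectByColumn :: Str Checked -> Str Checked -> Query
selectByColumn (Str col) (Str tbl) =
  Query ("SELECT " ++ col ++ " FROM " ++ tbl ++ " WHERE id = ?")

-- Demonstration with constructed input.
demo :: IO ()
demo = do
  let allowedCols = ["name", "email"]
      userChoice  = fromInput "email"           -- constructed: a form field
      badChoice   = fromInput "email, password" -- constructed: not on the list
  case asColumnName allowedCols userChoice of
    Right col -> print (selectByColumn col (literal "users"))
    Left err  -> putStrLn err
  case asColumnName allowedCols badChoice of
    Right col -> print (selectByColumn col (literal "users"))
    Left err  -> putStrLn err
  -- The following line would not compile, because 'userChoice' has
  -- type 'Str Tainted' and 'selectByColumn' demands 'Str Checked':
  --   print (selectByColumn userChoice (literal "users"))

main :: IO ()
main = demo
```

The point of the design is that the validator is the only function whose signature goes from Tainted to Checked, so a code review of "who can untaint" reduces to grepping for that one type signature; anything else that tries to splice outside input into a query fails at compile time rather than at run time.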
