Re: [PHP-DEV] Literal / Taint checking

  106626
August 15, 2019 18:05 kontakt@beberlei.de (Benjamin Eberlei)
On Thu, Aug 15, 2019 at 8:03 PM Craig Francis <craig@craigfrancis.co.uk>
wrote:

> Hi,
>
> How likely would it be for PHP to do Literal tracking of variables?
>
> This is something that's being discussed at JavaScript TC39 at the moment [1],
> and I think it would be even more useful in PHP.
>
> We already know we should use parameterized/prepared SQL, but there is no
> way to prove the SQL string hasn't been tainted by external data in large
> projects, or even in an ORM.
>
> This could also work for templating systems (blocking HTML injection) and
> commands.
>
> Internally it would need to introduce a flag on every variable, and a
> single function to check if a given variable has only been created by
> Literal(s).
>
> Unlike the taint extension, there should be no way to override this (e.g.
> no taint/untaint functions); and if it was part of the core language, it
> will continue to work after every update.
>
> One day certain functions (e.g. mysqli_query) might use this information to
> generate an error/warning/notice; but for now, having it available for
> checking would be more than enough.
>
> Craig
>

It is an interesting topic indeed! I remember that laruence wrote an
extension for this a while ago, I have never tried it myself though. You can
find it here: https://github.com/laruence/taint

>
> public function exec($sql, $parameters = []) {
>     if (!is_literal($sql)) {
>         throw new Exception('SQL must be a literal.');
>     }
>     $statement = $this->pdo->prepare($sql);
>     $statement->execute($parameters);
>     return $statement->fetchAll();
> }
>
> ...
>
> $sql = 'SELECT * FROM table WHERE id = ?';
>
> $result = $db->exec($sql, [$id]);
>
>
>
> [1] https://github.com/tc39/proposal-array-is-template-object
> https://github.com/mikewest/tc39-proposal-literals
>
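An added illustration of the "literal only" discipline the quoted proposal describes, written as a userland approximation; it is not code from this thread, from the taint extension, or from PHP itself. PHP has no per-variable literal flag, so a small LiteralSql value object stands in for the proposed is_literal() check, the Db wrapper mirrors the shape of the exec() method quoted above, and the class names, the in-memory SQLite table and the sample input are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Userland stand-in for the proposed per-variable literal flag (example code,
// not from the thread): a LiteralSql can only be created through of() and only
// ever grows by concatenating other LiteralSql values, so a string that was
// assembled from request data never acquires the type.
final class LiteralSql
{
    private function __construct(private string $sql) {}

    // Assumption: callers pass a hard-coded string here. The class cannot verify
    // that by itself, which is exactly the gap an engine-level flag would close.
    public static function of(string $literal): self
    {
        return new self($literal);
    }

    // ORM-style composition: fragments may be joined, but only literal ones.
    public function concat(LiteralSql ...$parts): self
    {
        $sql = $this->sql;
        foreach ($parts as $part) {
            $sql .= $part->sql;
        }
        return new self($sql);
    }

    public function toString(): string
    {
        return $this->sql;
    }
}

// Same shape as the exec() quoted above, but the "must be a literal" rule is
// enforced by the parameter type instead of an is_literal() call.
final class Db
{
    public function __construct(private PDO $pdo) {}

    /** @return list<array<string,mixed>> */
    public function exec(LiteralSql $sql, array $parameters = []): array
    {
        $statement = $this->pdo->prepare($sql->toString());
        $statement->execute($parameters);
        return $statement->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
$db = new Db($pdo);

// Constructed request input; in a real application this would come from $_GET.
$untrustedId = '1 OR 1=1';

// 1. Literal query with the value bound as a parameter: accepted, and the
//    input is compared as data rather than parsed as SQL.
$rows = $db->exec(LiteralSql::of('SELECT id, name FROM users WHERE id = ?'), [$untrustedId]);
var_dump($rows);

// 2. Query composed only from literal fragments: still accepted.
$orderBy = LiteralSql::of(' ORDER BY name DESC');
$query   = LiteralSql::of('SELECT id, name FROM users WHERE id > ?')->concat($orderBy);
var_dump(array_column($db->exec($query, [0]), 'name'));

// 3. Query string assembled with untrusted data: rejected before prepare() runs.
try {
    $db->exec('SELECT id, name FROM users WHERE id = ' . $untrustedId);
} catch (TypeError $e) {
    echo "rejected: a plain string is not a LiteralSql\n";
}
```

The type gate catches the third case at the boundary the proposal cares about: the moment a non-literal string reaches the query API. What it cannot catch is a developer calling LiteralSql::of() on a string that already contains request data, which is the userland equivalent of the untaint escape hatch the proposal wants to remove; only a flag maintained by the engine, with no way to set it from userland, closes that hole.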
  106627
August 15, 2019 18:18 craig@craigfrancis.co.uk (Craig Francis)
On Thu, 15 Aug 2019 at 19:05, Benjamin Eberlei <kontakt@beberlei.de> wrote:

> On Thu, Aug 15, 2019 at 8:03 PM Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>
>> Hi,
>>
>> How likely would it be for PHP to do Literal tracking of variables?
>>
>> This is something that's being discussed at JavaScript TC39 at the moment
>> [1],
>> and I think it would be even more useful in PHP.
>>
>> We already know we should use parameterized/prepared SQL, but there is no
>> way to prove the SQL string hasn't been tainted by external data in large
>> projects, or even in an ORM.
>>
>> This could also work for templating systems (blocking HTML injection) and
>> commands.
>>
>> Internally it would need to introduce a flag on every variable, and a
>> single function to check if a given variable has only been created by
>> Literal(s).
>>
>> Unlike the taint extension, there should be no way to override this (e.g.
>> no taint/untaint functions); and if it was part of the core language, it
>> will continue to work after every update.
>>
>> One day certain functions (e.g. mysqli_query) might use this information
>> to
>> generate an error/warning/notice; but for now, having it available for
>> checking would be more than enough.
>>
>> Craig
>>
>>
> It is an interesting topic indeed! I remember that laruence wrote an
> extension for this a while ago, I have never tried it myself though. You
> can find it here: https://github.com/laruence/taint
>
>
Thanks, I've been using that extension for a few years - laruence has done a fantastic job with it. But it can be a bit buggy; and due to it being a taint based system, with the ability to taint/untaint, it introduces some problems. https://github.com/laruence/taint/issues/54