
Simon Willison’s Weblog

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet.
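To make the idea concrete, here is an added Ruby sketch (not SafeErb's code, and not from this post) of the taint-before-render rule: untrusted input is wrapped in a `Tainted` class, escaping with `h` yields a `SafeString`, and the renderer raises if a tainted value reaches the output. It models the taint flag with a wrapper rather than Ruby's built-in `String#taint`, which was removed in Ruby 3.2; the `Tainted`, `SafeString`, `h` and `render` names are assumptions of this sketch, and plain string literals are treated as trusted template text.

```ruby
require 'cgi'

# Constructed illustration of the SafeErb rule; not SafeErb's own implementation.
class TaintedRenderError < StandardError; end

# Marker for text that has been escaped (or explicitly untainted) and may be emitted.
class SafeString < String; end

# Wraps data that arrived from outside the application (params, I/O, database).
class Tainted
  attr_reader :raw

  def initialize(raw)
    @raw = raw.to_s
  end

  # The developer vouches for this value: returned unchanged but marked safe.
  # Comment 2 below explains why overusing this defeats the purpose.
  def untaint
    SafeString.new(@raw)
  end

  # Rendering a tainted value directly is the bug SafeErb is designed to catch.
  def to_s
    raise TaintedRenderError, "attempt to render tainted string: #{@raw.inspect}"
  end
end

# HTML-escape any value, tainted or not, and mark the result safe to emit.
def h(value)
  text = value.is_a?(Tainted) ? value.raw : value.to_s
  SafeString.new(CGI.escapeHTML(text))
end

# Minimal template renderer: plain String fragments are the template's own
# literals (assumed trusted), SafeString fragments pass, Tainted fragments raise.
def render(*fragments)
  fragments.map { |frag| frag.is_a?(Tainted) ? frag.to_s : frag.to_s }.join
end

# Constructed request input, e.g. a name submitted through a form.
name = Tainted.new('<script>alert(1)</script>')
SAFE_OUTPUT = render('<p>Hello ', h(name), '</p>')   # escaped, renders fine

begin
  render('<p>Hello ', name, '</p>')                 # forgot h(): raises
rescue TaintedRenderError => e
  CAUGHT_MESSAGE = e.message
end
```

`SAFE_OUTPUT` is `<p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>`, while the unescaped attempt never reaches the browser because the renderer raised first.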


4 comments

  1. This is a rock hard cool idea. Relatively trivial to do in Python, too; just make all read data of type TaintedString with __str__ throwing an exception, and give TaintedString an untaint method. Actually, it'd be better to just bind str to TaintedString...

    sil - 11th January 2008 10:46 - #

  2. Interesting. I just fooled around with this for a little while on a project I am working on.

    The problem is that Rails is bubbling up all sorts of tainted strings. Strings read from any I/O are technically tainted, although for the purposes of Rails it's reasonable to assume that the files that make up the application should be considered "safe". However, Rails isn't untainting them at the source, so methods like "link_to" are tainted because of controller and method declarations and javascript_include_tag is tainted because the names of the scripts have been read from disk.

    In the end, it seems that the solution is almost worse than the problem, because SafeErb inadvertently encourages its users to untaint content that may actually be tainted. In fact, the article you link to does exactly that, so sadly nothing is gained.

    I think it would be incredibly powerful if the Rails Core programmers used SafeErb or something similar, and they untainted the truly safe stuff, leaving SafeErb to help catch all the problems that the application introduces to the system.

    Paul.

    Paul Doerwald - 14th January 2008 22:51 - #

  3. Check out Cross Site Sniper at http://xss.rubyforge.rog/.

    It autoescapes string and text fields in ActiveRecord objects saving you the trouble of wrapping everything in h().

    Easy access to the unescaped string is easily available when needed, but by default, everything potentially dangerous gets escaped.

    Jonathan Garvin - 6th February 2008 23:13 - #

  4. Whoops, that link should have been http://xss.rubyforge.org/

    Jonathan Garvin - 6th February 2008 23:15 - #
