I'm working on a web app where users will be able to supply strings that the server will then substitute variables into. Preferably I'd like to use PEP 3101 format() syntax and I'm looking at the feasibility of overriding methods in Formatter to make it secure for untrusted input.
Here are the risks I can see with .format() as it stands:

'{:>9999999999}'.format(..) could run the server out of memory and be a DOS. I'd need to disable this.

getattr() that has side effects or returns something secret. I would whitelist attribute/index access by overriding get_field().

My assumptions are:
What are your thoughts? Possible? Impossible? Merely unwise?
Edit: Armin Ronacher outlines a nasty information leak if you don't filter out dunder variable access, but seems to regard securing format() as feasible:
{local_foo.__init__.__globals__[secret_global]}
Be Careful with Python's New-Style String Format | Armin Ronacher's Thoughts and Writings
Personally, I didn't actually go the untrusted format() route in my product, but am updating for the sake of completeness.
Uncontrolled format string is a type of software vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code.
Python's f-strings are actually safer. String formatting may be dangerous when a format string depends on untrusted data. So, when using str.format() or %-formatting, it's important to use static format strings, or to sanitize untrusted parts before applying the formatter function.
In Java, the String format() method returns a formatted string using the given locale, specified format string, and arguments. We can concatenate the strings using this method and at the same time, we can format the output concatenated string.
Python uses C-style string formatting to create new, formatted strings. The "%" operator is used to format a set of variables enclosed in a "tuple" (a fixed size list), together with a format string, which contains normal text together with "argument specifiers", special symbols like "%s" and "%d".
Good instinct. Yes, an attacker being able to supply an arbitrary format string is a vulnerability under Python.

Object parent class has any useful information. The object supplied to the format would have to contain something sensitive. In any case, this type of notation can be limited with a regular expression. Look over the Python format string specification and forbid functionality you don't want the user to have with a regex.
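The hardening sketched in the question (overriding get_field() to refuse attribute/index traversal, disabling huge widths) and in the answer (forbidding unwanted format-spec features with a regex) can be put together in one string.Formatter subclass. The following is an added example, not code from the question, the answer or Armin Ronacher's post. The names SafeFormatter, UntrustedFormatError, render and demo are hypothetical, MAX_WIDTH is a constructed limit, and the sample values are constructed; the design assumption is that the server exposes exactly the keyword arguments it passes to render() and nothing reachable from them.

```python
import re
import string

# Constructed limit: largest width or precision a user template may request,
# which blocks the '{:>9999999999}' memory-exhaustion case from the question.
MAX_WIDTH = 200

# Whitelisted subset of the format-spec mini-language: optional fill+align,
# width, precision and a few presentation types. Anything else is rejected.
_SPEC_RE = re.compile(
    r"^(?:(?P<fill>.)?(?P<align>[<>^]))?"
    r"(?P<width>\d+)?"
    r"(?:\.(?P<precision>\d+))?"
    r"(?P<type>[sdfx])?$"
)


class UntrustedFormatError(ValueError):
    """Raised when a user-supplied template asks for something not allowed."""


class SafeFormatter(string.Formatter):
    """string.Formatter hardened for untrusted templates (hypothetical name).

    Only plain identifiers that name a keyword argument are resolvable: no
    attribute or index traversal, no positional fields, no dunders, no
    conversions, and width/precision are capped.
    """

    def get_field(self, field_name, args, kwargs):
        # 'name.__init__.__globals__[x]', 'name[0]' and '0' all fail the
        # identifier test, so getattr()/__getitem__ are never reached.
        if not field_name.isidentifier() or field_name.startswith("_"):
            raise UntrustedFormatError(f"field not allowed: {field_name!r}")
        if field_name not in kwargs:
            raise UntrustedFormatError(f"unknown field: {field_name!r}")
        return kwargs[field_name], field_name

    def convert_field(self, value, conversion):
        # Disallow '!r', '!s', '!a' so repr() of server objects is not exposed.
        if conversion is not None:
            raise UntrustedFormatError(f"conversion not allowed: !{conversion}")
        return value

    def format_field(self, value, format_spec):
        # The spec arrives here with any nested '{...}' already resolved
        # through get_field(), so the whitelist applies to the final spec.
        match = _SPEC_RE.match(format_spec)
        if match is None:
            raise UntrustedFormatError(f"format spec not allowed: {format_spec!r}")
        for part in ("width", "precision"):
            digits = match.group(part)
            if digits is not None and int(digits) > MAX_WIDTH:
                raise UntrustedFormatError(f"{part} too large: {digits}")
        try:
            return format(value, format_spec)
        except ValueError as exc:  # e.g. 'd' applied to a str value
            raise UntrustedFormatError(str(exc)) from None


def render(template, **values):
    """Render an untrusted template against server-controlled values only."""
    try:
        return SafeFormatter().format(template, **values)
    except UntrustedFormatError:
        raise
    except ValueError as exc:  # malformed braces reported by Formatter.parse()
        raise UntrustedFormatError(f"malformed template: {exc}") from None


def demo():
    """Constructed sample: one benign template and the payloads from the thread."""
    values = {"name": "alice", "balance": 12.5}
    results = {"ok": render("Hello {name:>10}! Balance: {balance:.2f}", **values)}
    for bad in (
        "{:>9999999999}",                  # anonymous positional field
        "{name:>9999999999}",              # width over MAX_WIDTH
        "{name.__init__.__globals__[x]}",  # dunder traversal from Ronacher's post
        "{name[0]}",                       # index access
        "{name!r}",                        # conversion
        "{secret}",                        # name the server did not expose
        "{name",                           # malformed template
    ):
        try:
            render(bad, **values)
            results[bad] = "accepted"
        except UntrustedFormatError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for template, outcome in demo().items():
        print(f"{template!r:40} -> {outcome}")
```

The check in get_field() runs before any attribute lookup, so a dunder chain is rejected by name and never triggers getattr(); the width cap is enforced in format_field() before format() allocates anything, and nested specs such as '{name:{width}}' are resolved through the same get_field() and then checked as a whole.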