Taint (like in Perl) as a Python module: taint.py
Paul Rubin
Tue Feb 6 03:01:48 EST 2007
"Gabriel Genellina" <gagsl-py at yahoo.com.ar> writes:
> I'm not convinced at all of the usefulness of tainting.
> How do you "untaint" a string? By checking some conditions?
In perl? I don't think you can untaint a string, but you can make a
new untainted string by extracting a regexp match from the tainted
string's contents.
> Let's say, you validate and untaint a string, regarding its future
> usage on a command line, so you assume it's safe to use on os.system
> calls - but perhaps it still contains a sql injection trap (and being
> untainted you use it anyway!).
Well, ok, you didn't check it carefully enough, but at least you made
an attempt. Taint checking is a useful feature in perl.
> Tainting may be useful for a short lived string, one that is used on
> the *same* process as it was created. And in this case, unit testing
> may be a good way to validate the string usage along the program.
Unit testing is completely overrated for security testing. It checks
the paths through the program that you've written tests for. Taint
checking catches errors in paths that you never realized existed.
> - for sql injection, use parametrized queries, don't build SQL
> statements by hand.
> - for html output, use any safe template engine, always quoting inputs.
> - for os.system and similar, validate the command line and arguments
> right before being executed. And so on.
Right, but it's easy to make errors and overlook things, and taint
checking catches a lot of such mistakes.
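As an added illustration of the mechanism discussed above (taint that rides along on string operations and is shed only by extracting a regexp match, with a guard in front of each sink), here is a small Python sketch; it is not the taint.py module from the thread, and the names `Tainted`, `untaint`, `require_untainted` and the sample input are assumptions made for this example.

```python
"""Minimal Perl-style taint tracking, written as an illustration (not taint.py)."""
import re


class TaintError(Exception):
    """Raised when tainted data reaches a sink that must only see clean data."""


class Tainted(str):
    """A str that remembers it came from an untrusted source (argv, request, file)."""

    # Taint propagates through the operations below. Anything not listed here
    # (f-strings, .strip(), .lower(), ...) returns a plain str and silently drops
    # the taint, which is why a real taint module has to wrap every str method.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, template):
        # "cat %s" % tainted: Python tries the subclass's reflected method first.
        return Tainted(str.__mod__(template, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))


def untaint(value, pattern):
    """Perl-style laundering: the only way to get clean data out of a Tainted value
    is to extract a regexp match, which makes the caller state what is valid."""
    match = re.fullmatch(pattern, value)
    if match is None:
        raise ValueError("value does not match the allowed pattern: %r" % (value,))
    return str(match.group(0))  # a new, plain str; the Tainted original is untouched


def require_untainted(value, sink):
    """Guard to call right before a sink such as os.system or cursor.execute."""
    if isinstance(value, Tainted):
        raise TaintError("tainted data reached %s: %r" % (sink, value))
    return value


if __name__ == "__main__":
    command = "cat %s" % Tainted("report 2007.txt")  # constructed untrusted input
    print(type(command).__name__, repr(command))     # still Tainted on every path
    print(untaint(Tainted("report_2007.txt"), r"[A-Za-z0-9_.-]+"))
```

Wrap data at the trust boundary (`Tainted(sys.argv[1])`, a form field) and call `require_untainted` immediately before each sink; the guard fires on whichever code path carried the value there, tested or not.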