Subject: Re: Sanitise user input for a script
From: Thomas Passin
Newsgroups: comp.lang.python
Date: Fri, 30 Aug 2024 22:35 UTC
References: 1 2
Message-ID: <mailman.19.1725057954.2917.python-list@python.org>
In-Reply-To: <Y_Bag-4OjGfIUUu5xJIzjMhKnizgNZcYAf05yMBQT7n_j-eeooAwDo2e1yVK1FWLbhUeQLmRZ82ywJcyqs13yuDBuejH_fHBxwNHDBRm_1A=@protonmail.com>

On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
> I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the same way as you sanitise SQL to protect against SQL injections.

You should never, never, never "sanitize" SQL. Use prepared statements
instead.

What kind of user input do you expect to get that would need to be
"sanitized"? How are you going to use it such that malicious input might
cause trouble? I hope you aren't planning to exec() it. Are you
expecting a user to send in a script and your server will execute it?
Better read up on sandboxing, then.

If you won't be exec()ing a script, then you can consider creating an
API where each method of the API can only do limited things, and only
with certain parameters, not all of them. The SSH message can include
the name of the method to use.

And follow what Peter Holzer wrote. Don't forget that quoting practices
are not the same between Windows and Linux.

> I could do it either on the website itself or by doing it on the host machine.
>
> I'm thinking of using argparse but I'm aware it does not offer any protection itself.
>
> If someone has any suggestions I'd appreciate it. If you need more information then please let me know.
>
> Simon.
>
>

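The following is an added example, not code from the thread or from either poster, showing one way to build the narrow API that the reply above describes: the remote side sends a method name and a few parameters, each method is limited, and database access binds parameters instead of "sanitising" SQL strings. Everything beyond the reply's advice is an assumption of this example: the request is a JSON object `{"method": ..., "params": {...}}` delivered through `SSH_ORIGINAL_COMMAND` (the variable sshd sets when a key is restricted with a forced `command=`), the method names `lookup_user` and `list_users`, and the SQLite `users` table constructed in `make_db()` for the demonstration. `query_email_unsafe()` is included only as the anti-pattern to contrast with `query_email()`.

```python
"""Added example (not from the original thread): dispatch an SSH-delivered
request to an allowlisted API with validated parameters and bound SQL.

Assumptions not in the original post: JSON request format, the two method
names, SSH_ORIGINAL_COMMAND as the transport, and the sample SQLite data.
"""
import json
import os
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def query_email_unsafe(conn, name):
    """The anti-pattern: input interpolated into SQL. Kept only for contrast."""
    row = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def query_email(conn, name):
    """Bound parameter: the value travels separately from the SQL text, so a
    quote character in `name` is data, never syntax."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


class RequestError(ValueError):
    """Any request the API refuses; the message is returned to the caller."""


# Positive validation: a name is a short lowercase identifier, nothing else.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def _take_params(params, allowed):
    """Reject unknown or missing keys before a handler sees them."""
    if set(params) != set(allowed):
        raise RequestError(f"expected parameters {sorted(allowed)}")
    return params


def lookup_user(conn, params):
    name = _take_params(params, ("name",))["name"]
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise RequestError("invalid name")
    return {"name": name, "email": query_email(conn, name)}


def list_users(conn, params):
    _take_params(params, ())
    rows = conn.execute("SELECT name FROM users ORDER BY name").fetchall()
    return {"users": [r[0] for r in rows]}


# The allowlist. Method names are looked up here, never via getattr() or
# eval(), so a caller can only reach the functions listed explicitly.
API = {"lookup_user": lookup_user, "list_users": list_users}


def handle(conn, raw_request):
    """Parse one request and run it; refusals come back as {"error": ...}."""
    try:
        req = json.loads(raw_request)
        if not isinstance(req, dict):
            raise RequestError("request must be a JSON object")
        method = req.get("method")
        handler = API.get(method) if isinstance(method, str) else None
        if handler is None:
            raise RequestError("unknown method")
        params = req.get("params", {})
        if not isinstance(params, dict):
            raise RequestError("params must be a JSON object")
        return handler(conn, params)
    except json.JSONDecodeError:
        return {"error": "request is not valid JSON"}
    except RequestError as exc:
        return {"error": str(exc)}


def main():
    # Under a forced command, sshd does not run what the client asked for; it
    # runs the configured command and exposes the client's request here.
    raw = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    print(json.dumps(handle(make_db(), raw)))


if __name__ == "__main__":
    main()
```

To wire it up on the host, restrict the key in `~/.ssh/authorized_keys` to something like `command="/usr/bin/python3 /path/to/dispatch.py",no-pty,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA...` (path and key are placeholders), so the client can only ever trigger this script. Because the method name and parameters never pass through a shell, the Windows/Linux quoting difference the reply warns about does not arise; if a handler must run a program, pass an argv list to `subprocess.run()` without `shell=True` rather than assembling a command string.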