Bad actors are there. We need to be very careful with their input.
TL;DR: Sanitize everything that comes from outside your control.
Problems
- Security
Solutions
- Use sanitization and input filtering techniques.
Context
Whenever you get input from an external resource, a security principle requests you to validate and check for potentially harmful inputs.
SQL Injection is a notable example of a threat.
We can also add assertions and invariants to our inputs.
Even better, we can work with Domain Restricted Objects.
Sample Code
Wrong
user_input = "abc123!@#"
# This content might not be very safe if we expect just alphanumeric characters
Right
import re
def sanitize(string):
# Remove any characters that are not letters or numbers
sanitized_string = re.sub(r'[^a-zA-Z0-9]', '', string)
return sanitized_string
user_input = "abc123!@#"
print(sanitize(user_input)) # Output: "abc123"
Detection
[X] Semi-Automatic
We can statically check all the inputs and also we can also use penetration testing tools.
Tags
- Security
Conclusion
We need to be very cautious with the inputs beyond our control.
Relations
More Info
Disclaimer
Code Smells are just my opinion.
Credits
Photo by Jess Zoerb on Unsplash
Companies should make their own enterprise systems as often as network security companies should manufacture their own aspirin.
Phil Simon
This article is part of the CodeSmell Series.
Top comments (2)
Sanitisation can get quite complex when you're stripping invalid characters, but you need to allow users to enter things that aren't in English. By which I guess I mean, don't roll your own, use an existing library for it.
yes. the example is a simple case just to illustrate the concept, as usual