Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
I need to write a script that will take some user input (supplied on a website) 
and then execute a Python script on a host via SSH. I'm curious what the best 
options are for protecting against malicious input in much the same way as you 
sanitise SQL to protect against SQL injections.

I could do it either on the website itself or by doing it on the host machine.

I'm thinking of using argparse but I'm aware it does not offer any protection 
itself.

If someone has any suggestions I'd appreciate it. If you need more information 
then please let me know.

Simon.

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Sanitise user input for a script

2024-08-30 Thread Peter J. Holzer via Python-list
On 2024-08-30 19:18:29 +, Simon Connah via Python-list wrote:
> I need to write a script that will take some user input (supplied on a
> website) and then execute a Python script on a host via SSH. I'm
> curious what the best options are for protecting against malicious
> input in much the smae way as you sanitise SQL to protect against SQL
> injections.

(Aside: Don't "sanitize" SQL. Use placeholders.)


> I could do it either on the website itself or by doing it on the host
> machine.

You will have to do it in the web site.

The SSH manual states:

| If supplied, the arguments will be appended to the command, separated by
| spaces, before it is sent to the server to be executed.

So whether you call 
ssh myhost print_args a b c
or
ssh myhost print_args a "b c"
in both cases exactly the same string will be sent to myhost, and it
won't have any chance to distinguish them.

So you will either have to filter ("sanitize") the arguments or properly
quote them before invoking SSH.

> If someone has any suggestions I'd appreciated it. If you need more
> information then please let me know.

First, if there is any chance that your arguments can contain characters
with meaning to the shell (like an apostrophe in a name), get the
quoting correct. If you can, transmit those arguments in a different way
(e.g. as input, maybe just nul-separated, maybe as JSON, or whatever). 

That removes the SSH-specific problems. There may still be problems with
the python script on the host.

Then, do all the validation you can on the web server. Reject all
requests which aren't valid. But be sure to check against the relevant
specifications, not your prejudices (You may not think that an
apostrophe in an email address is valid, but it is). Include meaningful
error messages (not just "input invalid"). Helping your legitimate users
is more important than slightly inconveniencing an attacker.

hp


-- 
   _  | Peter J. Holzer| Story must make more sense than reality.
|_|_) ||
| |   | h...@hjp.at |-- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |   challenge!"


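The argument-concatenation point Peter makes above, as an added example (not code from the thread): the two unquoted calls collapse into one string, while quoting each argument with shlex.quote on the web-server side lets the remote shell recover the intended argv. It assumes the remote login shell is a POSIX sh; myhost and print_args are the placeholder names from Peter's message.

```python
import shlex

# Added example (not from the thread): what "the arguments will be appended to
# the command, separated by spaces" means in practice, and how quoting each
# argument with shlex.quote on the web-server side keeps the remote argv intact.
# The remote login shell is assumed to be a POSIX sh; myhost and print_args are
# the placeholder names from Peter's message.

def remote_command(args):
    """The single string sshd hands to the remote shell when the web server runs
    ssh myhost <args...> without quoting anything itself."""
    return " ".join(args)

def remote_command_quoted(args):
    """Same, but each argument is quoted for a POSIX shell first."""
    return " ".join(shlex.quote(a) for a in args)

def remote_argv(command_string):
    """The argv the remote POSIX shell produces by word-splitting that string."""
    return shlex.split(command_string)

def ssh_argv(host, args):
    """Local argv for subprocess.run(): list form, so no local shell is involved."""
    return ["ssh", host, remote_command_quoted(args)]

if __name__ == "__main__":
    a = ["print_args", "a", "b", "c"]
    b = ["print_args", "a", "b c"]
    # Unquoted, both calls collapse into the same string, so the host cannot
    # tell them apart.
    print(remote_command(a) == remote_command(b))            # True
    # Quoted, the remote shell recovers exactly the argv the web server sent,
    # apostrophes and embedded double quotes included.
    name = ["print_args", "O'Brien", 'say "hi"', "b c"]
    print(remote_argv(remote_command_quoted(name)) == name)  # True
    print(ssh_argv("myhost", name))
```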


Re: Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
On Friday, 30 August 2024 at 21:23, Peter J. Holzer via Python-list wrote:

> On 2024-08-30 19:18:29 +, Simon Connah via Python-list wrote:
> > I need to write a script that will take some user input (supplied on a
> > website) and then execute a Python script on a host via SSH. I'm
> > curious what the best options are for protecting against malicious
> > input in much the same way as you sanitise SQL to protect against SQL
> > injections.
>
> (Aside: Don't "sanitize" SQL. Use placeholders.)
>
> > I could do it either on the website itself or by doing it on the host
> > machine.
>
> You will have to do it in the web site.
>
> The SSH manual states:
>
> | If supplied, the arguments will be appended to the command, separated by
> | spaces, before it is sent to the server to be executed.
>
> So whether you call
> ssh myhost print_args a b c
> or
> ssh myhost print_args a "b c"
> in both cases exactly the same string will be sent to myhost, and it
> won't have any chance to distinguish them.
>
> So you will either have to filter ("sanitize") the arguments or properly
> quote them before invoking SSH.
>
> > If someone has any suggestions I'd appreciate it. If you need more
> > information then please let me know.
>
> First, if there is any chance that your arguments can contain characters
> with meaning to the shell (like an apostrophe in a name), get the
> quoting correct. If you can, transmit those arguments in a different way
> (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).
>
> That removes the SSH-specific problems. There may still be problems with
> the python script on the host.
>
> Then, do all the validation you can on the web server. Reject all
> requests which aren't valid. But be sure to check against the relevant
> specifications, not your prejudices (You may not think that an
> apostrophe in an email address is valid, but it is). Include meaningful
> error messages (not just "input invalid"). Helping your legitimate users
> is more important than slightly inconveniencing an attacker.


Thank you very much. That is very useful.

Simon.



Re: Sanitise user input for a script

2024-08-30 Thread Thomas Passin via Python-list

On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
> I need to write a script that will take some user input (supplied on a website) 
> and then execute a Python script on a host via SSH. I'm curious what the best 
> options are for protecting against malicious input in much the same way as you 
> sanitise SQL to protect against SQL injections.

You should never, never, never "sanitize" SQL. Use prepared statements 
instead.

What kind of user input do you expect to get that would need to be 
"sanitized"? How are you going to use it such that malicious input might 
cause trouble? I hope you aren't planning to exec() it. Are you 
expecting a user to send in a script and your server will execute it? 
Better read up on sandboxing, then.

If you won't be exec()ing a script, then you can consider creating an 
API where each method of the API can only do limited things, and only 
with certain parameters, not all of them. The SSH message can include 
the name of the method to use.

And follow what Peter Holzer wrote. Don't forget that quoting practices 
are not the same between Windows and Linux.

> I could do it either on the website itself or by doing it on the host machine.
>
> I'm thinking of using argparse but I'm aware it does not offer any protection 
> itself.
>
> If someone has any suggestions I'd appreciate it. If you need more information 
> then please let me know.
>
> Simon.






ListAdmin: Is list/archive working correctly?

2024-08-30 Thread dn via Python-list
For example, have been following the thread "Is there a better way? 
[combining f-string, thousands separator, right align]".



My email (only) client shows a thread of 12 messages.

The OP was @Gilmeh Serda (from an invalid email address). That appears 
in the email thread


@Stefan Ram has had two contributions quoted, but no such 
original-message has appeared in the thread.



The archive is only showing seven contributions (for some reason Grant's 
recent contribution under the different subject line: "Formatting a str 
as a number" appears separately, even though it threads as the same 
conversation in email)


None of the OP's contributions appear!


IIRC the design has been that it doesn't matter if a contribution comes 
from the Newsgroup or the email Discussion List, they are treated the 
same. Are Newsgroup contributions being archived (were they ever)?


Is it user-error that some contributions don't appear on the list, but 
do appear in replies, or is there perhaps some other cause?


--
Regards,
=dn


Re: Sanitise user input for a script

2024-08-30 Thread Simon Connah via Python-list
On Friday, 30 August 2024 at 23:35, Thomas Passin via Python-list wrote:

> On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
> > I need to write a script that will take some user input (supplied on a 
> > website) and then execute a Python script on a host via SSH. I'm curious 
> > what the best options are for protecting against malicious input in much 
> > the same way as you sanitise SQL to protect against SQL injections.
>
> You should never, never, never "sanitize" SQL. Use prepared statements
> instead.

Yes. Sorry. I forgot what it was called and accidentally called it sanitising 
instead but I'm using prepared statements in psycopg 3 for SQL.

> What kind of user input do you expect to get that would need to be
> "sanitized"? How are you going to use it such that malicious input might
> cause trouble? I hope you aren't planning to exec() it. Are you
> expecting a user to send in a script and your server will execute it?
> Better read up on sandboxing, then.

No. I'm not planning on exec()ing a random script. I have a prepared Python script 
which configures various things. The web server connects to the server via SSH 
and runs my Python script which then runs commands like bhyve (FreeBSD) and it 
also does things like configure the firewall config file to change firewall 
rules. The customer has no direct access to the Python script.

In terms of arguments the script that deals with bhyve for instance takes 
arguments such as CPU count and RAM amount.

> If you won't be exec()ing a script, then you can consider creating an
> API where each method of the API can only do limited things, and only
> with certain parameters, not all of them. The SSH message can include
> the name of the method to use.
>
> And follow what Peter Holzer wrote. Don't forget that quoting practices
> are not the same between Windows and Linux.

Thank you. I'll look into this. Makes sense.

> > I could do it either on the website itself or by doing it on the host 
> > machine.
> >
> > I'm thinking of using argparse but I'm aware it does not offer any 
> > protection itself.
> >
> > If someone has any suggestions I'd appreciate it. If you need more 
> > information then please let me know.
> >
> > Simon.

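Thomas's suggestion of an API whose methods can only do limited things with limited parameters, applied to the CPU-count and RAM arguments Simon describes, as an added example (not Simon's script or anything from the thread). It assumes the web server sends one JSON object on the SSH session's stdin rather than as command arguments, so nothing user-supplied is ever word-split by the remote shell; the method names, parameter names and limits are made up for the example, and the functions return a validated plan instead of invoking bhyve.

```python
import json
import re

# Added example (not Simon's script): a host-side dispatcher in the style Thomas
# suggests. The web server sends one JSON object on the SSH session's stdin
# (e.g. ssh vmhost /usr/local/bin/vm-api < request.json), so no user value
# ever passes through the remote shell's word splitting. Limits are assumed.
MAX_CPUS = 16
MAX_RAM_MB = 65536

class RequestError(ValueError):
    """Carries a message specific enough to help a legitimate user fix the request."""

def _int_in_range(params, name, lo, hi):
    value = params.get(name)
    if not isinstance(value, int) or isinstance(value, bool):
        raise RequestError(f"{name!r} must be an integer, got {value!r}")
    if not lo <= value <= hi:
        raise RequestError(f"{name!r} must be between {lo} and {hi}, got {value}")
    return value

def create_vm(params):
    cpus = _int_in_range(params, "cpus", 1, MAX_CPUS)
    ram_mb = _int_in_range(params, "ram_mb", 128, MAX_RAM_MB)
    # A real script would pass these to bhyve as a list argv via subprocess.
    return {"action": "create_vm", "cpus": cpus, "ram_mb": ram_mb}

def stop_vm(params):
    name = params.get("name")
    if not isinstance(name, str) or not re.fullmatch(r"[a-z0-9-]{1,32}", name):
        raise RequestError("'name' must be 1-32 lowercase letters, digits or dashes")
    return {"action": "stop_vm", "name": name}

METHODS = {"create_vm": create_vm, "stop_vm": stop_vm}   # the only reachable methods

def dispatch(raw_request):
    """Parse one JSON request and run exactly one whitelisted method."""
    try:
        request = json.loads(raw_request)
    except json.JSONDecodeError as e:
        raise RequestError(f"request is not valid JSON: {e}") from None
    if not isinstance(request, dict):
        raise RequestError("request must be a JSON object")
    name = request.get("method")
    if not isinstance(name, str) or name not in METHODS:
        raise RequestError(f"unknown method {name!r}")
    params = request.get("params", {})
    if not isinstance(params, dict):
        raise RequestError("'params' must be a JSON object")
    return METHODS[name](params)
```

Wiring it up is `print(json.dumps(dispatch(sys.stdin.read())))` inside a try/except that reports the RequestError message, so the web side can show the user what to fix.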