Sanitizing input

First, I'm sorry if this has been brought up before.. and I haven't done any googling on the subject because it's completely over my head and I'm not sure where to start.

But I'm curious and wanted a bit of quick advice on the topic of sanitizing input for security.

Are there standard ways of doing this? Is there any documentation on it?

Are there libraries which help with this kind of thing?

I ask because an internal rails app at work broke horribly and mysteriously.. all because of a single quote in a text field. Whoops, it was a new feature that was rushed out. (testing, what's that?)

That's bad enough, but if it were a public-facing application it feels as though this kind of thing is a hole which could be abused.

I know there are some basic security settings for Ruby itself which would come in handy for sandboxing off certain parts, but my intuition still says that there's a problem which could be solved.

Is there a problem? If so, how can it be solved?

> First, I'm sorry if this has been brought up before.. and I haven't done
> any googling on the subject because it's completely over my head and I'm
> not sure where to start.
>
> But I'm curious and wanted a bit of quick advice on the topic of
> sanitizing input for security.

Sanitizing for what purpose? Typically sanitization is a concern if you are
taking user input and passing it through some interpreter, such as:

- Ruby (e.g. with eval)
- browser (e.g. delivered as part of a page from a web app)
- SQL (e.g. sent as part of a database query)
- shell (e.g. used as an argument to an external command)

That's obviously only a partial list. Importantly, there is a different
definition of what is "dangerous" and should be sanitized for each
interpreter.

> Are there standard ways of doing this? Is there any documentation on it?
>
> Are there libraries which help with this kind of thing?

Rails provides decent SQL sanitization and overzealous HTML sanitization.
They are pretty well documented.

> I ask because an internal rails app at work broke horribly and
> mysteriously.. all because of a single quote in a text field. Whoops,
> it was a new feature that was rushed out. (testing, what's that?)
>
> That's bad enough, but if it were a public-facing application it feels
> as though this kind of thing is a hole which could be abused.

That's why you need to actually know your libraries.

> I know there are some basic security settings for Ruby itself which
> would come in handy for sandboxing off certain parts, but my intuition
> still says that there's a problem which could be solved.
>
> Is there a problem? If so, how can it be solved?

There is no general, perfect way to solve the problem. There are good ways
for each given interpreter. Rails already has decent builtin methods. Use
them.

--Greg

On Fri, Jul 13, 2007 at 02:14:33AM +0900, sy1234 wrote:
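Added example, not part of the thread above and not Greg's or Rails' code: a stand-alone Ruby script showing the point Greg makes, that each interpreter (SQL, browser, shell, Ruby itself) has its own escaping rule, and why the single quote in the original poster's text field broke the app. The SQL helpers `sql_literal` and `bind_sql` are an illustrative stand-in for the quoting ActiveRecord applies behind a `?` placeholder (`:conditions => ["name = ?", name]` in Rails of that era); in a real app you use the framework's placeholder binding and the `h()` view helper rather than these. The sample inputs are constructed for the demo.

```ruby
require 'erb'
require 'shellwords'

# Constructed sample inputs: a text-field value with the single quote that
# broke the app in the thread, and a markup payload for the HTML case.
SAMPLE_NAME = "O'Brien"
SAMPLE_HTML = "<script>alert('xss')</script>"

# ---- SQL interpreter -------------------------------------------------------

# The broken pattern: string interpolation.  The embedded quote terminates the
# literal early; the statement is now malformed (or, with a crafted value,
# means something else entirely).
def naive_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# SQL's own escaping rule for string literals: double every embedded single
# quote.  Illustrative stand-in for the quoting ActiveRecord applies behind a
# ? placeholder; it is not Rails' code.
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each ? in the template with a quoted literal.  Values never touch
# the template itself, so a ? inside a value is not re-expanded.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  queue = values.dup
  template.gsub("?") { sql_literal(queue.shift) }
end

# Crude check used only to make the breakage visible: a statement built from
# complete string literals contains an even number of single quotes.
def quotes_balanced?(sql)
  sql.count("'").even?
end

# ---- HTML interpreter (the browser) ----------------------------------------

# A different rule from SQL's: & < > " ' become entities.  Rails' h() view
# helper does the same thing.
def html_text(value)
  ERB::Util.html_escape(value)
end

# ---- shell interpreter -----------------------------------------------------

# A third rule again: backslash-escape shell metacharacters.  Preferable in
# practice is system("grep", "-r", name, "."), which skips the shell entirely.
def shell_command(name)
  "grep -r #{Shellwords.escape(name)} ."
end

# ---- Ruby interpreter (eval) -----------------------------------------------

# No escaping makes eval safe.  Parse the value into the type you need
# instead; anything that is not an integer is rejected, never executed.
def parse_count(input)
  Integer(input)
rescue ArgumentError, TypeError
  nil
end

if __FILE__ == $0
  puts naive_sql(SAMPLE_NAME)                                        # 'O'Brien'  (broken)
  puts bind_sql("SELECT * FROM users WHERE name = ?", SAMPLE_NAME)   # 'O''Brien' (bound)
  puts html_text(SAMPLE_HTML)
  puts shell_command(SAMPLE_NAME)
  p parse_count("42"), parse_count("42; system('rm -rf /')")
end
```

Note that the escapings are not interchangeable: HTML-escaping a name before it reaches SQL stores `O&#39;Brien` in the database instead of the real name, and SQL-quoting a value before it reaches the browser leaves `<script>` intact. Escape at the boundary where the value enters each interpreter, with that interpreter's rule, and let the framework do it.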