On Friday, 30 August 2024 at 21:23, Peter J. Holzer via Python-list <python-list@python.org> wrote:
> On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
> > I need to write a script that will take some user input (supplied on a
> > website) and then execute a Python script on a host via SSH. I'm
> > curious what the best options are for protecting against malicious
> > input in much the same way as you sanitise SQL to protect against SQL
> > injections.
>
> (Aside: Don't "sanitize" SQL. Use placeholders.)
>
> > I could do it either on the website itself or by doing it on the host
> > machine.
>
> You will have to do it in the web site.
>
> The SSH manual states:
>
> | If supplied, the arguments will be appended to the command, separated by
> | spaces, before it is sent to the server to be executed.
>
> So whether you call
>     ssh myhost print_args a b c
> or
>     ssh myhost print_args a "b c"
> in both cases exactly the same string will be sent to myhost, and it
> won't have any chance to distinguish them.
>
> So you will either have to filter ("sanitize") the arguments or properly
> quote them before invoking SSH.
>
> > If someone has any suggestions I'd appreciate it. If you need more
> > information then please let me know.
>
> First, if there is any chance that your arguments can contain characters
> with meaning to the shell (like an apostrophe in a name), get the
> quoting correct. If you can, transmit those arguments in a different way
> (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).
>
> That removes the SSH-specific problems. There may still be problems with
> the python script on the host.
>
> Then, do all the validation you can on the web server. Reject all
> requests which aren't valid. But be sure to check against the relevant
> specifications, not your prejudices (You may not think that an
> apostrophe in an email address is valid, but it is). Include meaningful
> error messages (not just "input invalid"). Helping your legitimate users
> is more important than slightly inconveniencing an attacker.

Thank you very much. That is very useful.

Simon.
-- https://mail.python.org/mailman/listinfo/python-list
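The argument-joining problem Peter describes, together with the two fixes he suggests (quote each argument before invoking ssh, or send the data on stdin as JSON), as an added Python example that is not code from the thread. It assumes a hypothetical remote program `print_args` and uses a local python process in place of the ssh connection, so it runs offline.

```python
# Added example (not code from the thread): shows why ssh's space-joined
# remote command line cannot tell ["a", "b c"] from ["a", "b", "c"], how
# shlex.quote fixes that, and the "send it on stdin as JSON" alternative.
import json
import shlex
import subprocess
import sys


def remote_command_line(prog, args):
    """What ssh sends to the server: command and arguments joined with
    single spaces, exactly as the manual page quoted in the thread says."""
    return " ".join([prog, *args])


def remote_command_line_quoted(prog, args):
    """Quote every word with shlex.quote before handing it to ssh, so the
    remote login shell splits the line back into the intended words."""
    return " ".join(shlex.quote(word) for word in [prog, *args])


def remote_sees(cmdline):
    """Simulate the remote POSIX shell's word splitting (shlex.split: quoting
    rules only, no operators). Returns None when the shell would reject the
    line outright, e.g. because of an unbalanced apostrophe from a name."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return None


# Stand-in for the script on the host: it reads one JSON document from stdin
# instead of argv, so no shell ever interprets the user data.
REMOTE_SCRIPT = "import json, sys; print(json.dumps(json.load(sys.stdin)['args']))"


def run_with_json_stdin(args):
    """Ship the user data as JSON on stdin. A local python process stands in
    for `ssh myhost python3 remote_script.py` (assumption of this example);
    with real ssh only the argv list changes, the input= stays the same."""
    proc = subprocess.run([sys.executable, "-c", REMOTE_SCRIPT],
                          input=json.dumps({"args": args}),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for args in (["a", "b c"], ["O'Brien"], ["x && y"]):
        print(args, "->", remote_sees(remote_command_line("print_args", args)),
              "| quoted ->", remote_sees(remote_command_line_quoted("print_args", args)))
    print("stdin/JSON ->", run_with_json_stdin(["O'Brien", "b c"]))
```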