A4 portrait - PET: Python Entre Todos - Python Argentina
If you have access to the function or method definition, for example if it is part of your codebase, the decorator can be applied using Python's syntactic sugar:

    @untrusted
    def from_the_outside():
        ...
When using third-party modules, we can still apply the decorator. The next example is from a program written using the web.py framework:

    import web
    web.input = untrusted(web.input)
ssink

The ssink decorator must be used to mark those functions or methods that we do not want tainted values to reach. We call them sensitive sinks.

Each of these sinks is sensitive to a kind of vulnerability, and that kind must be specified when the decorator is used.

For example, Python's eval function is a sensitive sink for Interpreter Injection attacks. We mark it as such like this:

    eval = ssink(II)(eval)
The web.py framework offers examples of SQL Injection sensitive sinks:

    import web
    db = web.database(dbn="sqlite", db=DB_NAME)
    db.delete = ssink(SQLI)(db.delete)
    db.select = ssink(SQLI)(db.select)
    db.insert = ssink(SQLI)(db.insert)
Like the rest of the decorators, if the sensitive sink is defined in our own code we can use the syntactic sugar:

    @ssink(XSS)
    def render_answer(input):
        ...
The decorator can also be used without specifying a vulnerability. In this case the sink is marked as sensitive to every kind of vulnerability, although this is not a very common use case:

    @ssink()
    def very_sensitive(input):
        ...
When a value tainted for vulnerability X reaches a sink sensitive to X, a vulnerability has been found, and the appropriate mechanism is executed.
cleaner

cleaner is a decorator used to declare that a method or function is able to clean stains from a value.

For example, the plain_text function removes HTML code from its input and returns the new, clean value:

    >>> plain_text("This is <b>bold</b>")
    'This is bold'
    >>> plain_text("Click <a href='...'>here</a>")
    'Click here'
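The three decorators described above, sketched as an added example that is not the article's library: untrusted stains everything a function returns, ssink raises when a stained argument reaches it, and cleaner removes one stain while leaving the others in place. The Tainted class, the TaintReached exception, cleaner taking the vulnerability kind as its argument, and the sample string are all assumptions of this example.

```python
import re

II, SQLI, XSS = "II", "SQLI", "XSS"  # vulnerability kinds named on this page

class TaintReached(Exception): pass  # a tainted value reached a sensitive sink

class Tainted(str):  # str carrying the vulnerability kinds it is tainted for
    def __new__(cls, value, taints):
        self = super().__new__(cls, value)
        self.taints = frozenset(taints)
        return self

def untrusted(func):
    """Whatever func returns is tainted for every vulnerability kind."""
    def wrapper(*args, **kwargs):
        return Tainted(func(*args, **kwargs), {II, SQLI, XSS})
    return wrapper

def ssink(vuln=None):
    """Mark func as a sink sensitive to vuln (to every kind when vuln is None)."""
    def decorator(func):
        def wrapper(*args, **kwargs):
            for arg in (*args, *kwargs.values()):
                stains = getattr(arg, "taints", frozenset())
                if stains and (vuln is None or vuln in stains):
                    raise TaintReached(f"{func.__name__} reached by tainted value")
            return func(*args, **kwargs)
        return wrapper
    return decorator

def cleaner(vuln):
    """func removes the vuln stain from its input; any other stain survives."""
    def decorator(func):
        def wrapper(value):
            left = getattr(value, "taints", frozenset()) - {vuln}
            return Tainted(func(value), left) if left else str(func(value))
        return wrapper
    return decorator

@untrusted
def from_the_outside():
    return "Click <a href='#'>here</a>"  # constructed sample input

@ssink(XSS)
def render_answer(input):
    return input  # stand-in for a template renderer

@cleaner(XSS)
def plain_text(value):
    return re.sub(r"<[^>]+>", "", value)  # naive tag stripper, demo only
```

Passing the raw value to render_answer raises TaintReached; passing plain_text(value) does not, but the result is still stained for II and SQLI, so a SQLI sink would still reject it.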
PET: English Translation (Issue 1, August 2010) — http://revista.python.org.ar