Visible to the public Statically typed string sanitation inside a pythonConflict Detection Enabled

TitleStatically typed string sanitation inside a python
Publication TypeConference Proceedings
Year of Publication2014
AuthorsNathan Fulton, Cyrus Omar, Jonathan Aldrich
Conference NamePSP '14 Proceedings of the 2014 International Workshop on Privacy & Security in Programming
Date Published10/2014
PublisherACM New York, NY, USA ©2014
Conference LocationPortland, OR
ISBN Number978-1-4503-2296-6
KeywordsCMU, extensible languages, input sanitation, Jan'15, regular expressions, string sanitation, type systems, web security

Web applications must ultimately command systems like web browsers and database engines using strings. Strings derived from improperly sanitized user input can as a result be a vector for command injection attacks. In this paper, we introduce regular string types, which classify strings constrained statically to be in a regular language specified by a regular expression. Regular strings support standard string operations like concatenation and substitution, as well as safe coercions, so they can be used to implement, in an essentially conventional manner, the pieces of a web application or framework that handle strings arising from user input. Simple type annotations at function interfaces can be used to statically verify that sanitization has been performed correctly without introducing redundant run-time checks. We specify this type system first as a minimal typed lambda calculus, lambdaRS. To be practical, adopting a specialized type system like this should not require the adoption of a new programming language. Instead, we advocate for extensible type systems: new type system fragments like this should be implemented as libraries atop a mechanism that guarantees that they can be safely composed. We support this with two contributions. First, we specify a translation from lambdaRS to a calculus with only standard strings and regular expressions. Then, taking Python as a language with these constructs, we implement the type system together with the translation as a library using typy, an extensible static type system for Python.

Citation Keynode-30290

Other available formats: