interpolation proposals and safety

kdevel kdevel at vogtner.de
Thu Aug 22 19:34:32 UTC 2024


On Saturday, 23 December 2023 at 23:33:31 UTC, Adam D Ruppe wrote:

> 1027 makes it possible to do some cases correctly, but 
> difficult to trust in the general case since it makes no 
> attempt at type safety and its string cannot differentiate 
> between user-injected strings and format string literals.

As I will point out below, the current implementation (DMD 
v2.109.1) doesn't do either. At least not in the HTML case.

> [...]
>
> On the other hand, 1036e corrects these flaws, while adding the 
> possibility for CTFE manipulation, aggregation, and 
> verification of all string literals passed.
>
> I encourage everyone to look at the sample repository here:
>
> https://github.com/adamdruppe/interpolation-examples/

> [...]

> Finally, example #7, directly avoids the trap of XSS holes by, 
> again, separating HTML structure from added data and ensuring 
> correct encodings and valid data positioning is done in all 
> contexts. [...]

One way to "commit" a mistake is by omitting necessary parts. In 
a CGI context the webserver is reading the stdout of the CGI 
application. The original example (with comments stripped) is:

```
import lib.html;

void main() {
    string name = "<bar>";
    auto element = i"<foo>$(name)</foo>".html;
    assert(element.tagName == "foo");

    import std.stdio;
    writeln(element.toString());

}
```

Now I forget to `import lib.html` and to call `html` on the IES:

```
void main() {
    // no `import lib.html;` here
    string name = "<script>alert(-1)</script>";
    auto element = i"<foo>$(name)</foo>"; // no `.html` here

    import std.stdio;
    writeln(element); // prints the raw IES, `name` unescaped
}
```

```
$ dmd htmli.d
$ ./htmli
<foo><script>alert(-1)</script></foo>
```

`name` may have been a URL parameter or may be part of the POST 
body. The important part is that it is attacker supplied and 
controlled.

`writeln` should not print unadorned interpolated string 
expressions.
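
As an added illustration (editor's example; not code from the 
original post, from the quoted example repository, or from 
`lib.html`), the program below routes the same IES through a 
hypothetical escaping sink. It assumes the `core.interpolation` 
marker types shipped with DMD v2.109.1 (`InterpolationHeader`, 
`InterpolationFooter`, `InterpolatedLiteral`, 
`InterpolatedExpression`); the names `escapedHtml` and 
`htmlEscape` are invented for this example, and the `name` value 
is a constructed stand-in for an attacker-supplied parameter.

```d
import core.interpolation;
import std.stdio;
import std.array : appender;
import std.conv : to;

/// Hypothetical helper (not lib.html): rebuild an IES into a string,
/// keeping the programmer-written literal parts verbatim and
/// HTML-escaping every interpolated value.
string escapedHtml(Args...)(Args args)
{
    auto sink = appender!string();
    static foreach (i, Arg; Args)
    {{
        static if (is(Arg == InterpolationHeader) || is(Arg == InterpolationFooter))
        {
            // Structural markers delimiting the sequence; nothing to emit.
        }
        else static if (is(Arg == InterpolatedLiteral!text, string text))
        {
            // Source text from inside the i"..." literal: trusted markup.
            sink.put(text);
        }
        else static if (is(Arg == InterpolatedExpression!code, string code))
        {
            // Source text of the $(...) expression; its value is the next arg.
        }
        else
        {
            // A runtime value: possibly attacker-controlled, so escape it.
            sink.put(htmlEscape(args[i].to!string));
        }
    }}
    return sink[];
}

/// Minimal escaping for HTML text content (not for attribute or
/// script contexts, which need context-specific encoding).
string htmlEscape(string s)
{
    auto sink = appender!string();
    foreach (dchar c; s)
    {
        switch (c)
        {
            case '&':  sink.put("&amp;");  break;
            case '<':  sink.put("&lt;");   break;
            case '>':  sink.put("&gt;");   break;
            case '"':  sink.put("&quot;"); break;
            case '\'': sink.put("&#39;");  break;
            default:   sink.put(c);
        }
    }
    return sink[];
}

void main()
{
    // Constructed sample standing in for a URL or POST parameter.
    string name = "<script>alert(-1)</script>";

    // Unadorned IES straight into writeln: literal and value are
    // concatenated as-is, so the injected tags reach the browser.
    writeln(i"<foo>$(name)</foo>");

    // Same IES through the escaping sink: the literal <foo> tags
    // survive, the injected <script> tags are entity-encoded.
    writeln(escapedHtml(i"<foo>$(name)</foo>"));
}
```

The point of the example is that the IES carries enough information 
(`InterpolatedLiteral` versus a bare value) for a consumer to tell 
trusted markup from data; the hole only opens when the IES is handed 
to a consumer such as `writeln` that ignores that distinction. Text 
escaping alone is also not a substitute for the context-aware 
positioning the quoted example describes: a value placed inside an 
attribute or a `<script>` block needs different handling than one 
placed between tags.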


More information about the Digitalmars-d mailing list