Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115075
Return-Path: <scott@paragonie.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66625 invoked from network); 23 Jun 2021 18:03:20 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 23 Jun 2021 18:03:20 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 3049F1804E3
	for <internals@lists.php.net>; Wed, 23 Jun 2021 11:21:54 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <scott@paragonie.com>
Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 23 Jun 2021 11:21:53 -0700 (PDT)
Received: by mail-lj1-f169.google.com with SMTP id a16so4189446ljq.3
        for <internals@lists.php.net>; Wed, 23 Jun 2021 11:21:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=Re/M7TALXDfXrnQ+pKto+QFVAqpHecHH92X7x7g877c=;
        b=PqGEoB3/Oe47osW7zWFa46xbi3r6YPKwPkPfPq3MG5j8E39qLXSVtaFb4bDVIAXhg4
         EJ+Fp0tfK2ON68r7gR/nsin+rFxPnZA9XgG/mVlWhYkWOkAPgBvXuPsfOjCPT9VxcAKr
         EQmb+SiikpSEYI1Ehak4aeCyyVSq7tTUXC3nQHVTpXfxWzbrFaUZdyl6/7WDpACpqOvn
         bHvilTH+ekYaxwUQoVh2YEaG7coOeXwtQcMpAJjVlAF0x8Wdn3znJBGZiVdTvS2JyRbk
         CaUhUTbZfKu5s2C8N8BsLSQvP6vCulpPxPH4189eP0+IiHp1JJknZTWxuQOM2CStR/Of
         QbMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=Re/M7TALXDfXrnQ+pKto+QFVAqpHecHH92X7x7g877c=;
        b=Hiims0US6Ma535OT2kETOLnWzGE2N2ItbXhIFyyMCHlTXVGSFHAepFtKbOixGq+Wae
         USZJJj1YsNq2qvxLlufUBa4pIH2B9XAiRQl/1RxbIINQKG/1XoIinTIGO2Ki9XJeKAI/
         M80XxxPiYRpDlJHRT6NEcf5Gtwus+MW/5TH9KCBu2LKg8vSRVzuh2Sq+LPdhPQE3eP0D
         Dw9rqcDi2deYm59KF8Fa9D6sockH1+4ZeUPbJAGyM6bIj6If741v6TXV/qoJgmTlpaEd
         umd3nlHUhi66UL30C5fob1CwvJBjvqGH+A4VhWPFbdjRDUSGtbxBqKagDwSwI9b/YJHl
         Mh7w==
X-Gm-Message-State: AOAM533unhsC0LIswIlEu1R5mttHAelaraoH/ibeQMQIheWBz1A8RVb4
	/NnizsenQcxybu8j9dei452c7rz0UNfBeCwSQe1cHQ==
X-Google-Smtp-Source: ABdhPJxdSFAk/h7VDWwJWd5VzNKsP2YiU/ofwVrpadv8rQRSIKyPWxMx30d5RTCBGGfN9qEVcVZ7u+QqUuAoVwNdcg8=
X-Received: by 2002:a2e:a373:: with SMTP id i19mr777523ljn.394.1624472509579;
 Wed, 23 Jun 2021 11:21:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
In-Reply-To: <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
Date: Wed, 23 Jun 2021 14:21:39 -0400
Message-ID: <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: Larry Garfield <larry@garfieldtech.com>, php internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: scott@paragonie.com (Scott Arciszewski)

On Wed, Jun 23, 2021 at 10:54 AM Craig Francis <craig@craigfrancis.co.uk> w=
rote:
>
> On Wed, 23 Jun 2021 at 14:37, Larry Garfield <larry@garfieldtech.com> wro=
te:
>
> > I'm still very torn on is_literal; I fear that the people who would
> > benefit from it are the very people that don't use the tools that would
> > leverage it (DBALs et al), and so the net benefit will be small.
> >
>
>
> This RFC will not help those who aren=E2=80=99t using libraries (DBALs), =
that=E2=80=99s
> something we could look at in the future (I have a suggestion in the Futu=
re
> Scope section, but whatever that involves, it will need to use this flag,
> so it would need to be in place first).
>
> But - and why I=E2=80=99m here - my experience is that it=E2=80=99s still=
 a big issue for
> those who *do* use libraries. It frequently comes up at software
> agencies/companies that maintain their code (built with free
> libraries/frameworks), and employ junior developers (i.e. the cheapest),
> who make many "quick edits" (time is money), and in doing so introduce th=
e
> issues the RFC covers (and not to say we more experienced coders don=E2=
=80=99t
> occasionally make mistakes too!). While non-library users are the main
> cause, the library users are still a big part of why Injection
> Vulnerabilities remain at the top of the OWASP Top 10.
>
> Craig

Hi,

I was asked for my thoughts on this RFC (and its naming) from a
security engineering perspective.

The old is_literal() isn't correct if it includes non-string values
(i.e. integers).
The new is_trusted() is potentially misleading, especially to people
who don't read the docs.

My knee-jerk reaction was simply, "Why not is_untainted()?" but that
invokes the imagery of taint-checking, which the RFC explicitly
doesn't implement. A better name might be is_noble(), where we get to
define the concept of noble inputs (name inspired by the Noble gases
from Chemistry).

The main reason I don't like is_trusted() is that everyone's threat
model and risk tolerance is different, and trust is too nebulous a
concept for a built-in function. But also, it's really easy to jump
the guard-rail: https://3v4l.org/4GM8Q#focus=3Drfc.literals

One concern that Joe Watkins asked about is: Is it reasonable to cover
both integers and strings that are not influenceable by potential
external attackers (n.b. ones that can't already overwrite your source
code)? Outside the chr()/pack()/sprintf()/etc. technique demonstrated
above, there's no risk of injection inherent to concatenating a
trusted string with an untrusted integer.

Injection attacks (SQL injection, LDAP injection, XSS, etc.) are, at
their core, an instance of type confusion between data and code. In
order for the injection to *do* anything, it needs to be in the same
input domain as the language the code is written in. Try as you might,
there is no integer that will, upon concatenation with a string,
produce a control character for HTML (i.e. `>`) or SQL (i.e. `'`).

Therefore, if the concern is Injection attacks, integer inputs do not
need to be tracked to provide a security gain.

This is only true for integers, not all numeric types. I haven't
investigated the safety of floats in every possible context, and the
`e`, `+`, and `.` characters could be problematic in corner cases.

TL;DR
- Why not is_noble()?
- String + int concatenation isn't an injection risk.

Cheers,
Scott