Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: Marco Pivetta
Cc: PHP internals
Date: Sat, 17 Jul 2021 17:48:26 +0100

On Sat, 17 Jul 2021 at 4:05 pm, Marco Pivetta wrote:

> my belief is that this is not a runtime problem, but rather a type-level
> issue with tainted/untainted input/output.

Thank you for the feedback Marco,

As you appreciate, I don't believe we can get every PHP developer to use Static Analysis. It's an extra step that developers with less time, energy, or care will not set up and use.

Putting something in the base language means that libraries can just use it, and people using the sites/systems of rushed or lazier developers will have these checks helping keep their data secure.

Data breaches can have life-changing consequences for people, Injection Vulnerabilities are one of the biggest causes of them, and since we have the ability for libraries to warn all developers about these mistakes, we should.
At the moment our house can catch on fire and we don't even have a smoke alarm. This is the smoke alarm. And there are reasons why it's builders and landlords that have to install them, and we don't rely on the tenants going and sorting them out themselves. Because if they don't, for the best or the worst reasons, either way there are severe consequences to everybody.

In regards to Taint Checking, it has a significant problem as it creates a false sense of security, hence these examples in the RFC:

    $sql = 'SELECT * FROM users WHERE id = ' . $db->real_escape_string($id); // INSECURE
    $html = "3D''"; // INSECURE
    $html = "..."; // INSECURE

Fortunately Psalm has just implemented the is_literal() concept, so those developers who do use Psalm can protect themselves from these issues:

https://github.com/vimeo/psalm/releases/tag/4.8.0

> In addition to that, a mechanism to un-taint values is missing,

That's the main flaw with Taint Checking, because it's not possible to mark something as safe without knowing about the context. As in, developers use an escaping function (to mark as untainted), think the value is now "safe", and incorrectly use that value in a way that causes a security vulnerability.

is_literal() simplifies this problem considerably, by just identifying developer-defined strings, and instead using libraries to handle user values.

Craig
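The two points Craig makes above (an escaping function cannot make a value "safe" without knowing the context it lands in, and a library can instead insist that the query template itself is a developer-written literal and take user values separately) can be shown in a few lines of PHP. The following is an added example, not code from the RFC, from Psalm, or from this email. It assumes Psalm's `literal-string` type (the static counterpart of the RFC's is_literal(), and what the 4.8.0 release above adds) as a docblock annotation, which is inert at runtime; the `SafeDb` class, the in-memory SQLite table and the attacker value are constructed for the illustration. `addslashes()` stands in for `$db->real_escape_string()` so the example needs no MySQL server; both escape quote characters and neither knows where the value is being inserted.

```php
<?php
declare(strict_types=1);

// Added example (not from the RFC, Psalm or the email). SafeDb and the sample
// data are constructed for this demonstration.

final class SafeDb
{
    public function __construct(private PDO $pdo) {}

    /**
     * The query template must be written in source code. Psalm (>= 4.8) enforces
     * this statically via the literal-string type; the RFC proposed the same
     * check at runtime with is_literal(). User values never enter the template,
     * they are bound as parameters.
     *
     * @psalm-param literal-string $sql
     * @param array<string, int|string> $params
     * @return list<array<string, mixed>>
     */
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        foreach ($params as $name => $value) {
            $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker input. It contains no quote characters, so an
// escaping function returns it unchanged.
$id = '1 OR 1=1';

// INSECURE (the RFC's first example, with addslashes() in place of
// real_escape_string()). The escaped value is dropped into an unquoted
// integer position, where escaping quotes protects nothing, and the
// WHERE clause becomes "id = 1 OR 1=1".
$insecure = 'SELECT * FROM users WHERE id = ' . addslashes($id);
echo $insecure, "\n";
echo count($pdo->query($insecure)->fetchAll(PDO::FETCH_ASSOC)), " row(s) from the escaped query\n";

// The library approach: the template is a literal, the user value is bound.
// The string '1 OR 1=1' is compared against the id column as a value, not
// parsed as SQL, so it matches no row.
$db = new SafeDb($pdo);
$rows = $db->query('SELECT * FROM users WHERE id = :id', ['id' => $id]);
echo count($rows), " row(s) from the parameterised query\n";
```

Passing `'SELECT * FROM users WHERE id = ' . $id` to `SafeDb::query()` is the case the library is designed to catch: the argument is no longer composed only of source literals, so Psalm reports it against the `literal-string` annotation at analysis time, and the RFC's is_literal() would return false for it at runtime. No escaping step is involved in that decision, which is the difference from taint tracking: the library does not need to know whether a value is "safe" in some context, only whether the developer wrote it.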