Rowan Tommins rowan.collins@gmail.com wrote:

I still don't follow this reasoning, for the reasons I outlined here:
...
Whether "$foo . $bar" is always non-literal, or non-literal only if one
of its operands is, you're going to get an error about a non-literal
string somewhere else in the program, and have to trace back to find
where the "bad" concatenation happened.

There are two differences. The first is "even if there is a problem,
you at least can find the relevant code".

With string concatenation preserving literal flags, when a problem is
detected, the situation is: "There is a non-literal somewhere in this
chunk of HTML. Good luck finding it in the string, and then figuring
out where it comes from in the code."

With having to jump through the hoop of using a specific function to
preserve the literal flag, the situation is: "This line of code is
wrong. It needs to be changed to use escaping."

To be precise, you wouldn't have to trace back to find where the
non-literal value comes from. At the point where the error is you
would probably just change it to use the appropriate escaping. e.g. if
this line of fails, because the color suddenly becomes a non-literal:

literal_concat("<div style='color: ", $up->getColor(), "'>");

you don't need to figure out where the color is coming from, you can
just change it to use a function that does the appropriate escaping:

html("<div style='color: %s'>", $up->getColor());

In general, any use of literal_concat() where the correctness of it
isn't obvious from reading the code, should probably start a
conversation of "have you considered defaulting to using
escaping/prepared query here"?

It prevents the problem reaching an end-user.

The solution at Google prevents any security problem from reaching the
end-user by refusing to compile code.

One of the problems with PHP is that it is 'normal' for logs to be
filled with warnings...which means that most people just ignore them.

By allowing security problems to get through, rather than defaulting
to being an error means that they will reach end-users, and the
warning messages will end up in log files, and the process for finding
and fixing them will take more time than people will like.

So instead of defaulting to safe, it will default to being ignorable.
And the whole point (in my understanding) of Chris Kern's talk, is
that you need to make software safe by default.

What it won't do, is tell you when you've forgotten to use it,

Which is a huge difference.

If you're aware that you're touching a security sensitive bit of code,
you're likely to do the right thing anyway, and so won't need the
crutch of is_literal.

If you're unaware that you're touching a security sensitive bit of
code, you're more likely to accidentally include user input where it
isn't meant to be used.

That means the feature would be annoying for the people who need it most.

Allowing errors to get through to users, for them to be allegedly
fixed at a later date is referred to as "Normalization of deviance"
and isn't a good choice for this RFC, imo.

cheers
Dan
Ack

• problems with static analysis as a solution

** Not everyone runs it, and it would be nicer to allow wordpress et
al to provide this security threat detection rather than hoping users
decided to use static analysis.

** It might require libraries also using the same static analysis annotations.

** It might get quite tricky to implement correctly, in particular for
functions where the literal-ness of the output depends on the
literal-ness of the input.

which will result in too many invalid errors, requiring them to make
substantial/unnecessary changes

My understanding is that the majority of PHP developers use one of the
many frameworks available. All of those provide libraries that people
use rather than accessing the DB directly.

At the other end of the scale, you have companies with large-ish
engineering teams (e.g. 30+) where access to the DB is done through an
in-house library.

The only people who don't already go through an access layer of code
to reach the DB are people who don't depend on frameworks, and
maintain their own applications with a small (or singular) engineering
team.

This type of person may be over-represented in internals, but are
probably relatively few in number compared to the majority of PHP
users.

requiring them to make substantial/unnecessary changes

My very strong suspicion is that if/when people start using this, the
majority of changes that would be required would be actual security
problems that ought to be fixed.

(i.e. replacing every string concat with
literal_concat(), or using a special Query Builder for their
SQL/HTML/CLI/etc).

Most people should be using a library for building HTML and CLI
escaping, because remembering how to do the escaping properly is
really difficult. I certainly never remember the difference between
the correct escaping for CSS and JS.

But the changes required for supporting DB queries just don't seem
that big to me. I've put a code example of an implementation below.

I'm pretty sure that the changes needed to fix the actual security
problems that exist in their code would be bigger, and also that
tracking down a single leaked non-literal would take longer than
migrating code to use the new feature.

As I said in my reply to Rowan, making it easy to track down issues
where they occur, minimises the cost of using this feature over the
years it would be used.

cheers
Dan
Ack

Before

$query = "select * from preferences user_id = " . $_GET['user_id'];

db_exec($query);

After

$query[] = "select * from preferences user_id = ";
$query[] = $_GET['user_id'];

db_exec($query);

And the function db_exec would be changed to something like:

function db_exec(string|array $query_parts)
{
if (is_string($query_parts) && !is_literal($query_parts)) {
throw new \Exception("Cannot use non literal string as query.
Please pass the parts in as an array");
} else {
foreach ($query_parts as $query_part) {
if (is_string($query_part) && !is_literal($query_part) {
throw new \Exception("non-literal string found [$query_part]");
}
else if (is_int($query_part)) {
// todo - decide if you want to allow this or not.
// I personally wouldn't.
}
else {
// todo - support other types
}
}

    $query = implode("", $query_parts);
}

// rest of db_exec here...

}

Hi Nikita,

I performed a few other benchmarks in order to provide a little bit more
insights into the performance aspect of the RFC. My latest measurement is
using the same setup as the previous
one, although I made a few smaller changes in the process (e.g. changing
the order of the tests). So at the end, I got the following results:

• Laravel demo app: +0.1%
• Symfony demo app: +0.43%
• bench.php: +0.4%
• custom concat bench: +3.89%

The results are comparing the "literals" branch with the commit in master
on which Joe's work is based. As far as I remember, the simpler variant of
is_literals had a 0.1% slowdown
in case of Symfony, and 2.09% in case of the custom concat benchmark.
Personally, I think even the current numbers are acceptable, especially
because PHP 8.1 is going to be
roughly 30% faster than PHP 8.0 according to my benchmark in case of the
Symfony demo app. Laravel's result is very similar, but I don't remember
about the exact numbers.

Thanks Máté! While I'm not really happy with the technical implications,
your numbers clearly show that there is barely any impact in practice. I've
dropped my "no" vote for that reason.

Regards,
Nikita

is there a compelling reason why the internal names couldn't be marked
literal
(even if it's technically "wrong")?

Hi Lauri,

Just again quickly noting we’re only talking about ~0.43% difference,
nothing major in any way.

But we wanted to ensure developers didn't wonder why something was seen as
a literal in one case, but not in another (we wanted to ensure
consistency), because most people don’t know much about how the internals
of PHP work - especially optimisations which are supposed to be kind of
‘invisible’ to developers. This change also helped when a couple of other
compiler optimisations happen:

https://wiki.php.net/rfc/is_literal#compiler_optimisations

Craig

short of a bug in esc_like(), i don't even see the vulnerability issue in
that code?
that sanitize call looks like a data corruption issue and i bet it fails to
search for binary data, but i don't see the critical vulnerability?

Related to the general topic of injection attacks, I was considering
submitting a PR to change the default of PDO::ATTR_EMULUATE_PREPARES to
FALSE, since this mistakenly can lead people to believe that using prepared
statements with PDO and MySQL protects against injection attacks. In fact,
this is only the case if they create the PDO object with the option
specified as false. I'm not aware however to reasoning for enabling prepare
emulation by default for MySQL. I would assume it's a performance choice,
but how long ago was this choice made and is it worth revisiting? Would
this be something that requires its own RFC? It's a single line change.

Jordan

On Sat, Jul 17, 2021 at 9:48 AM Craig Francis craig@craigfrancis.co.uk
wrote:

my belief is that this is not a runtime problem, but rather a type-level
issue with tainted/untainted input/output.

Thank you for the feedback Marco,

As you appreciate, I don’t believe we can get every PHP developer to use
Static Analysis. It’s an extra step that developers with less time, energy,
or care, will not setup and use.

Putting something in the base language, means that libraries can just use
it, and people using the sites/systems of rushed or lazier developers will
have these checks helping keep their data secure. Data breeches can have
life-changing consequences for people, Injection Vulnerabilities are one of
the biggest causes of them, and since we have the ability for libraries to
warn all developers about these mistake, we should.

At the moment our house can catch on fire and we don’t even have a smoke
alarm. This is the smoke alarm. And there are reasons why it’s builders and
landlords that have to install them, and we don’t rely on the tenants going
and sorting them out themselves. Because if they don’t, for the best or the
worse reasons, either way there are severe consequences to everybody.

In regards to Taint Checking, it has a significant problem as it creates a
false sense of security, hence these examples in the RFC:

$sql = 'SELECT * FROM users WHERE id = ' . $db->real_escape_string($id); //
INSECURE

$html = "<img src=" . htmlentities($url) . " alt='' />"; // INSECURE

$html = "<a href='" . htmlentities($url) . "'>..."; // INSECURE

Fortunately Psalm has just implemented the is_literal() concept, so those
developers who do use Psalm can protect themselves from these issues:

https://github.com/vimeo/psalm/releases/tag/4.8.0

In addition to that, a mechanism to un-taint values is missing,

That’s the main flaw with Taint Checking, because it’s not possible to mark
something as safe without knowing about the context. As in, developers use
an escaping function (to mark as untainted), think the value is now “safe”,
and incorrectly use that value in a way that causes a security
vulnerability.

is_literal() simplifies this problem considerably, by just identifying
developer defined strings, and instead using libraries to handle user
values.

Craig

As an aside, only 4 of 23 'no' voters provided any comment as to why they
voted that way on the mailing list, which I feel undermines the point of
the Request For Comment process, with an additional 5 responding personally
off-list after prompting. This makes it harder (or impossible) for points
to be discussed and addressed.

1. My earlier comments about static analysis, and on behavior depending on whether opcache is enabled

Thanks Tyson,

Just to check I've not missed anything, are you referring to your comments from March 2020?
https://news-web.php.net/php.internals/109192 https://news-web.php.net/php.internals/109192

I mentioned your email in the RFC, as I agree that developers should use Static Analysis, but I think it's highly unlikely we will be able to get most PHP developers to use it:
https://wiki.php.net/rfc/is_literal#static_analysis https://wiki.php.net/rfc/is_literal#static_analysis

As to the OPcache, Joe's implementation already works with its optimisations, so the results are consistent.
https://wiki.php.net/rfc/is_literal#compiler_optimisations https://wiki.php.net/rfc/is_literal#compiler_optimisations

2. This might prevent certain optimizations in the future. For example, currently, 1-byte strings are all interned to save memory.
   If is_literal was part of php prior to proposing that optimization, then that optimization may be rejected.

Like the OPcache optimisations, the 1-byte strings and other existing optimisations work with Joe's implementation. I cannot comment or predict any future optimisation work, but this argument could be made for any change to PHP.

3. PHP's string type is used both for (hopefully) valid unicode strings and for low level operations on literal byte arrays (e.g. cryptogrophy).
   It seems really, really strange for a type system to track trustedness for a low level primitive to track byte arrays. (the php 6 unicode string refactoring failed)

   Further, if this were to be extended in the future beyond the original proposal (e.g. literal strings that are entirely digits are automatically interned or marked as trusted),
   this might open previously safe code acting on byte arrays to side channel issues such as timing attacks (https://en.wikipedia.org/wiki/Timing_attack)

We're just adding a flag to say if the string was written by the developer, which is key for identifying Injection Vulnerabilities (it's similar to the Interned flag).

With cryptography and timing attacks, the only part affected would be during string concatenation, which has already got several optimisations that introduce variability in timings (e.g. concatenating variables containing 'a' with 'b' is about twice as slow than 'a' with '').

We did have a discussion about integer support, but the way integers/floats/booleans are currently stored in memory would require a big change to note if those values were defined in the developers PHP source code. We also explored the idea of allowing all integers, and while they cannot lead to an Injection Vulnerability, the consensus was that a developer defined string is easier to understand:
https://wiki.php.net/rfc/is_literal#integer_values https://wiki.php.net/rfc/is_literal#integer_values

4. Internal functions and userland polyfills for those functions may unintentionally differ significantly for the resulting taintedness,
   e.g. base64_decode in userland being built up byte by byte would end up being possibly untainted?

All of these functions would return a non-literal string, as the values were not written by the developer (as in, directly defined in their source code).

5. The fact that 1-byte strings are almost always interned seems like a noticeable inconsistency (though library authors can deal with it once they're aware of it), though for it to become an issue a library may need to take multiple strings as input
   (e.g. a contrived example"echo -- " . $trustedPrefix . shell_escape($notTrusted) for $trustedPrefix of "'" (or "\n") and $notTrusted of "; evaluate command"

1-byte strings have already been addressed in the implementation.

Libraries need to take user values separately from developer defined strings, because developers frequently make mistakes:
https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/mistakes.php?ts=4 https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/mistakes.php?ts=4

Especially when it comes to escaping values:
https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/escaping.php?ts=4 https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/escaping.php?ts=4

In your command example, the library could copy how Parameterised Queries work in SQL.
https://github.com/craigfrancis/php-is-literal-rfc/blob/main/examples/cli-basic.php https://github.com/craigfrancis/php-is-literal-rfc/blob/main/examples/cli-basic.php

6. Including it in core would make it harder to remove later if it interfered with opcache or jit work, or to migrate code to alternative interpreters for php if those were ever implemented (if frameworks were to extensively depend on is_literal)

This is why Joe was very careful with the implementation. Overall the approach is simple, where it's just providing libraries with the key bit of information to identify their primary source of Injection Vulnerabilities (when a developer has incorrectly included user data).

7. Tracking whether a string is untrusted is a definition only suitable for a few (extremely common) formats for php. But for less common features, even stringified integers may be a problem (e.g. binary file formats, etc)

   This is relatively minor given that php is typically used in a web programming context with json or html or js/css output

   I'd think is_interned()/intern_string() is much closer to tracking something that corresponds with php's internals (e.g. and may allow saving memory in long-running processes which receive duplicate strings as input), though the 10 people who wanted fully featured trustedness checking would probably want is_literal instead

The implementation is pretty close to matching the Interned flag, but isn't exactly the same, as the Interned flag can be unpredictable for normal PHP developers (e.g. the chr() function), and it could be changed in the future (e.g. Joe noted how there was a suggestion to intern keys while JSON decoding or unserializing).

8. Serializing and unserializing data would lose information about trustedness of inputs, unpredictably (e.g. unserialize() in php 8.0 interns array keys).

   There's no (efficient) way to change trusted strings to untrusted or vice versa, though there are inefficient workarounds (modifying a byte and restoring it to stop trusting it, imploding single characters to create a trusted string)

   This may done implicitly in frameworks using APCu/memcached/redis as a cache

   (I definitely don't think the serialization data format should track is_literal())

Agreed, serializing and unserializing (or any other modifications) does not set the literal flag.

As to providing an easy way to mark a non-literal string to a literal - in short, we do not want to recreate the biggest flaw of Taint Checking, where naive developers would see this as a way to mark escaped strings as "safe", giving them a false sense of security that these strings can now be trusted.

9. Future refactorings, optimizations or deoptimizations (or security fixes) to unserialize(), etc. may unexpectedly break code using is_literal that throw instead of warn (more bug reports, discourage users from upgrading, etc.)

The implementation already includes several tests, and output from functions like unserialize() do not set the literal flag.

10. This RFC adds an unknown amount of future work for php-src and PECLs to intuitively support mapping trusted inputs to trusted outputs or vice versa - less commonly used or unmaintained functions may not behave as expected for a while

This shouldn't be an issue, as the flag is only being used to identify literal strings. If new strings are being created or modified, they are no longer considered literal strings (the flag is off by default).

11. https://pecl.php.net/package/taint is available already for a use case with some overlap for setups that need this

Libraries need something that's available to everyone (we all make mistakes; and the developers most likely to introduce these vulnerabilities are unlikely to install an extension, or use Static Analysis).

And with the Taint extension in particular, it has really helped me experiment with this concept, but that approach does give a false sense of security, which is why this RFC did not re-create it:
https://wiki.php.net/rfc/is_literal#taint_checking https://wiki.php.net/rfc/is_literal#taint_checking

Aside: I'd have to wonder if ZSTR_IS_INTERNED (and the function to make an interned string) would make sense to expose in a PECL as a regular extension (not a zend_extension) if is_interned also fails.
Unlike the zend_extension for https://www.php.net/manual/en/function.is-tainted.php ,
something simple may be possible without needing the performance hit and
future conflicts with XDebug that I assume https://www.php.net/manual/en/function.is-tainted.php would be prone to.
(https://pecl.php.net/package/taint seems to use a separate bit to track this. The latest release of the Taint pecl fixes XDebug compatibility)

As noted above, we couldn't expose the Interned flag directly, as it's a little unpredictable. That's why we added a new flag - one that at first glance might look the same, but handles the edge cases.

Thanks again,
Craig

Le 7 sept. 2021 à 11:49, Craig Francis craig@craigfrancis.co.uk a écrit :

Obviously I'd still like libraries to be able to protect everyone from
introducing Injection Vulnerabilities (as the majority of programmers don't
use static analysis), but that's for another day.

Hi,

We all want to protect from injection vulnerability, but I think there are better way than is_literal.

One way is to use templates, an area where PHP is ironically lagging behind. I suggest looking at JS tagged templates:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals

For example:

$qb->select('u')
->from('User', 'u')
->where('u.id = ' . $_GET['id']); // INSECURE
could be written as

<?php
$qb->exec SELECT u FROM User u WHERE u.id = %{ $_GET['id'] }
?>

where the part between %{ ... } is transformed into an SQL literal string (with delimiters "...", not just “escaping”) when it is a string; into the SQL expression NULL when it is null; into an SQL subexpression if it is an object (provided by the library) that represents a well-formed SQL subexpression, etc.

—Claude