• Sanitise user input for a script

    From Simon Connah@3:633/280.2 to All on Sat Aug 31 05:18:29 2024

    I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the same way as you sanitise SQL to protect against SQL injections.

    I could do it either on the website itself or by doing it on the host machine.

    I'm thinking of using argparse but I'm aware it does not offer any protection itself.

    If someone has any suggestions I'd appreciate it. If you need more information then please let me know.

    Simon.


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: ---:- FTN<->UseNet Gate -:--- (3:633/280.2@fidonet)
  • From Peter J. Holzer@3:633/280.2 to All on Sat Aug 31 06:23:01 2024

    On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
    > I need to write a script that will take some user input (supplied on a
    > website) and then execute a Python script on a host via SSH. I'm
    > curious what the best options are for protecting against malicious
    > input in much the same way as you sanitise SQL to protect against SQL injections.

    (Aside: Don't "sanitize" SQL. Use placeholders.)


    > I could do it either on the website itself or by doing it on the host machine.

    You will have to do it in the web site.

    The SSH manual states:

    | If supplied, the arguments will be appended to the command, separated by
    | spaces, before it is sent to the server to be executed.

    So whether you call
        ssh myhost print_args a b c
    or
        ssh myhost print_args a "b c"
    in both cases exactly the same string will be sent to myhost, and it
    won't have any chance to distinguish them.

    So you will either have to filter ("sanitize") the arguments or properly
    quote them before invoking SSH.

    > If someone has any suggestions I'd appreciate it. If you need more information then please let me know.

    First, if there is any chance that your arguments can contain characters
    with meaning to the shell (like an apostrophe in a name), get the
    quoting correct. If you can, transmit those arguments in a different way
    (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).

    That removes the SSH-specific problems. There may still be problems with
    the python script on the host.

    Then, do all the validation you can on the web server. Reject all
    requests which aren't valid. But be sure to check against the relevant specifications, not your prejudices (You may not think that an
    apostrophe in an email address is valid, but it is). Include meaningful
    error messages (not just "input invalid"). Helping your legitimate users
    is more important than slightly inconveniencing an attacker.

    hp


    --
       _  | Peter J. Holzer    | Story must make more sense than reality.
    |_|_) |                    |
    | |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
    __/   | http://www.hjp.at/ |       challenge!"

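The quoting problem Peter describes, worked through in Python as an added example (not code from the thread): `ssh` joins the remote arguments with spaces, so each one must be shell-quoted before that happens, or the data goes over stdin as JSON and never touches the remote shell. `remote_shell_split` is a stand-in for the remote login shell's word splitting; the host name and script path are placeholders.

```python
import json
import shlex

def remote_argv_naive(host, command, args):
    # What a straight ssh call does: ssh itself joins the remote arguments
    # with single spaces, so the boundary between "b c" and "b", "c" is gone
    # by the time the string reaches the remote login shell.
    return ["ssh", host, " ".join([command, *args])]

def remote_argv_quoted(host, command, args):
    # Quote every argument for a POSIX shell before ssh concatenates them;
    # the remote shell then rebuilds exactly the argv we intended, even for
    # values containing spaces or an apostrophe (O'Brien).
    remote = " ".join(shlex.quote(a) for a in [command, *args])
    return ["ssh", host, remote]

def remote_request_via_stdin(host, command, params):
    # Peter's alternative: keep the remote command line fixed and carry the
    # user data on stdin as one JSON document, so no user-supplied text is
    # ever word-split or interpreted by the remote shell. Returns the argv
    # for subprocess.run(argv, input=payload, text=True) and the payload.
    argv = ["ssh", host, shlex.quote(command)]
    payload = json.dumps(params, separators=(",", ":")) + "\n"
    return argv, payload

def remote_shell_split(remote_string):
    # Stand-in for the remote login shell's word splitting. shlex.split
    # applies POSIX quoting rules but does not model command separators,
    # expansion or redirection, which is exactly why quoting must be right.
    return shlex.split(remote_string)

if __name__ == "__main__":
    for builder in (remote_argv_naive, remote_argv_quoted):
        argv = builder("myhost", "print_args", ["a", "b c", "O'Brien"])
        print(builder.__name__, repr(argv[2]), "->", remote_shell_split(argv[2]))
```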
  • From Simon Connah@3:633/280.2 to All on Sat Aug 31 14:49:15 2024

    On Friday, 30 August 2024 at 23:35, Thomas Passin via Python-list <python-list@python.org> wrote:

    > On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
    > > I need to write a script that will take some user input (supplied on a
    > > website) and then execute a Python script on a host via SSH. I'm curious
    > > what the best options are for protecting against malicious input in much
    > > the same way as you sanitise SQL to protect against SQL injections.
    >
    > You should never, never, never "sanitize" SQL. Use prepared statements instead.

    Yes. Sorry. I forgot what it was called and accidentally called it sanitising instead, but I'm using prepared statements in psycopg 3 for SQL.

    > What kind of user input do you expect to get that would need to be
    > "sanitized"? How are you going to use it such that malicious input might
    > cause trouble? I hope you aren't planning to exec() it. Are you
    > expecting a user to send in a script and your server will execute it?
    > Better read up on sandboxing, then.

    No. I'm not planning on exec()ing a random script. I have a prepared Python script which configures various things. The web server connects to the server via SSH and runs my Python script, which then runs commands like bhyve (FreeBSD) and it also does things like configure the firewall config file to change firewall rules. The customer has no direct access to the Python script.

    In terms of arguments, the script that deals with bhyve for instance takes arguments such as CPU count and RAM amount.

    > If you won't be exec()ing a script, then you can consider creating an
    > API where each method of the API can only do limited things, and only
    > with certain parameters, not all of them. The SSH message can include
    > the name of the method to use.
    >
    > And follow what Peter Holzer wrote. Don't forget that quoting practices
    > are not the same between Windows and Linux.

    Thank you. I'll look into this. Makes sense.

    > > I could do it either on the website itself or by doing it on the host
    > > machine.
    > >
    > > I'm thinking of using argparse but I'm aware it does not offer any
    > > protection itself.
    > >
    > > If someone has any suggestions I'd appreciate it. If you need more
    > > information then please let me know.
    > >
    > > Simon.
    >
    > --
    > https://mail.python.org/mailman/listinfo/python-list

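The restricted API Thomas suggests, as an added example not taken from the thread: a host-side dispatcher that reads one JSON request (the stdin transport Peter mentioned), knows only a fixed set of methods, and checks every parameter (here the CPU count and RAM amount Simon's bhyve script takes) against an explicit type and range before anything runs. The method name, the limits and the `create_vm` stand-in are assumptions, not Simon's script.

```python
import json

class RequestError(ValueError):
    pass  # rejected request; the message is meant to be shown to the user

def int_in_range(name, lo, hi):
    # Validator factory: a real int (bool excluded) within [lo, hi].
    def check(value):
        if isinstance(value, bool) or not isinstance(value, int):
            raise RequestError(f"{name} must be an integer, got {value!r}")
        if not lo <= value <= hi:
            raise RequestError(f"{name} must be between {lo} and {hi}, got {value}")
        return value
    return check

def create_vm(cpus, ram_mb):
    # Stand-in for the real bhyve invocation: returns what it would do.
    return {"action": "create_vm", "cpus": cpus, "ram_mb": ram_mb}

# The whole API: method name -> (handler, validator per accepted parameter).
# The limits are made-up placeholders; a real host would use its own.
METHODS = {
    "create_vm": (create_vm, {"cpus": int_in_range("cpus", 1, 16),
                              "ram_mb": int_in_range("ram_mb", 256, 65536)}),
}

def dispatch(request_json):
    # One JSON object, e.g. read from stdin: {"method": ..., "params": {...}}.
    # Unknown methods, unknown or missing parameters and bad values are all
    # rejected with a specific message before any handler runs.
    try:
        req = json.loads(request_json)
    except json.JSONDecodeError as exc:
        raise RequestError(f"request is not valid JSON: {exc}") from None
    if not isinstance(req, dict) or not isinstance(req.get("method"), str):
        raise RequestError("request must be an object with a string 'method'")
    if req["method"] not in METHODS:
        raise RequestError(f"unknown method {req['method']!r}")
    handler, validators = METHODS[req["method"]]
    params = req.get("params", {})
    if not isinstance(params, dict):
        raise RequestError("'params' must be an object")
    if set(params) != set(validators):
        raise RequestError(f"{req['method']} takes exactly {sorted(validators)}, got {sorted(params)}")
    return handler(**{k: validators[k](params[k]) for k in validators})

if __name__ == "__main__":
    import sys
    print(json.dumps(dispatch(sys.stdin.read())))
```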
  • From Simon Connah@3:633/280.2 to All on Sat Aug 31 14:51:42 2024

    On Friday, 30 August 2024 at 21:23, Peter J. Holzer via Python-list <python-list@python.org> wrote:

    > On 2024-08-30 19:18:29 +0000, Simon Connah via Python-list wrote:
    > > I need to write a script that will take some user input (supplied on a
    > > website) and then execute a Python script on a host via SSH. I'm
    > > curious what the best options are for protecting against malicious
    > > input in much the same way as you sanitise SQL to protect against SQL injections.
    >
    > (Aside: Don't "sanitize" SQL. Use placeholders.)
    >
    > > I could do it either on the website itself or by doing it on the host machine.
    >
    > You will have to do it in the web site.
    >
    > The SSH manual states:
    >
    > | If supplied, the arguments will be appended to the command, separated by
    > | spaces, before it is sent to the server to be executed.
    >
    > So whether you call
    >     ssh myhost print_args a b c
    > or
    >     ssh myhost print_args a "b c"
    > in both cases exactly the same string will be sent to myhost, and it
    > won't have any chance to distinguish them.
    >
    > So you will either have to filter ("sanitize") the arguments or properly quote them before invoking SSH.
    >
    > > If someone has any suggestions I'd appreciate it. If you need more information then please let me know.
    >
    > First, if there is any chance that your arguments can contain characters
    > with meaning to the shell (like an apostrophe in a name), get the
    > quoting correct. If you can, transmit those arguments in a different way (e.g. as input, maybe just nul-separated, maybe as JSON, or whatever).
    >
    > That removes the SSH-specific problems. There may still be problems with
    > the python script on the host.
    >
    > Then, do all the validation you can on the web server. Reject all
    > requests which aren't valid. But be sure to check against the relevant specifications, not your prejudices (You may not think that an
    > apostrophe in an email address is valid, but it is). Include meaningful
    > error messages (not just "input invalid"). Helping your legitimate users
    > is more important than slightly inconveniencing an attacker.

    Thank you very much. That is very useful.

    Simon.
