Posted to dev@whimsical.apache.org by sebb <se...@gmail.com> on 2017/06/09 09:41:40 UTC
String validation for untainting etc
There are several locations in the Whimsy code where strings are
validated against

/\A\w+\z/

This is applied to user names and LDAP group names / TLP ids.

However \w does not include '-', which is used in the above ids.

AFAICT, the main reason why the checks are done is to decide whether
to untaint or not. In which case, a generic RE such as

/\A[-\w]+\z/

*should* be sufficient for both users and groups.

However it might be good to define the RE as a library constant.
This would make it easy to change, as well as documenting what it is used for.

Does that make sense?

I think the constant would need to be defined in a stand-alone module
(i.e. not whimsy/asf) as the RE is needed in scripts that don't need
the rest of the asf library.

Where should that be put?

Re: String validation for untainting etc
Posted by Sam Ruby <ru...@intertwingly.net>.
On Fri, Jun 9, 2017 at 5:41 AM, sebb <se...@gmail.com> wrote:
> There are several locations in the Whimsy code where strings are
> validated against
>
> /\A\w+\z/
>
> This is applied to user names and LDAP group names / TLP ids.
>
> However \w does not include '-', which is used in the above ids.
>
> AFAICT, the main reason why the checks are done is to decide whether
> to untaint or not. In which case, a generic RE such as
>
> /\A[-\w]+\z/
>
> *should* be sufficient for both users and groups.
>
> However it might be good to define the RE as a library constant.
> This would make it easy to change, as well as documenting what it is used for.
>
> Does that make sense?
>
> I think the constant would need to be defined in a stand-alone module
> (i.e. not whimsy/asf) as the RE is needed in scripts that don't need
> the rest of the asf library.
>
> Where should that be put?
If such a constant were placed in whimsy/asf/validation or somesuch,
those scripts that require whimsy/asf could get it automatically, and
those that only need validation could require just this one part.
- Sam Ruby
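
Added example, not part of the original thread and not Whimsy's own code: a stand-alone Ruby module that holds the proposed pattern as a single constant, run against constructed inputs to show what the old and new patterns accept. The names IdValidation, ID_RE, OLD_RE, clean_id and classify are hypothetical; because Object#untaint was removed in Ruby 3.2, an accepted value is returned as a frozen copy instead of being untainted.

```ruby
# Added illustration; module, constant and method names are hypothetical,
# not Whimsy's own code.
module IdValidation
  # Pattern proposed in the thread: word characters plus '-'.
  # \A and \z anchor to the whole string; Ruby's ^ and $ match at every
  # line boundary, so ^...$ would accept "jdoe\nextra".
  ID_RE = /\A[-\w]+\z/

  # Pattern the thread says is in use today, kept for comparison.
  OLD_RE = /\A\w+\z/

  # Returns a frozen copy of the id when it is well-formed, otherwise nil.
  # Callers pass only the returned value on to LDAP lookups, file paths
  # or commands, never the original input.
  def self.clean_id(value)
    return nil unless value.is_a?(String)
    ID_RE.match?(value) ? value.dup.freeze : nil
  end
end

# Constructed sample inputs (not real account or group names).
SAMPLES = [
  'jdoe',          # plain id
  'example-tlp',   # hyphenated id, rejected by OLD_RE
  "jdoe\nextra",   # embedded newline
  "jdoe\n",        # trailing newline (\Z or $ would let this through)
  'jdoe;id',       # shell metacharacter
  '../etc',        # path characters
  ''               # empty string
].freeze

# Returns [input, accepted_by_old_pattern, accepted_by_new_pattern] rows.
def classify(samples)
  samples.map do |s|
    [s, IdValidation::OLD_RE.match?(s), !IdValidation.clean_id(s).nil?]
  end
end

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLES).each do |s, old_ok, new_ok|
    puts format('%-16s old=%-5s new=%s', s.inspect, old_ok, new_ok)
  end
end
```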