String validation for untainting etc

[sebb <se...@gmail.com>]

There are several locations in the Whimsy code where strings are
validated against

/\A\w+\z/

This is applied to user names and LDAP group names / TLP ids.

However \w does not include '-', which is used in the above ids.

AFAICT, the main reason why the checks are done is to decide whether
to untaint or not. In which case, a generic RE such as

/\A[-\w]+\z/

*should* be sufficient for both users and groups.

However it might be good to define the RE as a library constant.
This would make it easy to change, as well as documenting what it is used for.

Does that make sense?

I think the constant would need to be defined in a stand-alone module
(i.e. not whimsy/asf) as the RE is needed in scripts that don't need
the rest of the asf library.

Where should that be put?

Re: String validation for untainting etc

[Sam Ruby <ru...@intertwingly.net>]

On Fri, Jun 9, 2017 at 5:41 AM, sebb <se...@gmail.com> wrote:
> There are several locations in the Whimsy code where strings are
> validated against
>
> /\A\w+\z/
>
> This is applied to user names and LDAP group names / TLP ids.
>
> However \w does not include '-', which is used in the above ids.
>
> AFAICT, the main reason why the checks are done is to decide whether
> to untaint or not. In which case, a generic RE such as
>
> /\A[-\w]+\z/
>
> *should* be sufficient for both users and groups.
>
> However it might be good to define the RE as a library constant.
> This would make it easy to change, as well as documenting what it is used for.
>
> Does that make sense?
>
> I think the constant would need to be defined in a stand-alone module
> (i.e. not whimsy/asf) as the RE is needed in scripts that don't need
> the rest of the asf library.
>
> Where should that be put?

If such a constant were placed in whimsy/asf/validation or somesuch,
those scripts that require whimy/asf could get it automatically, and
those that only need validation could require just this one part.

- Sam Ruby