docs/Secure-Coding-Guide-for-Python/CWE-693/CWE-184/README.md
12 additions & 21 deletions
@@ -6,7 +6,7 @@ Avoid Incomplete 'deny lists' that can lead to security vulnerabilities such as
6
6
7
7
The `noncompliant01.py` code demonstrates the difficult handling of exclusion lists in a multi language support use case. `UTF-8` has __1,112,064__ mappings between `8-32` bit values and printable characters such as `生` known as "code points".
8
8
9
-
The `noncompliant01.py``filterString()` method attempts to search for disallowed input is leading to an incomplete list of disallowed input due to the non-English character `生` in `<script生>`.
9
+
The `noncompliant01.py``filterString()` method attempts to search for disallowed inputs and fails to find the `script` tag due to the non-English character `生` in `<script生>`.
10
10
11
11
*[noncompliant01.py](noncompliant01.py):*
12
12
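Review bot: new line 9 still calls the method `filterString()`, but the code in this file calls `filter_string(name)` (visible as context in the next hunk), and the two code spans in `` `noncompliant01.py``filterString()` `` are run together with no space, so the adjacent backticks render as one broken span; suggest "The `filter_string()` method in `noncompliant01.py` attempts to search for disallowed inputs and fails to find the `script` tag due to the non-English character `生` in `<script生>`." While this paragraph is being touched, the unchanged line 7 also needs a fix: 1,112,064 is the number of Unicode scalar values (1,114,112 code points minus the 2,048 surrogates), code points are defined by Unicode rather than by UTF-8, UTF-8 only encodes each of them in 1 to 4 bytes, and most code points are not printable characters, so "UTF-8 has 1,112,064 mappings between 8-32 bit values and printable characters" should be reworded to say that Unicode defines roughly 1.1 million code points, such as `生`, which UTF-8 encodes in 1 to 4 bytes.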
@@ -48,22 +48,12 @@ names = [
48
48
for name in names:
49
49
print(name)
50
50
filter_string(name)
51
-
```
52
-
53
-
The `noncompliant01.py` code will print all lines of strings including the one `<script生>`. Different ways and sequencing of canonicalizing or normalizing the user provided data as explained in [CWE-180: Incorrect Behavior Order: Validate Before Canonicalize](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-180), can turn `<script生>` into `<script>` either in the backend, or on the clients front-end browser.
54
51
55
-
__Example `noncompliant01.py` output:__
56
-
57
-
```bash
58
-
YES 毛泽东先生
59
-
YES dash-
60
-
NOK <script>
61
-
NOK <script生>
62
52
```
63
53
64
54
## Compliant Solution
65
55
66
-
The `compliant01.py` uses an allow list instead of deny list and prevents the use of unwanted characters by raising an exception even without canonicalize. The missing canonicalize in `compliant01.py` according to [CWE-180: Incorrect Behavior Order: Validate Before Canonicalize](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-180), and must be added in order to make logging or displaying them safe!
56
+
The `compliant01.py` uses an allow list instead of a deny list and prevents the use of unwanted characters by raising an exception even without canonicalization. The missing canonicalization in `compliant01.py` according to [CWE-180: Incorrect Behavior Order: Validate Before Canonicalize](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-180) must be added in order to make logging or displaying them safe!
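Review bot: deleting old line 53 together with the output block (old lines 55-62) leaves the Noncompliant section ending at the code with no statement of what `noncompliant01.py` does or why the filter misses `<script生>`; that line carried the only explanation, that canonicalizing or normalizing the input as described in [CWE-180: Incorrect Behavior Order: Validate Before Canonicalize](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-180) can turn `<script生>` into `<script>` in the backend or in the client's browser, so suggest keeping that sentence after the closing fence rather than dropping it. Removing the output block itself is defensible, since it gave `<script>` and `<script生>` the same `NOK` verdict and therefore never showed the filter being bypassed, but an output block that matches the described behaviour would serve the reader better than none. On new line 56, "The missing canonicalization in `compliant01.py` according to [CWE-180 ...] must be added in order to make logging or displaying them safe!" leaves "them" without a referent and reads as if CWE-180 called for the omission; suggest "`compliant01.py` omits canonicalization; as [CWE-180: Incorrect Behavior Order: Validate Before Canonicalize](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-180) explains, the input must still be canonicalized before it is logged or displayed." Minor: with the fence at old line 51 removed and the one at old line 62 kept, the blank old line 54 now sits as a trailing empty line inside the code block.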