diff --git a/docs/labs/format-strings.html b/docs/labs/format-strings.html new file mode 100644 index 00000000..7c338eb6 --- /dev/null +++ b/docs/labs/format-strings.html @@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + +
+

Lab Exercise Format Strings and Templates

+

+This is a lab exercise on developing secure software. +For more information, see the introduction to +the labs. + +

+

Task

+

+Practice using string templates in a secure way. + +

+

Background

+

+In this exercise, we'll adjust our string formatting so that it doesn't allow a user to control +the +format string. If a user can control the format string they can access +variables which they shouldn't. Particularly if those variable's values can be returned to the user +as output, it could lead to information disclosure beyond what was intended by the developer. + +

+

Task Information

+

+ +

+Please change the code below so the string formatting cannot disclose arbitrary +program values. The server-side program is written in Python and allows a user to specify a +format string to control the output format of an event. + +

+You could adjust the program so that it only formats the event, and does not include any user input, +However it is considered safe to include user input in the output as long as they cannot control +the format string itself. + +

+Adjust the value returned by the format_event function so the the user controlled +user_input variable is only used as a +replacement field +and is not used as the format string. + +

+Use the “hint” and “give up” buttons if necessary. + +

+

Interactive Lab ()

+

+

+
 # Application configuration which should be kept secret from a user
+CONFIG = {
+    'SECRET_KEY': 'super secret key'
+}
+
+# A event object with a single attribute used by the malicious format string to gain access to the
+# secret application configuration below
+class Event(object):
+    def __init__(self, level):
+        self.level = level
+
+def format_event(user_input, event):
+
+
+event = Event('level')
+format_event('{event.__init__.__globals__[CONFIG][SECRET_KEY]}', event)
+
+ + + +

+

+This lab was developed by Jason Shepherd at +Red Hat. with an modified version of the example code from Armin Ronacher's +Be Careful with Python's New-Style String Format article. +

+

+ +

+
+ +
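Review bot: The task text tells the learner to "Adjust the value returned by the format_event function", but the `def format_event(user_input, event):` block in the lab code has an empty body, so there is no starting return value to adjust and the snippet is not valid Python as shown. Seed the function with the vulnerable line the Background section describes, for example `return user_input.format(event=event)`, so the learner can see why the `'{event.__init__.__globals__[CONFIG][SECRET_KEY]}'` call on the last line reaches CONFIG, and then rewrite it so `user_input` is only passed as a replacement-field argument. The comment above the Event class says the format string reaches "the secret application configuration below", but CONFIG is defined above the class; change "below" to "above". Small wording fixes while here: "A event object" should be "An event object"; "so the the user controlled user_input variable" has a doubled "the"; "those variable's values" should be "those variables' values"; "does not include any user input, However it is considered safe" needs a full stop before "However"; and the credit line "Red Hat. with an modified version" should read "Red Hat, with a modified version".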