Rock Solid Python with Python Typing Transcripts
Chapter: Typing in Python
Lecture: Avoiding Injection Attacks with LiteralString

0:00 This last feature is really powerful for security situations, especially around injection attacks.
0:08 So I've titled it "Beware Little Bobby Tables" and this comes to us from PEP 675, "Arbitrary Literal String Type".
0:18 And so the idea is that some strings should not have arbitrary input. So let's imagine we have a database situation where we want to write a query.
0:30 We want to say the query is going to be select star from students where, notice how awesome
0:39 PyCharm is, it's decided that this is a SQL string inside and so it will auto-complete things like where, order by, and so on.
0:49 where name is like percent, percent something, what or even is exactly equal to, let's do exactly equal to, is equal to, and we'll change our quote
1:06 so I can put single quotes in here around their name in case there's spaces, student name. All right, well, where does student name come from?
1:18 Let's ask the user who is running our app. Hey, user, we can be real careful. This is a string and we're gonna say input.
1:25 What is the user's, what is the student's name? Right, now we could do this, but let me comment that out
1:33 and just explicitly set this to, you know, Robert Tables. So we'll print out the query and let's go ahead and run that.
1:41 Select star from students where name is equal to Robert Tables. Fantastic. This is good, right? And let's go ahead and be super clear here
1:49 that this is a string as well, 'cause it is. And we've got our highlighting here for SQL. There's a few warnings here
2:01 that we can change our global dialect to, let's say SQLite. We could also connect a database and it'll actually auto-complete the columns
2:11 and the tables, which is amazing, but we're not gonna do that. So here we've got a really good example
2:17 of how we can create a query and send it off to a database, and it's great. Let's try again. I won't redeclare the types, 'cause you shouldn't.
2:28 Let's say, imagine of having the input, having them type Robert Tables. What if they typed something way more creative?
2:37 What if they said, "Well, the first thing we're gonna need to do is make sure this query is valid, and it accepts things like spaces and stuff,"
2:45 So they're surely going to put a single quote here in order to make that valid. So we want to close off that quote like we did here.
2:56 Then we want to enter a new statement, a totally unrelated statement like drop table students or users or you know whatever. That's one statement.
3:07 Another one we want to run. And finally, let's comment out everything that comes after. Let's try that one. How's that going to work?
3:14 So run this valid but meaningless query, returns nothing. Now we run the query drop table students, yikes.
3:23 And then we're going to comment out the closing dash or order by or whatever happened to follow that we don't care about.
3:29 And it's a little bad, a little bit bad. And check out Little Bobby Tables from xkcd. It's amazing.
3:37 So what we would like to do in Python is express that this is not allowed.
3:42 You're not allowed to take arbitrary input from somewhere and combine it with this string because this string is protected against injection.
3:54 Let's comment this out here. And put that back as well as potentially this in a minute.
4:09 So now we can come down here and say that we get what the string is, we want to say that this is a typing dot literal string.
4:19 And what that means is, it cannot take arbitrary input. So down here, if we were to have in this case, like so, we should have an error here.
4:33 However, you can see that there's no real errors. I don't believe PyCharm or I don't know whether any of the other editors as well actually
4:42 run the check to make sure that this input is fixed. Rather, it should be another literal string like for example here.
4:54 This is fine if this is another typing dot literal string which just a constant string is, you can do this combination.
5:01 So this is allowed, but if this comes from the input, whereas it's like this, it shouldn't
5:07 be allowed and it'll show up as an error in the type that you shouldn't be able to combine
5:11 a literal string and a non, like a mutable user input string. You got to use something like mypy, one of those things to actually check for this error,
5:20 but you know, if it'll help you, why not go ahead and put this in here as a literal string, especially for the queries where you need it.
5:28 Because we all want to avoid this situation of Little Bobby Tables.
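As an added example (not code from the course), here is the lecture's query written with PEP 675's LiteralString next to the parameterised form, run against a constructed in-memory SQLite table. The names `run_query`, `find_student`, `unsafe_find_student` and the sample payload are assumptions of this example; the type error on the concatenated string only surfaces when mypy or pyright checks the file, because LiteralString is plain `str` at run time.

```python
# Added example: PEP 675 LiteralString applied to the lecture's query,
# beside the parameterised form, against an in-memory SQLite database.
import sqlite3

try:
    from typing import LiteralString  # Python 3.11+
except ImportError:  # older interpreters: keep the code running, lose the static check
    LiteralString = str


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)", [("Alice",), ("Robert Tables",)])
    conn.commit()
    return conn


def run_query(conn: sqlite3.Connection, sql: LiteralString, params: tuple = ()) -> list:
    """`sql` must be a literal, or built only from literals; mypy/pyright
    reject a plain str here (for example one that came from input())."""
    return conn.execute(sql, params).fetchall()


def find_student(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the untrusted value travels as a bound parameter, never
    spliced into the SQL text, so quotes and semicolons in it stay data."""
    return run_query(conn, "SELECT name FROM students WHERE name = ?", (name,))


def unsafe_find_student(conn: sqlite3.Connection, name: str) -> None:
    """The lecture's concatenation. `sql` is a str, not a LiteralString, so
    run_query(conn, sql) is rejected by the type checker (roughly:
    'Argument 2 has incompatible type "str"; expected "LiteralString"').
    executescript() runs every statement in the string, as a driver that
    permits multiple statements would."""
    sql = "SELECT name FROM students WHERE name = '" + name + "'"
    conn.executescript(sql)


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row[0] == 1


# Constructed injection input (hypothetical): closes the quote, drops the
# table, then reopens the quote so the rest of the template still parses.
BOBBY = "Robert'; DROP TABLE students; SELECT '"
```

Run `mypy` on the file to see the LiteralString violation; the parameterised `find_student` passes the checker and leaves the table intact when given `BOBBY`, while `unsafe_find_student` drops it.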