The Anti pattern
Upload: blaufish
Category: Technology
Transcript of The Anti pattern
The Anti-Pattern
The Anti-Pattern
input = GET[ "username" ]
statement = "code " + input
execute( statement )
The Anti-Pattern
• sql
• ldap
• eval
• response.write
• file.open
• reflection
• control.the.computer
INPUT -> EXECUTE
Anti-AntiPatterns
Code not Text!
Text query languages suck.
Criteria & Entity API: WIN
Code not Text
Root<Pet> pet = cq.from(Pet.class);
cq.where(cb.equal(pet.get(Pet_.name), input));  // CriteriaBuilder.equal(): input is bound as a value, never spliced into query text
s = "SELECT * FROM pet WHERE pet.name = " + input
executeSQL( s )
Fear String.Concat
Parameterized Queries: use parameter placeholders instead of concatenating user input
Remove String.Concat
s = "SELECT * FROM pet WHERE pet.name = @name"
ps = prepare( s )
ps.bind( "@name", input )
s = "SELECT * FROM pet WHERE pet.name = " + input
executeSQL( s )
Defense in depth
INPUT -> GUARD -> EXECUTE
(GUARD rejects bad input with an Exception, so it never reaches EXECUTE)
Defense in Depth
input = GET[ "username" ]
if (whitelist.bad( input )) {
    secLog( "reject..." );
    throw new Exception();
}
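As an added, runnable example (not from the slides, which use JPA and pseudocode), the three shapes side by side in Python with sqlite3: the concatenating anti-pattern, the parameterized query, and a whitelist guard placed in front of it. The table and column names follow the slides; the rows, the regex and the crafted input are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory "pet" table standing in for the
# slides' Pet entity.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pet (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pet (name) VALUES (?)",
                     [("rex",), ("fido",), ("nemo",)])
    return conn

def find_pets_concat(conn, name: str) -> list:
    """The anti-pattern: user input becomes part of the executable text."""
    s = "SELECT name FROM pet WHERE pet.name = '" + name + "'"
    return [row[0] for row in conn.execute(s)]

def find_pets_param(conn, name: str) -> list:
    """Parameterized: the query text is fixed, input is bound as a value."""
    s = "SELECT name FROM pet WHERE pet.name = ?"
    return [row[0] for row in conn.execute(s, (name,))]

# Defense in depth: a whitelist (allow-list) guard in front of EXECUTE.
# The pattern is an assumption for this demo: plain usernames only.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def whitelist_bad(name: str) -> bool:
    return NAME_PATTERN.fullmatch(name) is None

def find_pets_guarded(conn, name: str) -> list:
    if whitelist_bad(name):
        # secLog("reject...") on the slide; here we simply refuse to execute.
        raise ValueError("rejected input: fails allow-list")
    return find_pets_param(conn, name)

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR 'a'='a"  # constructed input that carries query syntax
    print(find_pets_concat(conn, "rex"))     # ['rex']
    print(find_pets_concat(conn, crafted))   # all rows: the input rewrote the query
    print(find_pets_param(conn, crafted))    # []: same input, treated as a literal
```

Running it shows the concatenated query returning every row for the crafted input while the parameterized query returns nothing, and the guarded version never executes at all.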
Summary
• Most common security coding vulns are variants of the same anti-pattern
• Use easy safe-by-design API
  – Entity & Criteria API
  – SQLi is hard =)
• Fear String.Concat
  – String operations are the mother of all evil
  – Parameterize if you must stick to text!
• Defend in Depth!
  – The anti-pattern can also be broken by input validation.