
The Most Expensive Anti-Pattern - dsego
http://m1el.github.io/printf-antipattern
======
z3t4
When you start to treat HTML as element nodes and child-nodes instead of
"strings" things get not only more secure but also much easier to maintain.
Use node.appendChild and document.createTextNode! Code example:

    
    
      function myButton(parentNode) {
        var button = document.createElement("button");
        button.appendChild(document.createTextNode("Click me"));
        parentNode.appendChild(button);
    
        button.onclick = function click() {
          button.appendChild(document.createTextNode(" more!"));
        }
      }

------
AYBABTME
The funniest example is the one involving `jq` which could have safely
manipulated the JSON in one shot, instead of piping this into `sed` & `grep` &
`awk`.

jq: bestest tool ever
([https://stedolan.github.io/jq/](https://stedolan.github.io/jq/))

------
MaulingMonkey
I see these all as type errors enabled by having a single unified string type
for all things.

Something as simple as forcing mysql_query to accept only literal strings,
forbidding dynamically constructed strings, would change it from an API so
unsafe by design that PHP deprecated it - and then removed it - into something
relatively safe.

~~~
DCoder
Where do you draw the line at "dynamically constructed strings"? Do I need to
duplicate the whole query to another literal just to change the sort field?

See also: Perl has a "taint mode" [1] which marks all variables receiving
external data as "tainted" and disallows their usage in sensitive contexts.
PHP has an inactive proposal to implement it as well [2].

[1] [http://perldoc.perl.org/perlsec.html#Taint-
mode](http://perldoc.perl.org/perlsec.html#Taint-mode)

[2] [https://wiki.php.net/rfc/taint](https://wiki.php.net/rfc/taint)

~~~
apathy
This is actually a great idea from Perl. Essentially an anti-monad. Somehow it
doesn't surprise me that the php proposal is inactive (asterisk).

I haven't the foggiest idea what people do today in php but if they don't used
cached templates everywhere I will be sad.

Even back then we serialized into and "rehydrated" out of memcached and the
database (which memcached pulled from on cache misses). It's honestly more of
a pain in the ass NOT to use serialized data structures in the long run. It's
a good habit that is hard to break once established :-)

As far as AST manipulation. Heh. Betcha 9 out of 10 front end programmers have
never written a compiler in their life. Again a good habit (somehow this topic
always loops around to either lisp or Parsec) but a bit harder to establish.
Template metaprogramming is a great way to get in a logit of trouble fast
unless you know exactly what you're doing, IMHO.

(asterisk) wrote and sold a website in php. I don't judge people by their
tools. But a lot of things about php sucked, at least 10 years ago when I
stopped needing to write it.

~~~
closeparen
>This is actually a great idea from Perl. Essentially an anti-monad.

This is an old and deep idea in computer security.

DoD was (is?) interested in systems where, i.e. if a process reads a Top
Secret document, then the OS enforces that it can longer write to merely
Secret or Unclassified files/IO devices. That way, even a fully compromised
process dealing in Top Secret files can't exfiltrate them to a less secure
place.

It turns out that in systems designed around this "taint" (they call it
"label") construct, _everything_ tends to collect the taint/labels, so things
having taint can't be restricted very much or the program can't do anything
useful.

I'm in the middle of this security engineering textbook [0] and I love it.

[0] [https://www.safaribooksonline.com/library/view/security-
engi...](https://www.safaribooksonline.com/library/view/security-
engineering-a/9780470068526/)

~~~
yellowapple
Tainting is best used for detecting cases where the string in question is both
dangerous (e.g. being `eval`ed) and derived from external inputs.

I remember being scolded while working my first "real" programming job
becaused I used `eval` in a Ruby on Rails codebase (I don't remember the
specifics; I think I was trying to hack something together because the
controller setup was weird and I was struggling with the "Rails Way™"). Using
a quick `eval` to generate the intended code on-the-fly seemed reasonable to
me, having previously been intimiately familiar with Perl (where the dangers
of `eval` are mostly mitigated thanks to tainting).

I subsequently learned to embrace Ruby's more robust metaprogramming
facilities, and have since come to appreciate the value (and danger) of macros
in languages like Lisp and Elixir, but I still found it interesting that
features like tainting aren't more widespread (or if they are, they're not
advertised very well).

------
homakov
I call "printf antipattern" format injection e.g.
[http://sakurity.com/blog/2015/03/03/duo_format_injection.htm...](http://sakurity.com/blog/2015/03/03/duo_format_injection.html)

------
tel
Stringly-typed programming considered harmful.

------
scotty79
There should be just html and sql datatypes. They should have own literals and
any string converted to html or sql or glued to them should be properly auto-
escaped. You could still mess things up if someone malforms literal but it
could help with 99% of usual vulnerabilities.

------
SippinLean
Better solution for the "Nearly every PHP web-site in existence" example? (I
don't know what Hippo is)

------
SimeVidas
What different serialization format? I thought serialization == string.

~~~
Someone
serialization == convert to a byte stream.

The byte stream can be a character stream in whatever encoding or a binary
one.

[https://en.wikipedia.org/wiki/Comparison_of_data_serializati...](https://en.wikipedia.org/wiki/Comparison_of_data_serialization_formats)
lists lots of binary serialization formats.

~~~
SimeVidas
I see. Thanks!

