Sanitise user input for a script

Discussion:

(too old to reply)

Simon Connah

2024-08-30 19:18:29 UTC

I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the smae way as you sanitise SQL to protect against SQL injections.

I could do it either on the website itself or by doing it on the host machine.

I'm thinking of using argparse but I'm aware it does not offer any protection itself.

If someone has any suggestions I'd appreciated it. If you need more information then please let me know.

Simon.

Peter J. Holzer

2024-08-30 20:23:01 UTC

Permalink

Post by Simon Connah
I need to write a script that will take some user input (supplied on a
website) and then execute a Python script on a host via SSH. I'm
curious what the best options are for protecting against malicious
input in much the smae way as you sanitise SQL to protect against SQL
injections.

(Aside: Don't "sanitize" SQL. Use placeholders.)

Post by Simon Connah
I could do it either on the website itself or by doing it on the host
machine.

You will have to do it in the web site.

The SSH manual states:

| If supplied, the arguments will be appended to the command, separated by
| spaces, before it is sent to the server to be executed.

So whether you call
ssh myhost print_args a b c
or
ssh myhost print_args a "b c"
in both cases exactly the same string will be sent to myhost, and it
won't have any chance to distinguish them.

So you will either have to filter ("sanitize") the arguments or properly
quote them before invoking SSH.

Post by Simon Connah
If someone has any suggestions I'd appreciated it. If you need more
information then please let me know.

First, if there is any chance that your arguments can contain characters
with meaning to the shell (like an apostrophe in a name), get the
quoting correct. If you can, transmit those arguments in a different way
(e.g. as input, maybe just nul-separated, may as JSON, or whatever).

That removes the SSH-specific problems. There may still be problems with
the python script on the host.

Then, do all the validation you can on the web server. Reject all
requests which aren't valid. But be sure to check against the relevant
specifications, not your prejudices (You may not think that an
apostrophe in an email address is valid, but it is). Include meaningful
error messages (not just "input invalid"). Helping your legitimate users
is more important than slightly inconveniencing an attacker.

hp

Thomas Passin

2024-08-30 22:35:59 UTC

Permalink

Post by Simon Connah
I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the smae way as you sanitise SQL to protect against SQL injections.

You should never, never, never "sanitize" SQL. Use prepared statements
instead.

What kind of user input do you expect to get that would need to be
"sanitized"? How are you going to use it such that malicious input might
cause trouble? I hope you aren't planning to exec() it. Are you
expecting a user to send in a script and your server will execute it?
Better read up on sandboxing, then.

If you won't be exec()ing a script, then you can consider creating an
API where each method of the API can only do limited things, and only
with certain parameters not all of all them. The SSH message can include
the name of the method to use.

And follow what Peter Holzer wrote. Don't forget that quoting practices
are not the same between Windows and Linux.

Post by Simon Connah
I could do it either on the website itself or by doing it on the host machine.
I'm thinking of using argparse but I'm aware it does not offer any protection itself.
If someone has any suggestions I'd appreciated it. If you need more information then please let me know.
Simon.

Simon Connah

2024-08-31 04:49:15 UTC

Permalink

Post by Thomas Passin

Post by Simon Connah
I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the smae way as you sanitise SQL to protect against SQL injections.

You should never, never, never "sanitize" SQL. Use prepared statements
instead.

Yes. Sorry. I forgot what it was called and accidentally called it sanitising instead but I'm using prepared statements in psycopg 3 for SQL.

Post by Thomas Passin
What kind of user input do you expect to get that would need to be
"sanitized"? How are you going to use it such that malicious input might
cause trouble? I hope you aren't planning to exec() it. Are you
expecting a user to send in a script and your server will execute it?
Better read up on sandboxing, then.

No. I'm not planning on exec() a random script. I have a prepared Python script which configures various things. The web server connects to the server via SSH and runs my Python script which then runs commands like bhyve (FreeBSD) and it also does things like configure the firewall config file to change firewall rules. The customer has no direct access to the Python script.

In terms of arguments the script that deals with bhyve for instance takes arguments such as CPU count and RAM amount.

Post by Thomas Passin
If you won't be exec()ing a script, then you can consider creating an
API where each method of the API can only do limited things, and only
with certain parameters not all of all them. The SSH message can include
the name of the method to use.
And follow what Peter Holzer wrote. Don't forget that quoting practices
are not the same between Windows and Linux.

Thank you. I'll look into this. Makes sense.

Post by Thomas Passin

--
https://mail.python.org/mailman/listinfo/python-list

Simon Connah

2024-08-31 04:51:42 UTC

Permalink

Post by Peter J. Holzer

(Aside: Don't "sanitize" SQL. Use placeholders.)

Post by Simon Connah
I could do it either on the website itself or by doing it on the host
machine.

You will have to do it in the web site.
| If supplied, the arguments will be appended to the command, separated by
| spaces, before it is sent to the server to be executed.
So whether you call
ssh myhost print_args a b c
or
ssh myhost print_args a "b c"
in both cases exactly the same string will be sent to myhost, and it
won't have any chance to distinguish them.
So you will either have to filter ("sanitize") the arguments or properly
quote them before invoking SSH.

Post by Simon Connah
If someone has any suggestions I'd appreciated it. If you need more
information then please let me know.

First, if there is any chance that your arguments can contain characters
with meaning to the shell (like an apostrophe in a name), get the
quoting correct. If you can, transmit those arguments in a different way
(e.g. as input, maybe just nul-separated, may as JSON, or whatever).
That removes the SSH-specific problems. There may still be problems with
the python script on the host.
Then, do all the validation you can on the web server. Reject all
requests which aren't valid. But be sure to check against the relevant
specifications, not your prejudices (You may not think that an
apostrophe in an email address is valid, but it is). Include meaningful
error messages (not just "input invalid"). Helping your legitimate users
is more important than slightly inconveniencing an attacker.

Thank you very much. That is very useful.

Simon.