[Catalyst] Input/Parameter Checks

Mesdaq, Ali amesdaq at websense.com
Thu Dec 13 22:30:16 GMT 2007


I use DBIC with Catalyst and even in cases where I don't use DBIC I always use
placeholders. However, I still don't think that's a strong solution, or at
least it doesn't help me sleep better. I have still seen cases when I
have used placeholders and the input variable still ended up escaping
something and the query would break or data would be inserted partially.
I can't remember for sure, but I think it was with a value of 'C:\' with
the single quotes like it is there. I'm not sure if that was the case or
not; I just remember I had to use the quotesql method before I could pass
that variable to interpolate into the execute command.

Also there are params that are not just in the form but also in the URL
that can get passed to Catalyst. Ideally, I would think that to be safe and
consistent it might be a best practice to write a wrapper around the
various validation and checks that can be done and include that in your
Catalyst app so you can call the wrapper methods to do the checks for
you. I just see so many exploits on a daily basis for web apps that I am
on the paranoid side and don't usually trust basic checks like variable
placeholders in DBI or DBIC. But it's possible those worries are totally
unfounded.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------
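The 'C:\' case above, as an added example that is not part of the original thread: a bound placeholder hands the value to the driver separately from the SQL text, so the quotes and backslash in the value need no escaping and round-trip unchanged, while interpolating the same value into the statement string changes the statement itself. The script assumes DBI with DBD::SQLite is installed; DBI's quote() stands in for whatever quoting helper the poster had in mind.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database (DBD::SQLite assumed to be available).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 } );
$dbh->do('CREATE TABLE paths (id INTEGER PRIMARY KEY, path TEXT NOT NULL)');

# Constructed test value: the string 'C:\' including the single quotes,
# the kind of input that breaks a query when interpolated.
my $input = q{'C:\'};

# 1. Bound placeholder: the value never becomes part of the SQL text, so
#    no quoting is needed and the row stores it byte for byte.
$dbh->do( 'INSERT INTO paths (path) VALUES (?)', undef, $input );
my ($stored) = $dbh->selectrow_array(
    'SELECT path FROM paths WHERE path = ?', undef, $input );
print "placeholder stored: [$stored]\n";
print 'round-trip ok: ', ( $stored eq $input ? 'yes' : 'no' ), "\n";

# 2. Interpolation: the same value becomes part of the statement and the
#    stray quotes turn it into a different (here, invalid) statement.
my $ok = eval {
    $dbh->do("INSERT INTO paths (path) VALUES ('$input')");
    1;
};
print 'interpolated insert failed: ', ( $ok ? 'no' : "yes ($@)" ), "\n";

# 3. If SQL text must be assembled by hand, DBI's quote() is the escaping
#    step; it is still the weaker choice next to a placeholder.
my $quoted = $dbh->quote($input);
print "DBI quote() output: $quoted\n";
```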

-----Original Message-----
From: John Napiorkowski [mailto:jjn1056 at yahoo.com] 
Sent: Thursday, December 13, 2007 1:41 PM
To: The elegant MVC web framework
Subject: Re: [Catalyst] Input/Parameter Checks


--- "Mesdaq, Ali" <amesdaq at websense.com> wrote:

> Anyone have some suggestions or references to good modules or best 
> practices in this regard? This is mainly in regards to using these 
> inputs in SQL queries or other areas where common attacks against web 
> applications happen. I wonder in the Catalyst world what best 
> practices are. Would it be a Catalyst plugin that would best fit that 
> role or a module that gets used in the controller, possibly maybe just 
> some code in the model? It just feels like it's one of those things 
> that has been solved by someone else way better than I would have done 
> it and I am just not aware of it. Kinda like when I wrote my own 
> logging module because at the time I didn't find a good one, then I 
> stumble across log4perl and realize how badly I wasted my time!
> 
> Thanks,
> ------------------------------------------
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> ------------------------------------------

Hi,

You have a couple of questions here. First of all,
for hardening your SQL, I recommend you use an ORM,
like DBIx::Class or Rose::DB, to act as a layer between
your front end code (collecting form params, for
instance, typically in your controller) and the actual
database. DBIC (shorthand for DBIx::Class)
automatically uses bind parameters, which helps a lot
with SQL injection style attacks.


For parameter checking, there's a bunch of stuff
floating around. Please do a quick search of the
recent archives; you'll find someone asking a similar
question with a lot of discussion following. My
personal choice for form validation is the system
based on HTML::FormFu, which integrates nicely with
Catalyst. There is a reasonably active mailing
list as well and tons of documentation and examples.
But your results may be better served by other things;
my opinion is far from canonical.

--john




_______________________________________________
List: Catalyst at lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/