SpoC 007 - Inspekt
Revision as of 12:17, 14 July 2007
AoC Candidate: EdFinkler
Project coordinator: Dinis Cruz
Project Progress: 0% Complete, Progress Page
EdFinkler - Inspekt: Input filtering and validation library for PHP
About Me
I received a Bachelor's Degree in English from Indiana University in 1997. I've been a web developer since 1996, and a PHP developer since 1999. I worked for four years as Supervisor of Web Development at Golden Dome Media, and have spent my last six years as Web and Security Archive Administrator for CERIAS, the Center for Education and Research in Information Assurance and Security, at Purdue University.
I am a member of the PHP Security Consortium, and creator/project lead on PHPSecInfo, a PHP environment security auditing tool. I regularly speak on web application security issues, and am an advocate of secure programming practices via CERIAS and as a member of the PHP and larger web development community.
The state of PHP application development
The state of application development in PHP is worrisome. Reviewing the NIST NVD data from 2006 reveals that over 40% of all vulnerabilities reported were PHP application vulnerabilities -- not vulnerabilities in the language itself, but errors in proper coding practice. I believe that to address the widespread problem of insecure PHP application development, new development paradigms are required. The typical approach of easy, direct interaction with input is inherently problematic, even for a programmer with strong security practices. The developer should be forced to consider his or her expectations for the data, and apply appropriate filtering/validation to ensure that those expectations are correct. For the cases where raw input is required, the developer should be forced to demonstrate clear intent, much more so than simply using the assignment operator. This will, I believe, make it easier to develop secure applications in PHP, and harder to develop insecure ones.
Creating a new paradigm
We have a strong foundation for a new paradigm in Zend_Filter_Input, a component of the Zend Framework developed by PHP security expert Chris Shiflett. Disappointingly, the component was dropped from the framework, a move I and many others strongly disagreed with. After some discussions with Chris and others, I feel that the best approach would be to resurrect Zend_Filter_Input, making it framework-independent and addressing existing limitations.
The details and examples
Essentially, this system would act as a sort of "firewall" API between user input and the rest of the application. By default, the constructor would take an array, assign it to an internal property, and set the passed array to NULL. By setting up filter objects from the standard user input superglobals, developers would be forced to access all data via the filter system's API. A developer must demonstrate clear intent in order to get unfiltered data.
Usage examples
Note that in these examples, I've used the name "InputFilter" for the filter system. This will likely change when I can come up with something snazzier.
<pre>
// Typical ZFI-style usage
$f_post = new InputFilter($_POST);
// $_POST['comment'] == "<strong>hello</strong>";
$comment = $f_post->noTags('comment');       // $comment === "hello";
$comment_raw = $f_post->getRaw('comment');   // $comment_raw === "<strong>hello</strong>";

// makePostFilter would be a helper method that retrieves the $_POST array,
// wraps the data in an InputFilter, and nullifies the $_POST array
$f_post = InputFilter::makePostFilter();

// get email: isEmail returns the value if it validates, false otherwise
if ( $email = $f_post->isEmail('email') ) {
    echo "Valid email address";
} else {
    echo "Not a valid email address";
}

// automatically strip all html tags and bbcode tags from POST input.
// This kind of input restriction would also be configurable via
// external conf files
$restrictions = array('noHTML', 'stripBBCode');
$f_post = InputFilter::makePostFilter($restrictions);
</pre>
Bootstrap file example
<pre>
<?php
// standard bootstrap file
require '/path/to/inputfilterclass.php';
$if = new InputFilter();
$if->loadConfig('/path/to/configfile/inputfilter.conf');
$if->buildStandardFilters(); // builds from $_GET, $_POST, $_COOKIE, $_SERVER

// the make*Filter methods use a singleton pattern to retrieve prebuilt filter objects
$f_post = $if->makePostFilter();
$f_get = $if->makeGetFilter();
$f_cookie = $if->makeCookieFilter();
$f_server = $if->makeServerFilter();

// $_POST, $_GET, $_COOKIE and $_SERVER are now all NULL
// Only way to access this data is via the $f_* objects

?>
</pre>
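The "firewall" design described above (a constructor that takes the input array, keeps a private copy and sets the caller's array to NULL; a helper that does this for $_POST; getRaw as the one explicit route to unfiltered data; filter methods that sanitize or validate a named key) in working PHP, as an added illustration. This is not Inspekt's code and not Zend_Filter_Input; the class and method names are assumptions chosen to match the usage examples on this page, the sample request is constructed inline, and isInt is an extra validator the page does not show.

```php
<?php
// Added example: a minimal implementation of the "input firewall" described
// on this page. NOT Inspekt's own code; InputFilter, makePostFilter, getRaw,
// noTags, isEmail and isInt are assumed names mirroring the examples above.

class InputFilter
{
    private $data; // captured input, reachable only through this object's API

    // Takes the source array by reference, keeps a private copy and nulls the
    // caller's variable, so $_POST itself no longer holds anything.
    public function __construct(array &$source)
    {
        $this->data = $source;
        $source = null;
    }

    // Helper in the spirit of makePostFilter: wrap $_POST and nullify it.
    // $_REQUEST is nulled as well, since PHP merges GET, POST and COOKIE into
    // it and it would otherwise hand back the raw values around the filter.
    public static function makePostFilter()
    {
        $filter = new self($_POST);
        $_REQUEST = null;
        return $filter;
    }

    // The only route to unfiltered data: the developer must name the key and
    // call getRaw explicitly, which is the "clear intent" the design asks for.
    public function getRaw($key)
    {
        return array_key_exists($key, $this->data) ? $this->data[$key] : null;
    }

    // Sanitizing filter: strip HTML/PHP tags; null if absent or not a string
    // (form fields named foo[] arrive as arrays and must not be stringified).
    public function noTags($key)
    {
        $value = $this->getRaw($key);
        return is_string($value) ? strip_tags($value) : null;
    }

    // Validating filter: the value if it is a well-formed e-mail address,
    // false otherwise, so it can be used directly in an if condition.
    public function isEmail($key)
    {
        $value = $this->getRaw($key);
        if (!is_string($value)) {
            return false;
        }
        return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : false;
    }

    // Validating filter: an integer within [$min, $max] (bounds optional),
    // returned as int, or false. "3abc" and "3.5" are rejected, not coerced.
    public function isInt($key, $min = null, $max = null)
    {
        $value = $this->getRaw($key);
        if (!is_string($value) && !is_int($value)) {
            return false;
        }
        $options = array('options' => array());
        if ($min !== null) { $options['options']['min_range'] = $min; }
        if ($max !== null) { $options['options']['max_range'] = $max; }
        return filter_var($value, FILTER_VALIDATE_INT, $options);
    }
}

// Constructed sample request (what PHP would normally populate from the client).
$_POST = array(
    'comment' => '<strong>hello</strong>',
    'email'   => 'not an address',
    'page'    => '3abc',
);
$_REQUEST = $_POST;

$f_post = InputFilter::makePostFilter();

function check($condition, $label)
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $label);
    }
    echo "ok: $label\n";
}

check($_POST === null && $_REQUEST === null, 'superglobals are nulled after wrapping');
check($f_post->noTags('comment') === 'hello', 'noTags strips markup');
check($f_post->getRaw('comment') === '<strong>hello</strong>', 'getRaw returns the original value');
check($f_post->isEmail('email') === false, 'isEmail rejects a non-address');
check($f_post->isEmail('nosuchkey') === false, 'isEmail on a missing key is false, not a notice');
check($f_post->isInt('page', 1, 100) === false, 'isInt rejects "3abc" instead of coercing it');
```

Nulling the superglobal is what forces callers through the filter, but it is a discipline enforced inside application code rather than a hard boundary: $_REQUEST carries a merged copy (cleared above), the raw request body remains readable from php://input, and with register_globals enabled PHP has already copied each field into a global variable before any bootstrap file runs. The validators deliberately return false rather than a coerced value, so a caller that writes `if ($page = $f_post->isInt('page'))` never silently proceeds with "3abc" turned into 3.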
Most info about Inspekt, including usage docs and downloads, is available at the Inspekt Google Code page.
Milestones
- (Completed) Untethering the Zend_Filter_Input code from the Zend Framework
- (Completed) Rewriting PHP5-specific portions to work in PHP4
- (Completed) Development of approach to address scoping issues (a big plus of the $_* superglobals is that they are always available in all scopes automatically)
- (Completed) Initial release of code (continues throughout at appropriate points)
- (Completed) Addition of a variety of "helper" methods to make filtered input object creation and interaction easier
- Addition of automatic input "restriction" filters
- Addition of input filtering system configuration via external config files
- (Completed) Full API doc generated from phpDoc-style documentation
- (25%) Detailed usage documentation, including examples of bootstrapping and methods of integration with various frameworks. Example source code included.
- PEAR channel for packaged distribution
Ongoing Work
- Advocacy. PR via interviews and news items about releases; writing articles demonstrating the system for various sources; presentations via the web and at major PHP conferences.
- Work with major PHP app devs and framework devs to integrate the system -- or encourage the development of similar approaches -- within their projects.