Score:0

Running user input that's formatted in a string


I'm aware that it's strongly advised to never execute user input as code, but I'm curious if my particular situation can be vulnerable to code injection:

  1. The user provides text input in a front-end web form
  2. A Python script on the back-end takes the user's text input and uses it to create variable names for an R script (the variable names are stripped of any characters that violate R syntax for variable names)
  3. We execute the R script, and return the results to the front-end page so the user can see the output

Is there any possible way we could be vulnerable to code injection?

Note: we use Python's format syntax to insert user variables; for example:

'{varname} = dataframe${varname}'.format(varname=stripped_user_provided_variable_name)
Score:1

Is there any possible way we could be vulnerable to code injection?

Absolutely. The general rule is that you must escape/filter all user-supplied input before you can use it anywhere in your application for anything other than a simple text string.

Escape/filter means that you need to remove each and every character that is not required for the user function. Don't just filter what you think may be dangerous. If you expect a variable name, just accepting [a-zA-Z0-9] may be a good idea. Make sure you document the limitations in the manual/help.

Also make sure that you filter on the server side. Filtering on the client side only (web form, JavaScript code, ...) isn't reliable, as circumventing the client-side code and crafting custom POST actions is trivial.

If the user manages to craft an input that terminates the current statement (semicolon, \r\n, ... - dunno about R) and has the rest of their input interpreted as another statement then they've won.
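The allowlist approach from this answer applied to the question's format string, as an added example (not code from the question or the answer): the name is validated server-side with a strict pattern and rejected, not stripped, when it does not fit. The pattern, the length cap and the reserved-word set are choices made here, not something the thread specifies.

```python
import re

# Allowlist for the variable name: one letter, then up to 63 letters or digits.
# Deliberately narrower than R's own identifier syntax (no dots, underscores or
# Unicode) so that nothing outside this set can reach the generated R script.
# fullmatch() is used so a trailing newline or ';' cannot slip past the pattern.
R_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,63}")

# Words that satisfy the pattern but are reserved in R and cannot be assigned to
# (assumed set, checked against the R language definition for common keywords).
R_RESERVED = {"if", "else", "repeat", "while", "function", "for", "next", "break",
              "TRUE", "FALSE", "NULL", "Inf", "NaN", "NA", "in"}


def is_valid_r_name(raw: object) -> bool:
    """True only if raw is a str that fully matches the allowlist and is not reserved."""
    return (isinstance(raw, str)
            and R_NAME.fullmatch(raw) is not None
            and raw not in R_RESERVED)


def validate_r_name(raw: object) -> str:
    """Return raw unchanged if acceptable; otherwise raise instead of rewriting it.

    Rejecting gives the user a clear error and guarantees the returned value is
    exactly what was checked, with no sanitised-but-different name reaching R.
    """
    if not is_valid_r_name(raw):
        raise ValueError("variable name must match [A-Za-z][A-Za-z0-9]{0,63} "
                         "and must not be an R reserved word")
    return raw  # type: ignore[return-value]


def r_assignment(raw_name: object) -> str:
    """Build the single R statement from the question using a validated name."""
    name = validate_r_name(raw_name)
    return "{varname} = dataframe${varname}".format(varname=name)


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable name and several that the
    # allowlist refuses (statement terminators, leading digit, reserved word).
    for candidate in ["sales2023", "a;b", "a\r\nb", "1abc", "if", "x.y", ""]:
        try:
            print(repr(candidate), "->", r_assignment(candidate))
        except ValueError as err:
            print(repr(candidate), "-> rejected:", err)
```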

Matt
This is really helpful! I didn't consider that users could create a custom POST.