Ex. 52 security issue

chrishadfield · October 1, 2021, 9:38am

in exercise 52 i’m trying to figure this out, still feel like a lot of this is going straight over my head sometimes

def load_room(name):
    """
    There is a potential security problem here.
    Who gets to set name? Can that expose a variable?
    """
    return globals().get(name)

def name_room(room):
    """
    Same possible security problem.  Can you trust room?
    What's a better solution than this globals lookup?
    """
    for key, value in globals().items():
        if value == room:
            return key

globals was something i hadn’t seen before, if i print globals i can see every global variable in a dictionary format including functions.

first question

would loading the rooms in their own dictionary fix the security issue, by making the only variables accessible, the rooms you have created?

dict = {'a': Room('room 1', 'disc 1'),
'b': Room('room 2', 'disc 2')}

def load_room(name):
    """
    There is a potential security problem here.
    Who gets to set name? Can that expose a variable?
    """
    return dict.get(name)

def name_room(room):
    for key, value in dict.items():
        if value == room:
            return key

second question

I’m really not putting this together how could i do something with those exposed variables?

so the first function returns the module associated with the key(name), in the context of the game, you would then use that module to get the data to display in your site/engine. wouldn’t this automatically throw an error as that data wouldn’t be available?

zedshaw · October 1, 2021, 1:14pm

Yes you could just put the rooms inside a variable, just don’t call it dict. Try:

ROOMS = {}

Next, the name of the room comes from the user right? And globals() exposes every variable in your program. That means someone might be able to pass the name of something and get its value back. Imagine if you have a list of all the users or session keys. It’s probably not going to happen in this small code, but if you had that in a big application there’s probably a clever way to get your program to dump data you didn’t intend.

chrishadfield · October 2, 2021, 12:19am

so dict() is a function and calling a variable that would then cause issues later, i’m guessing.

label it as a constant variable, makes sense we don’t want to change it.

so similar to the idea of sql injection if the right data is in that globals dictionary, probably more can be done with the right knowledge.

seams like security testing is just a whole other rabbit hole that needs to be explored thoroughly.

so i’m almost at the end of the first book and defiantly only have a very basic understanding, what would be your advice on what’s important to remember? it seams like from here there is just an ocean of information to get through.

zedshaw · October 2, 2021, 1:23pm

Well it’s not dict() it’s globals() that exposes everything. Try it out:

DATABASE_PASSWORD="supersecret"

Toss that in a file, then write a purposefully bad handler that prints out the globals() results. You should see the super secret password then.

gpkesley · October 4, 2021, 5:16pm

Are you moving onto Learn More Python The Hard Way? It’s a different challenge.

chrishadfield · October 9, 2021, 8:51am

yeah, after i finish this book and create the web server for the study drills ill be moving on to more python.