
I'm passing a string from Java to Python over a middleware and I'm evaluating the string to execute the method in python.

Let's say I send the below string from JAVA

'test_method("Value1", "Value2", **{"k1":"v1", "k2":"v2"})'

This will be evaluated in python and the test_method with the arguments is called. This works fine until there is a single or a double quote in any of the values. If v1 or v2, for example, has a single or a double quote, I get a syntax error during evaluation in python.

I handle this by escaping all the characters while sending from python.

I'm not sure if any SQL injection analogue can be present here. Can someone tell if it is safe to escape the quotes and backslashes? If not, what is the recommended way of doing it?

  • See answers from https://stackoverflow.com/questions/6431933/how-to-format-strings-in-java – y_ug Mar 04 '20 at 16:25


You have a Python server and a Java client. The question is: does the server trust the client? The risk is a "code injection" (see the OWASP page for useful information).

Escaping quotes and backslashes on the client (Java) side won't have any effect on security, it will just prevent the server from failing to eval the function when the arguments contain quotes...

If you control the Java client (you are the one who writes the string to be eval'd), you can feel safe, but there are some issues:

  • Can some other client represent itself as the Java client and fool the server? If yes, you have to ensure that the access to the server is controlled (the client has to be authorized).
  • Even if the client authorization is checked, this client may be controlled by an attacker. Whether you have a Zero trust or a [Defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) security model, the server should not trust the data received from the client.

That said, you have two main options, both on the server side:

  • Accept any input, and try to sanitize what you receive (check that quotes are balanced, that you have no delete_all_files command, etc.). In this case, the Java client should escape the quotes, backslashes, ... This is very risky, because the imagination of the attackers (and the regular users) is limitless and you might receive a command string that will crash your server.
  • Define a protocol between the client and the server, for instance: the client sends a json string containing the function name and the parameters, the server checks if this is allowed and executes it. This is far better, because the server can easily control if the function and the arguments are valid. (You can create your own binary protocol if you want, but Json or XML are good choices.) With such a protocol, you can avoid using eval/exec on server side.

To summarize, I recommend that you:

  1. if you can: use Json strings to pass the commands from the client to the server, and to return results from the server to the client.
  2. in all cases: control that the client is authorized to execute the command.
jferard