Reputation: 1535
I read this mail *safe* coerce: four methods compared, in which methods of type conversions are discussed.
In the first approach, `String` is used as the universal representation and every type which wants to convert to/from other types simply makes itself instances of typeclasses `Show` and `Read`.
However, would this raise a security issue? Is there a way for the input to hijack the process, in a way similar to SQL injection?
Upvotes: 1
Views: 157
Reputation: 21286
Off the top of my head, when it's unsafe, it's in an obvious way. So basically: don't trust with `read` any input you get from anyone. It's meant for deserialization, so when you do deserialize, make a function to check the sanity of the data you receive.
Otherwise a user could easily change the input (`show` yields very simple text), and bypass smart constructors. Another way to deal with this is to create custom, safer instances. E.g. a lot of containers serialize to something like `fromList [1,2,3]` instead of `show`ing the underlying structure. Can't have too many problems with that.
Here's a GHCi session for a datatype that is a list with an `Int` for its size:
```haskell
data LList a = LList [a] Int deriving (Eq, Ord, Show, Read)
let mkLList xs = LList xs (length xs)
-- Module would only expose (LList, mkLList)
read "LList [6,4,2] 6548" :: LList Int
> LList [6,4,2] 6548
```
Now we have an `LList` with the length of 6548 elements... but we only have 3.
Upvotes: 1
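The "custom, safer instances" advice from the answer above, as an added example that is not code from the original answer: hand-written `Show`/`Read` instances for `LList` that serialize as a call to `mkLList`, so the cached length is never read from the input and the forged `LList [6,4,2] 6548` text no longer parses. `llLength` and the `main` driver are hypothetical names added for illustration.

```haskell
-- Added example, not from the original answer. LList and mkLList come from
-- the answer; llLength and main are hypothetical names.
import Text.Read (Lexeme (Ident), Read (..), lexP, parens, prec, readMaybe, step)

-- In a real module the LList constructor stays private; only mkLList is exported.
data LList a = LList [a] Int deriving (Eq, Ord)

mkLList :: [a] -> LList a
mkLList xs = LList xs (length xs)

llLength :: LList a -> Int
llLength (LList _ n) = n

-- Serialize the way containers do with fromList: as a call to the smart
-- constructor, so the cached length never appears in the text.
instance Show a => Show (LList a) where
  showsPrec d (LList xs _) =
    showParen (d > 10) $ showString "mkLList " . showsPrec 11 xs

-- Accept only "mkLList <list>" and rebuild the value through mkLList, so the
-- length is always recomputed from the data, never taken from the input.
instance Read a => Read (LList a) where
  readPrec = parens $ prec 10 $ do
    Ident "mkLList" <- lexP
    xs <- step readPrec
    return (mkLList xs)

-- Constructed inputs: one honest string and the forged one from the answer.
main :: IO ()
main = do
  print (readMaybe "mkLList [6,4,2]" :: Maybe (LList Int))
  print (readMaybe "LList [6,4,2] 6548" :: Maybe (LList Int))
  print (llLength <$> (readMaybe "mkLList [6,4,2]" :: Maybe (LList Int)))
```

Using `readMaybe` rather than `read` also means malformed input yields `Nothing` instead of a runtime exception.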
Reputation: 101969
Assuming that the attacker can only provide the textual representation for those values and that by SQL injection you mean executing arbitrary code as a result of parsing the input: no.
Assuming you have control over instances of `Show` and `Read` and you are careful to keep your code pure, it doesn't matter what input is provided by the attacker: your code is pure and doesn't have side-effects, hence something like "SQL injection" is not possible.
Obviously the attacker could provide an input that requires a lot of time/resources to parse, but this is a DoS attack, which is different from an SQL injection-like attack.
Upvotes: 3