I'm interested in the API and implementation of the "safe-by-default"
package that was written for Spanner, mentioned at the 16 minute mark
of https://www.usenix.org/conference/usenixsecurity15/symposium-program/presentation/kern
.

Is the Go version just a static checker or similar addition to go vet? If
so, could it be extracted for use with database/sql ?

Damian

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • Matt Silverlock at Nov 27, 2015 at 1:55 am
    Seems similar to https://github.com/stripe/safesql


  • Damian Gryski at Dec 9, 2015 at 10:02 am
    Really? *Nobody* from Google wants to comment on this? :(
  • Ian Lance Taylor at Dec 9, 2015 at 7:20 pm

    On Wed, Dec 9, 2015 at 2:02 AM, Damian Gryski wrote:
    > Really? *Nobody* from Google wants to comment on this? :(

    I have not watched the video, and from your description I honestly
    have no idea what this refers to. Are you sure there is a Go version?
    Spanner is not written in Go.

    Ian
  • Damian Gryski at Dec 9, 2015 at 7:35 pm

    On Wednesday, December 9, 2015 at 8:20:23 PM UTC+1, Ian Lance Taylor wrote:
    > On Wed, Dec 9, 2015 at 2:02 AM, Damian Gryski <dgr...@gmail.com> wrote:
    >> Really? *Nobody* from Google wants to comment on this? :(
    > I have not watched the video, and from your description I honestly
    > have no idea what this refers to. Are you sure there is a Go version?
    > Spanner is not written in Go.

    The presentation is talking about careful API design to prevent security
    issues. For example, the way html/template actually parses the HTML,
    JavaScript, and CSS to know how to safely escape template variables in
    context to prevent XSS attacks.

    The first project Christopher Kern talks about is an SQL API that makes SQL
    injections very difficult: the requirement is that any query string must be
    constructed out of only compile-time constant strings with placeholders,
    and the query parameters are handled separately and so escaped
    appropriately. On page 12 of his slides (
    https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_kern.pdf
    ) and near the 16-minute mark of the presentation, he mentions having built
    a version of this SQL-injection-free API for the C++ and Java client
    libraries for F1, and for the C++, Java, and Go client libraries for
    Spanner.

    He says the Java version uses annotations coupled with a static
    analyzer to enforce the "compile-time constant" requirement. I assume the
    C++ versions are similarly done with types and perhaps template magic. My
    question then was about how the Go version was implemented. Was it also a
    set of types and static analysis tools? Did this API make sense to be
    included in a future /x/database/ package? Was it a vet check or other
    static tool that could be easily extracted and applied to the existing
    database/sql query package?

    Hope this clarifies my question.

    Damian

  • Ian Lance Taylor at Dec 9, 2015 at 8:36 pm

    Thanks, that was enough for me to track it down. It looks pretty
    straightforward. The relevant functions take arguments of type
    stringConstant, an unexported type defined as `type stringConstant
    string`. That permits callers to pass any untyped string constant,
    but they can't pass any variable or function result because they won't
    have a value of the right type. The only way to get a value of the
    right type is to call functions in the package. Unfortunately, I
    don't think we can apply this technique to the database/sql package
    without breaking the Go 1 compatibility guarantee.

    Ian
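
The `stringConstant` technique Ian describes above, checked mechanically (an added example, not code from the thread or from the Spanner client library). The package name `safequery`, the `Exec` function and the caller snippets are constructed for illustration; `go/types` type-checks a caller in a separate package to show which query arguments the compiler would accept.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed stand-in for the library: Exec accepts only the unexported type.
const libSrc = `package safequery
type stringConstant string
func Exec(query stringConstant, args ...interface{}) {}`

// Constructed caller in another package; %s is the query argument under test.
const callerTmpl = `package caller
import "safequery"
const untyped = "SELECT name FROM users WHERE id = ?"
const typed string = "SELECT name FROM users WHERE id = ?"
func lookup(name string) { safequery.Exec(%s, name) }`

// onePkg is a types.Importer that resolves every import to a single package.
type onePkg struct{ p *types.Package }
func (o onePkg) Import(string) (*types.Package, error) { return o.p, nil }

// typeCheck parses and type-checks one in-memory source file as package path.
func typeCheck(path, src string, imp types.Importer) (*types.Package, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, path+".go", src, 0)
	if err != nil {
		return nil, err
	}
	return (&types.Config{Importer: imp}).Check(path, fset, []*ast.File{f}, nil)
}

// Compiles reports whether the caller type-checks with queryExpr as the query.
func Compiles(queryExpr string) bool {
	lib, err := typeCheck("safequery", libSrc, nil)
	if err == nil {
		_, err = typeCheck("caller", fmt.Sprintf(callerTmpl, queryExpr), onePkg{lib})
	}
	return err == nil
}

func main() {
	for _, e := range []string{`"SELECT 1"`, `untyped`, `typed`, `name`} {
		fmt.Printf("%-10s accepted=%v\n", e, Compiles(e))
	}
}
```

A typed constant (`const typed string`) is rejected just like a variable, while literals, untyped constants and concatenations of them are accepted.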

  • Caleb Spare at Dec 9, 2015 at 8:44 pm
    Oh, that's clever.

    I'd previously seen discussions about the danger that someone can
    unintentionally make a bad value of your unexported (string, int, etc)
    type by providing a constant value. This is the first time I've
    encountered the intentional use of that feature.


Discussion Overview
group: golang-nuts
categories: go
posted: Nov 26, '15 at 9:12p
active: Dec 9, '15 at 8:44p
posts: 7
users: 4
website: golang.org
