Graham Bleaney Profile
Graham Bleaney

@GrahamBleaney

Followers
272
Following
226
Media
8
Statuses
61

Security Engineering Manager @meta, leading a team scaling the detection and prevention of web vulnerabilities

New York, New York
Joined March 2011
@GrahamBleaney
Graham Bleaney
3 years
It's official: PEP 675 has been accepted! Once you've got Python 3.11 and a type checker that supports it (Pyre already does 🙂), try using LiteralString to make your Python code safer by preventing SQLi and all other kinds of injection attacks.
1
2
9
@GrahamBleaney
Graham Bleaney
2 years
My team is hiring for a unique role, taking the static analysis tools we've developed for security use cases and applying them to solve some of our most pressing privacy needs. DMs are open if you want to learn more!
0
3
10
@GrahamBleaney
Graham Bleaney
3 years
Recording of my #Enigma2022 talk is now live:
0
0
3
@GrahamBleaney
Graham Bleaney
3 years
If you're curious about how it works, my co-author and I will be presenting about LiteralString (and other uses of typing for security) at this year's PyCon.
0
0
0
@GrahamBleaney
Graham Bleaney
3 years
Late to the game on this one but I really loved Ryan Pickren's latest writeup on UXSS on Safari. I think he undersells the work involved to get there, but does an excellent job highlighting how far you can get by looking at old protocols, file types, etc:
0
0
0
@GrahamBleaney
Graham Bleaney
4 years
This functionality is already supported in Pyre if you want to try it. Feedback on the PEP would be greatly appreciated!
0
0
0
@GrahamBleaney
Graham Bleaney
4 years
But queries safely built from only string literals will be allowed:

    user_id: str
    query = f"SELECT * FROM data WHERE user_id = ?"
    if limit:
        query += " LIMIT 1"
    conn.execute(query, user_id)  # OK: the SQL text is built only from literals
1
0
0
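The Literal[str] (now LiteralString) API sketched in this tweet and the one below it, as an added example that is not code from the thread or from PEP 675: a hypothetical SafeConnection wrapper over sqlite3 whose execute() is typed to accept only LiteralString SQL. The table and rows are constructed; the interpreter only demonstrates parameter binding, while the rejection of fetch_notes_unsafe shows up when a type checker such as Pyre or mypy is run on the file.

```python
import sqlite3
from typing import Iterable

try:
    from typing import LiteralString  # Python 3.11+, PEP 675
except ImportError:  # assumption: older interpreter; alias keeps the code runnable
    LiteralString = str  # type: ignore[misc,assignment]


class SafeConnection:
    """Hypothetical wrapper: execute() only takes SQL typed as LiteralString,
    i.e. text a type checker can prove was assembled from literals alone."""

    def __init__(self) -> None:
        self._conn = sqlite3.connect(":memory:")
        # Constructed sample data for the demonstration.
        self._conn.execute("CREATE TABLE data (user_id TEXT, note TEXT)")
        self._conn.executemany(
            "INSERT INTO data VALUES (?, ?)",
            [("alice", "a1"), ("alice", "a2"), ("bob", "b1")],
        )

    def execute(self, sql: LiteralString, parameters: Iterable[object] = ()) -> list:
        # Data always travels through parameters; it never reaches the SQL text.
        return self._conn.execute(sql, tuple(parameters)).fetchall()


def build_query(limit: bool) -> LiteralString:
    # Every fragment is a literal, so the concatenation stays LiteralString.
    query = "SELECT note FROM data WHERE user_id = ? ORDER BY note"
    if limit:
        query += " LIMIT 1"
    return query


def fetch_notes(conn: SafeConnection, user_id: str, limit: bool = False) -> list:
    # Accepted by the checker: literal-only SQL plus a bound parameter.
    return conn.execute(build_query(limit), (user_id,))


def fetch_notes_unsafe(conn: SafeConnection, user_id: str) -> list:
    # Rejected by the checker: interpolating a plain str into the f-string
    # makes `query` a str, not a LiteralString, so execute() will not take it.
    query = f"SELECT note FROM data WHERE user_id = '{user_id}'"
    return conn.execute(query)
```

Because user input only ever reaches the database as a bound parameter, a value shaped like an injection payload simply matches no row.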
@GrahamBleaney
Graham Bleaney
4 years
Imagine updating a SQL API to accept Literal[str]:

    def execute(self, sql: Literal[str]): ...

Queries like this will now be rejected by your type checker:

    user_id: str
    query = f"SELECT * FROM data WHERE user_id = {user_id}"
    conn.execute(query)  # Type Error!
1
0
0
@GrahamBleaney
Graham Bleaney
4 years
The idea is that Literal[str] represents strings built only from string literals (i.e. "foo"). This lets you dynamically build SQL (and other) commands as developers love to do, while at the same time ensuring those dynamically built commands do not contain user-controlled data.
1
0
0
@GrahamBleaney
Graham Bleaney
4 years
We have a draft PEP up for adding a new Literal[str] type to #Python3. When used correctly, this type can prevent all kinds of injection vulnerabilities. We've been experimenting with this at Meta for a while, and are excited to share it with the world.
1
0
2
@GrahamBleaney
Graham Bleaney
4 years
I'll be presenting "Teaching an old dog new tricks: Reusing security tools in novel domains" at #Enigma2022 in Santa Clara, February 1–3, 2022. It provides case studies of how security tools like Pysa have been used in non-security applications at Facebook
1
1
7
@GrahamBleaney
Graham Bleaney
4 years
RT @OrenHafif: We are looking for an experienced application security engineer to help build a world where everyone, everywhere has secure….
0
6
0
@GrahamBleaney
Graham Bleaney
4 years
Our #PyCon 2021 talk "Unexpected Execution: Wild Ways Code Execution can Occur in Python" is now on YouTube. I guarantee there will be at least one RCE vector in there that you weren't aware of. It also comes with demos.
0
5
17
@GrahamBleaney
Graham Bleaney
4 years
RT @NAKsecurity: The second round of our RFP is now published, with proposals being accepted until July 14! . "Towards Trustworthy Products….
0
10
0
@GrahamBleaney
Graham Bleaney
4 years
To go with the #PyConUS2021 talk, we've also got a demo repo with examples of functions that enable code execution in Python. There's a UI to test exploits against and a machine-readable dump of sinks to feed to your static analyzers (including Pysa 😀).
1
2
7
@GrahamBleaney
Graham Bleaney
4 years
RT @fbOpenSource: 🤔 Explain Like I’m 5 🤔. In just over a minute, Jessica (@hey_its_jlin) gives an overview of #Pysa, an #OpenSource Python….
0
18
0
@GrahamBleaney
Graham Bleaney
4 years
For those attending @pycon (it's too late to sign up!), check out the talk @the_st0rm and I are giving on the myriad of APIs that can enable remote code execution in Python. These examples were originally compiled as a part of our work on Pysa.
1
7
16
@GrahamBleaney
Graham Bleaney
5 years
RT @libber: A decade of facebook bug bounty. 130,000 reports, 6,900 valid, 11.7million paid out. An incredible t….
0
7
0
@GrahamBleaney
Graham Bleaney
5 years
Found this fun tidbit when looking into Python's standard library. What do you think happens when you run it? Hint: it's exactly what you think shouldn't happen.

    from typing import get_type_hints

    class C:
        member: "print('test')" = None

    get_type_hints(C)
0
0
3
@GrahamBleaney
Graham Bleaney
5 years
RT @libber: Sometimes we find bugs in code that isn't ours, now (following the p0 playbook) we have a pathway to disclose them https://t.co….
0
6
0