Taint checking in Clojure[Script]?

I just learned about Taint checking: Taint checking - Wikipedia

And I find it pretty neat, seems like a nice way to test for some security vulnerabilities.

Is there anything like it for Clojure[Script] that someone knowns about?

In Haskell, this is one of the canonical example cases of using the type system to your advantage… I’m not sure what would be a good way of enforcing this in Clojure, probably meta-data, and diligent tracking thereof?

It seems Taint Checking was pioneered by Perl, and that Ruby has it as well, so it seems like doing it for a dynamically typed language is doable.

1 Like

Not an answer, but Perl appears to track taint as a bit on every scalar. Clojure uses Java scalars and Strings, which do not do that. You could do Perl-style taint tracking in the JVM, with custom “scalars” that are really JVM objects, but the technique would not play well with interop.

By the way: consider Perl’s definition of the problem: “You may not use data derived from outside your program to affect something else outside your program–at least, not by accident” (perlsec - Perl security - Perldoc Browser). Is runtime taint checking even the best, most interesting solution to that problem?

Hum, it looks like SonarQube does some form of static taint analysis for Java, and I can’t find out for sure, but it seems like it analyzes compiled .class bytecode.

If that’s true, it might work with Clojure. Anyone tried SonarQube with Clojure before?

The Checker framework in Java land is how I’ve tackled things in that space before. It leverages annotations to layer on additional type systems for static rule enforcement at compile time, such as tainted data of various flavors, null safety, etc.

In a dynamic context like Clojure, the simplest path (though not likely the most performant) seems to be to leverage metadata and guard checking to propagate the meta-type information you’re interested in.

Finally, since taint analysis is a kind of data flow analysis, I expect techniques in the type inference and general data flow space would be applicable as well. Many of those, however, tend to apply at compile time in more statically typed languages so you’d need to translate those to the dynamic space.