Meaning what you say

(Before you read this, “Effective partnerships” provides context)

Node.js works by sending messages. For example:

* HTTP messages
* Shell callouts via child_process
* Database queries
* IPC

We can’t be faithful stewards of our users’ interests unless the code that constructs these messages preserves our intent even when parts are controlled by attackers.

In “If we knew what bad looked like …” I talked about splitting the problem of knowing that you’re doing what you ought in two:

1. marking as trusted things that are safely constructed where you have the context to make such a determination, and
2. checking trustedness before doing things you can’t undo.

In “Fast moving teams don’t …” I talked about guiding developers away from
error-prone APIs. Here I’d like to tie that together.

We’ve been using techniques like these in Google for years, and it turns out that the vast majority of trusted values are created by a few pieces of critical framework code. I’ve tried to address some that are of particular interest to
many Node.js apps.

• The Attach Review Testbed uses code like sh`mv -n — ${ tempPath } ${ imagePath }` to invoke sh-template-tag which understands the structure of Bash and safely constructs, in a few lines, a shell string that does a lot of work.
  Previously discussed sensitive module hooks guide developers away from child_process to a safe wrapper that checks that the shell string is marked safe.
• It also uses code like safesql.pg`SELECT rightaid AS friend FROM Friendships WHERE leftaid=${ aid }` which understands the Postgres SQL grammar at a deep level.
• Finally, to make sure that it doesn’t ship untrustworthy HTML to the client,
  it uses a safe template language that understands how HTML embeds other languages like URLs, JS, and CSS.

Tools that are aware of the languages of the messages they construct can safely compose messages. When values can be marked safe in context, these tools avoid over-escaping by recognizing properly marked values.

This means that the output of a safe HTML sanitizer can feed into a safe HTML template language unhindered.

Technical measures that guide developers towards safe tools allow fairly small
investments in tool engineering to pay huge dividends.