Haskell Secure Coding

calendarDec 12, 2024 Β· 2 min read Β· codereview-knowhow haskell security  Β·
Share on: linkedincopy

Secure coding practices for Haskell applications.

SQL Injection Prevention

 1-- ❌ Vulnerable
 2import Database.PostgreSQL.Simple
 3getUserBad :: Connection -> String -> IO [User]
 4getUserBad conn username = 
 5    query_ conn $ fromString $ "SELECT * FROM users WHERE username = '" ++ username ++ "'"
 6
 7-- βœ… Secure: Parameterized queries
 8getUserGood :: Connection -> String -> IO [User]
 9getUserGood conn username = 
10    query conn "SELECT * FROM users WHERE username = ?" (Only username)

Command Injection Prevention

 1-- ❌ Vulnerable
 2import System.Process
 3runCommandBad :: String -> IO String
 4runCommandBad filename = 
 5    readProcess "sh" ["-c", "cat " ++ filename] ""
 6
 7-- βœ… Secure
 8import System.Process
 9import Data.Char (isAlphaNum)
10runCommandGood :: String -> IO (Either String String)
11runCommandGood filename 
12    | all (\c -> isAlphaNum c || c `elem` "._-") filename = 
13        Right <$> readProcess "cat" [filename] ""
14    | otherwise = return $ Left "Invalid filename"

XSS Prevention

 1-- ❌ Vulnerable
 2import Text.Blaze.Html5 as H
 3displayMessage :: String -> Html
 4displayMessage msg = H.div $ toHtml msg
 5
 6-- βœ… Secure: Text.Blaze escapes by default
 7import Text.Blaze.Html5 as H
 8import qualified Data.Text as T
 9displayMessage :: T.Text -> Html
10displayMessage msg = H.div $ toHtml msg
11
12-- For raw HTML (use carefully)
13displayTrustedHtml :: T.Text -> Html
14displayTrustedHtml = preEscapedToHtml

Secure Random Generation

 1-- ❌ Insecure
 2import System.Random
 3generateToken :: IO Int
 4generateToken = randomRIO (0, maxBound)
 5
 6-- βœ… Secure
 7import Crypto.Random
 8import qualified Data.ByteString as BS
 9
10generateToken :: IO BS.ByteString
11generateToken = getRandomBytes 32

Timing Attack Prevention

 1-- ❌ Vulnerable to timing attacks
 2comparePasswords :: String -> String -> Bool
 3comparePasswords = (==)
 4
 5-- βœ… Secure: Constant-time comparison
 6import Data.ByteString (ByteString)
 7import qualified Data.ByteString as BS
 8import Crypto.MAC.HMAC
 9
10constantTimeCompare :: ByteString -> ByteString -> Bool
11constantTimeCompare a b = 
12    BS.length a == BS.length b && 
13    BS.foldl' (\acc (x, y) -> acc && x == y) True (BS.zip a b)

Related Snippets

  • C/C++ Code Smells
    Common code smells in C/C++ and how to fix them. Memory Leaks 1// ❌ Bad 2void …
  • C/C++ Secure Coding
    Secure coding practices for C/C++ applications. Buffer Overflow Prevention 1// ❌ …
  • C/C++ Vulnerability Checks
    Tools for checking vulnerabilities in C/C++ code. Valgrind 1# Install 2sudo apt …
  • Common Antipatterns
    Common software antipatterns to avoid across all languages and architectures. …
  • Common Code Smells
    Common code smells to watch for during code reviews with examples and fixes. …
  • Developer Pre-Submission Checklist
    Comprehensive checklist for developers before submitting a pull request. Code …
  • Go Code Smells
    Common code smells in Go and how to fix them. Ignoring Errors 1// ❌ Bad 2result, …
  • Go Secure Coding
    Secure coding practices for Go applications. SQL Injection Prevention 1// ❌ …
  • Go Vulnerability Checks
    Tools for checking vulnerabilities in Go code. Govulncheck 1# Install 2go …
  • Haskell Code Smells
    Common code smells in Haskell and how to fix them. Partial Functions 1-- ❌ Bad: …
  • Haskell Vulnerability Checks
    Tools for checking vulnerabilities in Haskell code. Cabal Outdated 1# Check …
  • Python Code Smells
    Common code smells in Python and how to fix them. Mutable Default Arguments 1# ❌ …
  • Python Secure Coding
    Secure coding practices for Python applications. SQL Injection Prevention 1# ❌ …
  • Python Vulnerability Checks
    Tools for checking vulnerabilities in Python code. Safety - Dependency Scanner …
  • Reviewer Checklist
    Comprehensive checklist for code reviewers to ensure thorough and constructive …
  • Rust Code Smells
    Common code smells in Rust and how to fix them. Unwrap/Expect Abuse 1// ❌ Bad …
  • Rust Secure Coding
    Secure coding practices for Rust applications. SQL Injection Prevention 1// ❌ …
  • Rust Vulnerability Checks
    Tools for checking vulnerabilities in Rust code. Cargo Audit 1# Install 2cargo …
  • TypeScript Code Smells
    Common code smells in TypeScript and how to fix them. Using any 1// ❌ Bad …
  • TypeScript Secure Coding
    Secure coding practices for TypeScript applications. XSS Prevention 1// ❌ …
  • TypeScript Vulnerability Checks
    Tools for checking vulnerabilities in TypeScript/JavaScript code. npm audit 1# …