StringBorg

Introduction

StringBorg is a solution to injection attacks for arbitrary languages. StringBorg prevents injection attacks by embedding the syntax of guest languages (for example SQL, LDAP, Shell, XPath) in the host language (PHP, Java) and applying the proper escaping rules and positive checking automatically to all direct or indirect user input.

Documentation:

• Technical report: "Preventing Injection Attacks with Syntax Embeddings -- A Host and Guest Language Independent Approach" available from the website of our research group (pdf).
• Blog: http://mbravenboer.blogspot.com/search/label/stringborg

Supported languages

Currently, StringBorg supports PHP and Java as host languages.

Supported guest languages are:

• SQL-92
• LDAP search filters
• Shell
• XPath
• XML

If you have suggestions or requests for languages that we should support, then please let us know (contact one of the developers or join our mailing list).

Download

Stable Releases

Currently no stable releases are available.

Latest Developments

Distributions (tarball, rpm, srpm) of the head revision are created continuously. We advice to install StringBorg using Nix one-click install or RPM.

• http://buildfarm.st.ewi.tudelft.nl/releases/strategoxt/stringborg-unstable-latest/

The distributions contain the latest of the latest developments, but if you really want to, the latest sources can be checked out using:

  svn checkout https://svn.strategoxt.org/repos/StrategoXT/stringborg/trunk

Before you can configure the package as described above you have to run the ./bootstrap script.

Latest Samples

Samples for StringBorg are available in the standard distribution (subdirectory stringborg-samples), but also as a separate package to make the samples easier to use if you use a deployment system (RPM, Nix) for the installation of StringBorg. The latest tarball of the samples can be obtained from:

• http://buildfarm.st.ewi.tudelft.nl/releases/strategoxt/stringborg-samples-unstable-latest/

You need to install the samples: a plain ./configure will configure the package (all its dependencies should be detected automatically) and you can make the samples using make check. In the various subdirectories you can of course also run the individual targets to generate specific files. See Makefile.samples for information on the targets.

Installation

Install the package with the usual sequence of commands:

$ ./configure
$ make
$ make install

You might need to set your PKG_CONFIG_PATH if you did not install the dependencies in a standard location. Configure will tell you to do this if it cannot find aterm, sdf, strategoxt, java-front, or sql-front.

Dependencies

StringBorg depends on:

• ATerm library (aterm)
• Latest unstable SDF2 Bundle (sdf2-bundle)
• Latest unstable Stratego/XT (strategoxt)
• Latest unstable Java-front (java-front)
• Latest unstable SQL-front (sql-front)
• Latest unstable PHP-front (php-front)
• Java Development Kit providing java and javac.

Project Info

Issue Tracking

We use JIRA to keep track of issues. Please report any issues that you encounter!

• http://yellowgrass.org/BORG

Contact and Mailing List

Please send questions to the stratego@cs.uu.nl mailing list. Also, the StringBorg developers are usually available on IRC at irc.freenode.net/stratego. Feel free to drop by!

Source Repository

The sources of StringBorg are available from Subversion.

• https://svn.cs.uu.nl:12443/repos/StrategoXT/stringborg/trunk

Team

Contributors:

• Martin Bravenboer (lead developer)
• Eelco Dolstra
• Eelco Visser

Sponsors:

• Utrecht University, Department of Information and Computing Sciences
• Delft University of Technology, Software Engineering Research Group
• NWO Jacquard project TraCE

License

StringBorg is LGPL (GNU Lesser General Public License) software.

Related Software

• Java-front provides a syntax definition and pretty-printer for Java.
• SQL-front provides a syntax for definition for SQL.
• PHP-front provides a syntax for definition for PHP.
• www.metaborg.org gives an overview of MetaBorg related software and publications.