Are You Checking Types?

Static type checking with mypy

solution Are You Checking Types?
default

Oswaldo Parada

The dominoes game is simple, there are 28 tiles (standard version), each one with a unique combination of two numbers of pips between 0 and 6. The game’s objective is to be the first player to place all the own tiles on the table. For this, each player takes turns to place a tile adjacent to those already on the table as long as the number of pips matches. Most people believe that dominoes is more a game of luck than anything else. In fact, it’s a game of strategy. A good player checks the tiles on the table, counting how many pieces of a certain number of pips are already placed and which ones the opponents have. By knowing this, they can choose the best tile to place and force the opponents to play in a certain way. So, if you always bite the dust in the dominoes, maybe it’s because you’re not checking enough.

Ludopathy

We can relate the coding in Python with a game of dominoes. The script is the tiles on the table, so the players are the developers. The tiles would be small pieces of code. Again, developers take turns to place tiles. However, the goal now is that all players win! So, they can put in a single script all the code tiles they have. The final result would be a perfectly coupled script specially assembled to do a certain task. But if everyone can win, then everyone can lose. And if your developers' team is already used to constantly losing games, then, just like in dominoes, you’re not checking enough!

Family playing dominoes

Figure 1. Dominoes can be compared with the development activity.

Bankruptcy

There are many reasons why you can lose in the coding-in-Python game, but not checking well is one of the most common. Specifically, I’m talking about checking the type of variables or data structures in your code.

For example:

Add integers method in Python.

def add_integers(a, b):
  return a + b

add_integers(2, 3) # 5

At first sight, the function seems fine. It works as expected, but it has a huge problem. In the following example, we’ll use the same \add_integers\ method, but we’ll make a change.

Adding strings.

add_integers('2', '3')  #  '23'

The code still works as it should be, but it’s not the result we expected; we managed to "cheat" the function to add strings instead of integers.

I know this doesn’t say much, but I’ll show you the destructive potential of this feature with another example using the same add_integers function:

A more complex application with no variable typing.

def taxes_calculation(apple_price, taxes_rate):
  return apple_price * taxes_rate

def apples_sale(n_apples, apple_price):
  initial_price = n_apples * apple_price
  taxes = taxes_calculation(initial_price, 0.16)
  result = add_integers(initial_price, taxes)
  return result

apples_sale(3, 20) # 69.6

# Nothing bad until here, but what if we…

apples_sale('3','20') # TypeError: can't multiply
sequence by non-int of type 'str'

Now you can cry. Your apple sales business went bankrupt by simply changing the type of input variables.

Oh, the irony!

Dear reader, if you’re a pythonista who doesn’t allow yourself to be surprised so easily, you may be saying: "Wait, what? Python is a program with dynamic typing; that’s its point, I don’t have to define the type of variables because the interpreter can understand what the type is." Yes, that’s true, but the interpreter is not guilty of having an entanglement of thousands of methods that depend on each other. The interpreter is not guilty that any method can modify the state, including the variable type.

Get started with Fluid Attacks' Secure Code Review solution right now

I’ll give you the solution now: Go functional and set the type of your variables! If you want to know how to do that, keep reading.

Canard à l’orange

Many scholars call the typing in Python "duck typing." The name comes from this premise: "If it goes like a duck and it quacks like a duck, then it must be a duck." In this way, we understood that Python knows what the type is by analyzing the behavior and attributes of a variable. Honestly, in Fluid Attacks, we prefer the Canard à l’orange ("duck with orange" in French) instead of living with it in our code.

How to pluck a duck?

We already know why we shouldn’t let the interpreter choose what type of variable we’re working with. It may sound a little laborious to have to type each variable, but this task is easy in Python 3:

Add integers method with typed variables.

def add_integers (a: int , b: int) -> int:
   return a +  b

add_integers(2 , 3) # 5

Let’s see if this solves the problem:

The cruel reality.

add_integers('2', '3') # '23'

I lied to you again. Typing variables in Python doesn’t do anything to how the code is executed. Python is like a child who believes everything you tell him; no matter if you set the type or not, it’ll continue to obey.

Mypy to the rescue

Setting variable types is useful when we use a tool that has become popular among the pythonistas: mypy. Mypy is a static type checker. It uses the type hints defined in the code to validate that these hints are met in the parts of the code where the variables are used. This tool runs separately from the execution of the code.

You can use the following command to install mypy in Python 3:

Mypy installation.

python3 -m pip install mypy

Now, we just have to make sure that the code we want to check is saved in a script and then run the following command:

Command to use mypy.

python3 -m mypy name_of_my_file.py

Let’s go back to the example of <<\adding-integers\>> and save it in a script called add_integer_method.py. Now we use mypy:

Using mypy in a known script.

python3 -m mypy  add_integer_method.py
#... No output

If there’s no output when running the command, the code is correct and can be executed. Now we add the <<\adding-strings, adding strings example\>> to the file and run mypy again:

Warnings.

$ python3 -m mypy  add_integer_method.py

# add_integer_method.py:4: error: Argument 1 to "add_integers"
has incompatible type "str"; expected "int"
# add_integer_method.py:4: error: Argument 2 to "add_integers"
has incompatible type "str"; expected "int"

Eureka! Mypy was able to discover that we set a string into a method that was defined with integer type inputs. Here we use a very small and maybe obvious example, but imagine applications of thousands of code lines. Now, with a single command, we can check the variable types.

Conclusions

We demonstrated the importance of setting the variables' types that we’ll use and showed how fatal it’s to not check them. Mypy is a useful tool in any development activity, but it’s especially powerful in projects where more than one developer contributes. With mypy, we can debug easier or ensure that code with the wrong types is not deployed to production. Of course, Mypy is not a straitjacket; this library doesn’t impose anything on us; we decide to ignore or solve the warnings it shows us. Finally, we make the recommendation to implement functional code in your programs; this will make your code more durable, cleaner and easier to debug. This programming paradigm takes on more versatility when merged with tools like mypy, which turns very tedious processes into a matter of seconds. If you still don’t know much about functional programming in general or functional programming in Python, we invite you to read the posts "Why We Go Functional?" and "Road to Functional Python". You already have the knowledge, so will you check types?

Share

Tags:

Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Tamas Kolossa on Unsplash

Secure Your Web Apps And Websites

Vulnerability scanning and pentesting for a safer web

Photo by sebastiaan stam on Unsplash

UXSS to Account Takeover in Rushbet

Injecting JS into one site is harmful, into all, lethal

Photo by Dmitry Ratushny on Unsplash

BAS vs. Pentesting vs. Red Teaming

Differences between these security testing approaches

Photo by Kostiantyn Li on Unsplash

Our CASA-Approved Static Scanning

Our CLI is an approved AST tool to secure cloud apps

Photo by Ralston Smith on Unsplash

Secure Coding in Five Steps?

A simple approach to try out in cybersecurity training

Photo by Dima Pechurin on Unsplash

Code Quality Must Include Security

Open the door to security as a quality requirement

Photo by Museums Victoria on Unsplash

Indispensable Manual Code Review

Use of automated tools only? Don't stick to your guns!

Photo by Nahel Abdul Hadi on Unsplash

Account Takeover in KAYAK

So it's the app itself that delivers the cookie to me?

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial

SERVICE

Continuous Hacking

SOLUTIONS

Application security

Compliance

Systems

PLATFORM

Platform overview

SCANNING AND ANALYSIS PRODUCTS

SAST

DAST

MAST

SCA

Attack Resistance Management (ARM)

PTaaS

RE

RESOURCES

Blog

Clients

Downloadables

Documentation

COMPANY

About us

Certifications

Partners

Careers

Contact us

Plans

Advisories

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.

Service status

Terms of use

Privacy policy

Cookie policy