Security and robustness is a major concern to a lot of folks in ROS community. Keeping this in mind, I propose that sanitation and validation of inputs (and possibly outputs) be considered as a strong metric for calculating the quality of a package. Here are some of my thoughts:
In order to increase security and robustness, as a first step, we can start with checking inputs from
- Subscribers and service servers
- Command line
- Parameter server
Some kinds of data require sanitation because they are constrained however, those constraints aren’t explicit such as range (input to switch case, pixel values, euler angles), mathematical relationships (quaternions), internal structure (URL, compressed octree maps) among others.
Ensuring the constraints are met in the input is important because of the anyone-can-publish nature of topics and parameters. The lack of good command line argument parsing tools for C++ (an important language in the community) and the allure of using command line for passing arguments can result in an unstable configuration. As a result, some packages are only a key-stroke away from either crashing or worse propagating the error onwards to other packages.
As a community, we should create packages that can handle erroneous inputs gracefully by
- checking range of inputs either against constants (defined in the message)
- using robust libraries like OpenCV which guarantee trimming of input to within acceptable ranges
- using mathematical constraints, such as by normalizing quaternions on input
- range checking while creating data-structures from compressed messages
- using compatible libraries for dealing with URL (1 Each library has a different quirk in URL parsing)
I expect URL parsing to mostly be an issue in the near future with the increase in packages providing nodes to communicate over the internet [2]. However, others are a concern right now, especially during debugging. We can send erroneous input from command line tools which offer no validation (eg: default values for quaternion are [0, 0, 0, 0]).
The effect on performance, code complexity, development effort is expected to be minimum with an assured increase in overall robustness of the software stack. Moreover, a lot of packages already adhere to the best practices like this.
I’d like to confess in advance that I don’t know how to enforce or detect violations automatically, or even what all would constitute a violation of input validation since it might be a non-exhaustive list. Having said that, I’m eager to know your views on the topic and to answer, clarify and discuss.
Thanks
Kunal Tyagi
[2]: By then, hopefully, the issues are resolved in the upstream libraries