I need to be able to solicit a regex from an untrusted user to match against a set of values. Conveniently ignoring the DoS vector, I do want to avoid the obvious bits such as code execution or leaking internal data via variable interpolation.
use Safe;
#my $stranger_danger = '(?{ system("touch /tmp/foobar") })';
my $stranger_danger = '\d';
my @vals = ( 'a', 'b', 'c', '1', '2' );
my $test_env = new Safe;
$test_env->permit( 'regcomp' );
my $tester = $test_env->wrap_code_ref( sub {
$_ =~ qr/$stranger_danger/
} );
print "Safely matched ", join( ', ', grep { $tester->( $_ ) } @vals ),
+ "\n";
This appears to do what I want (e.g. '(?{ system("touch /tmp/foobar") })' is rejected by Safe), but is there anything else to consider? Is there a better way to go about this?