Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Safe wrapper for user regex?

by gra_kev (Initiate)
on Mar 26, 2013 at 15:26 UTC ( [id://1025543]=perlquestion: print w/replies, xml ) Need Help??

gra_kev has asked for the wisdom of the Perl Monks concerning the following question:

I need to be able to solicit a regex from an untrusted user to match against a set of values. Conveniently ignoring the DoS vector, I do want to avoid the obvious bits such as code execution or leaking internal data via variable interpolation.

use Safe;
#my $stranger_danger = '(?{ system("touch /tmp/foobar") })';
my $stranger_danger = '\d';
my @vals = ( 'a', 'b', 'c', '1', '2' );
my $test_env = new Safe;
$test_env->permit( 'regcomp' );
my $tester = $test_env->wrap_code_ref( sub {
    $_ =~ qr/$stranger_danger/
} );

print "Safely matched ", join( ', ', grep { $tester->( $_ ) } @vals ),
+ "\n";

[download]

This appears to do what I want (e.g. '(?{ system("touch /tmp/foobar") })' is rejected by Safe), but is there anything else to consider? Is there a better way to go about this?

Replies are listed 'Best First'.
Re: Safe wrapper for user regex?
by ww (Archbishop) on Mar 26, 2013 at 16:08 UTC
    Are you unconcerned with the likes of rm -rf.... and dozens of other system and/or utility commands? I need a clearer sesnse of your goal.

    If you didn't program your executable by toggling in binary, it wasn't really programming!

[reply]
[d/l]

      Are you unconcerned with the likes of rm -rf....

      That is kind of what Safe prevents

[reply]
        True. My oversight... so ++ for taking the time to point that out. Thank you. However, my entire answer sort of failed to even hint at what should, perhaps, have been my point, which is (no frills): "It's often better to think about what to allow, and permit only that set, rather than trying to tin-over all the rat holes."

        If you didn't program your executable by toggling in binary, it wasn't really programming!

[reply]
Re: Safe wrapper for user regex?
by Anonymous Monk on Mar 26, 2013 at 15:29 UTC
    Dictionary of regular expressions? XPATH?
[reply]
Re: Safe wrapper for user regex?
by sundialsvc4 (Abbot) on Mar 27, 2013 at 15:13 UTC

    Obviously the safest thing would be not to allow it.   Are there notable CPAN packages which contain regexes and the like to validate and defang regular-expression syntax?   Surely there must be ...

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: perlquestion [id://1025543]
Approved by ChuckularOne
Front-paged by marto
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others studying the Monastery: (6)
As of 2024-04-24 12:34 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found