Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Ideas Wanted for Perl::Critic Security Policies

by jthalhammer (Friar)
on Jun 30, 2006 at 18:35 UTC ( #558646=perlmeditation: print w/ replies, xml ) Need Help??

I've been thinking about creating some security-related policies for Perl::Critic. But other than taint checking, I'm not really familiar with Perl's security holes and features. What are some "best practices" for ensuring that Perl programs are safe from hackers?

-Jeff

Comment on Ideas Wanted for Perl::Critic Security Policies
Re: Ideas Wanted for Perl::Critic Security Policies
by radiantmatrix (Parson) on Jun 30, 2006 at 19:03 UTC

    Using the 3-parameter form of open would be a good practice to check for. It would be good to warn about system or exec calls that pass arguments inside the first parameter (i.e. system("$command $arg1 $arg2") instead of system($command, $arg1, $arg2)).

    If practical, warning about DBI statements that use inline variables where prototypes are better (i.e. $dbh->prepare("update table set my_val = $somevalue") instead of $dbh->prepare("update table set my_val = ?")). I'm guessing that would be a challenge, but it sure would be nifty.

    Yes, proper untainting would probably solve these issues, but I've seen too many coders untaint such things extremely poorly.

    <radiant.matrix>
    A collection of thoughts and links from the minds of geeks
    The Code that can be seen is not the true Code
    I haven't found a problem yet that can't be solved by a well-placed trebuchet
      Using the 3-parameter form of open would be a good practice to check for.
      There's a InputOutput::ProhibitTwoArgOpen in the Perl::Critic distro already..

      The DBI one would be a 'challenge' :) .. not sure how it'd be possible to distinguish between $dbh->prepare("update table set my_val = $somevalue") (NOT OK) and $dbh->prepare("update $TABLENAME set my_val = ?") (OK) without actually parsing the sql .. plus there's the circumvention of $sql = "update table set my_val = $somevalue"; $sth=$dbh->prepare($sql); as well (or can you back-trace that w/PPI?)..

      I took a crack at the system/exec one (see RFC: Perl-Critic policy: ProhibitInlineSystemArgs), though i think there's problems catching all of those, too.. e.g. system( join(" ", $cmd, @args) )
Re: Ideas Wanted for Perl::Critic Security Policies
by eyepopslikeamosquito (Canon) on Jun 30, 2006 at 21:28 UTC
Re: Ideas Wanted for Perl::Critic Security Policies
by Joost (Canon) on Jun 30, 2006 at 23:37 UTC
Re: Ideas Wanted for Perl::Critic Security Policies
by petdance (Parson) on Jul 03, 2006 at 06:45 UTC
    Taint mode, baby.

    xoxo,
    Andy

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlmeditation [id://558646]
Approved by Hue-Bond
Front-paged by gmax
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (5)
As of 2014-12-21 02:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (101 votes), past polls