PerlMonks  

Vulnerabilities when editing untrusted code... (Komodo)

by LanX (Canon)
on May 30, 2010 at 22:30 UTC (#842303=perlmeditation)

I'm just having a look at the Komodo IDE 5.1 and am observing a nice bundle of diverse Emacs features (though perceptibly slower and limited by python implementation ...).

For instance there is a feature called flymake-mode in Emacs lingo, which automatically compile-checks the code currently being edited and flags errors "on the fly".

...BUT with the difference that this is enabled by default in Komodo (maybe you already wondered how Komodo manages to underline problematic code lines in red).

Unfortunately this opens a new security issue: not only can installing a Perl module be dangerous, just opening it in some editors can already be harmful.

Just putting a BEGIN { ...do something evil ...} hidden somewhere in the investigated code will cause surprising effects for unwary Komodo users opening it...

Maybe someone feels motivated now to mail some files to colleagues using Active State editors?

Or do you know fellow programmers automatically opening perl code web links in their editor of choice? ;-)

Cheers Rolf

PS: I remember slightly that one of the first big hacking attacks was carried out in the 80s by abusing an emacs vulnerability ...

The only approach I can think of to solve this issue (besides deactivating the feature by default) is to automatically replace each BEGIN, CHECK and UNITCHECK block with something like sub __BEGIN__ { ... } before running perl -c...

Re: Vulnerabilities when editing untrusted code...
by BrowserUk (Pope) on May 30, 2010 at 23:11 UTC

    Use a sensible editor, instead of an operating system, to view and edit your source files. :)

      I'm not using Komodo...

      Cheers Rolf

        Sorry. Beyond the name I've no knowledge of Komodo. I meant Emacs.

      Every perl editor which tries to check for compile time errors and warnings (Komodo, Padre, emacs with flyspell using perl -c, vi?) needs to put use Safe up front, and no Safe at the end of the BEGIN or the beginning of INIT.

      This cannot be done within Perl generally as users need to execute BEGIN blocks, just not in editors.

      The only remaining problem with Safe is then XS code, which might get executed at compile-time and cannot be checked for harm.

        Every perl editor which tries to check for compile time errors and warnings...

        Which is one reason I don't use such editors. It's like sticking your finger in a power socket to check if it's live.


        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        Hi Reini

        I'm not sure what you mean... the editor should parse the code for all occurrences of BEGIN, CHECK and UNITCHECK and wrap each block with "use Safe" and "no Safe"?

        Regarding the described problems of parsing for such blocks, I have no idea how to achieve this reliably without adding a hook to Perl's parser.

        Please see Intercepting compile time blocks like BEGIN {} for a more detailed description of what I mean.

        Cheers Rolf

Re: Vulnerabilities when editing untrusted code... (Komodo)
by mtve (Chaplain) on Jul 01, 2010 at 09:50 UTC

    your approach wouldn't help:

    exit; ''=~('(?{B'.'EGIN{print "owned"}})')

    see also Acme::EyeDrops

      Really???

      lanx@nc10-ubuntu:~$ cat >/tmp/tst.pl
      exit; ''=~('(?{B'.'EGIN{print "owned\n"}})')
      lanx@nc10-ubuntu:~$ perl /tmp/tst.pl
      owned
      lanx@nc10-ubuntu:~$ perl -c /tmp/tst.pl
      /tmp/tst.pl syntax OK

      A syntax check doesn't execute your code!

      UPDATE:

      corrected test:

      lanx@nc10-ubuntu:/tmp$ cat >tst.pl
      exit; ''=~('(?{B'.'EGIN{print "owned"}})')
      lanx@nc10-ubuntu:/tmp$ cat tst.pl
      exit; ''=~('(?{B'.'EGIN{print "owned"}})')
      lanx@nc10-ubuntu:/tmp$ perl -c tst.pl
      tst.pl syntax OK
      ownedlanx@nc10-ubuntu:/tmp$

      WOW! 8(

      Cheers Rolf

        well, it actually executes for me:
        $ perl -c tst.pl
        owned
        tst.pl syntax OK
        $ perl -MO=Deparse tst.pl
        owned
        exit;
        '' =~ /(?{BEGIN{print "owned\n"}})/;
        tst.pl syntax OK
        $ perl --version

        This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi

        Copyright 1987-2007, Larry Wall

        Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit.

        Complete documentation for Perl, including FAQ lists, should be found on this system using "man perl" or "perldoc perl". If you have access to the Internet, point your browser at http://www.perl.org/, the Perl Home Page.
        $
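The rewrite proposed in the original post (turning BEGIN/CHECK/UNITCHECK into a never-called sub before running perl -c) and the evasion mtve posts are put side by side below, as an added Python example that is not code from any poster in this thread. It applies the OP's textual rewrite, shows that it rewrites nothing in mtve's sample because the word BEGIN never appears in that source, and then runs a defender-side tripwire that an editor could consult before auto-invoking perl -c on an untrusted file. The function names, the pragma allowlist and the three sample sources are my own constructions.

```python
import re

# Compile-phase blocks: perl runs their bodies while compiling, so they fire
# under `perl -c` exactly as they do under a normal run.
PHASE_BLOCKS = ("BEGIN", "UNITCHECK", "CHECK", "INIT")

# Pragmas treated as harmless by the `use` check; every other `use` loads and
# runs a module at compile time. Assumption: this allowlist is mine, not the thread's.
BENIGN_PRAGMAS = {"strict", "warnings", "utf8", "feature"}

# Constructed sample 1: a plain BEGIN block, the case the OP's rewrite targets.
PLAIN_BEGIN = 'BEGIN { print "owned" }\nprint "hello\\n";\n'

# Constructed sample 2: mtve's evasion from the thread. "BEGIN" is assembled from
# 'B' . 'EGIN' inside a (?{ ... }) regex code block, which perl compiles (and
# therefore executes) even under -c.
SPLIT_BEGIN = "exit; ''=~('(?{B'.'EGIN{print \"owned\"}})')\n"

# Constructed sample 3: an ordinary script that must not be flagged.
BENIGN = 'use strict;\nuse warnings;\nprint "hello\\n";\n'

_PHASE_RE = re.compile(r"\b(" + "|".join(PHASE_BLOCKS) + r")\s*\{")
_USE_RE = re.compile(r"^\s*use\s+([\w:]+)", re.M)
_REGEX_CODE_RE = re.compile(r"\(\?\??\{")  # matches (?{ ... }) and (??{ ... })


def rewrite_phase_blocks(src):
    """The OP's proposal: turn `BEGIN {` into `sub __BEGIN__ {` so the block is
    compiled as a subroutine that is never called.
    Returns (rewritten_source, number_of_blocks_rewritten)."""
    return _PHASE_RE.subn(lambda m: "sub __%s__ {" % m.group(1), src)


def compile_time_risks(src):
    """Defender-side pre-check: reasons a file might run code at compile time.
    Returns a sorted list of reason tags; an empty list means nothing was found.
    This is plain string matching, so it is a tripwire that errs toward false
    positives: a hit means 'do not auto-run perl -c on this file', not
    'this file is malicious'."""
    reasons = set()
    if _PHASE_RE.search(src):
        reasons.add("phase-block")
    if _REGEX_CODE_RE.search(src):
        # Fires even when BEGIN is not visible, which is what catches
        # mtve's split-string sample. Still a heuristic, not a guarantee.
        reasons.add("regex-code-block")
    for m in _USE_RE.finditer(src):
        if m.group(1) not in BENIGN_PRAGMAS:
            reasons.add("use-statement")
            break
    return sorted(reasons)


def safe_to_syntax_check(src):
    """True only when the tripwire finds no compile-time execution path."""
    return not compile_time_risks(src)


if __name__ == "__main__":
    for name, src in (("plain", PLAIN_BEGIN), ("split", SPLIT_BEGIN), ("benign", BENIGN)):
        _, n = rewrite_phase_blocks(src)
        print("%s: rewrite neutralised %d block(s); risks = %s"
              % (name, n, compile_time_risks(src)))
```

The rewrite count of zero on the second sample is the thread's whole point: perl -c is not a pure parse, so any textual pre-processing of untrusted input is racing perl's own constant folding and regex compilation. The tripwire's job is only to tell the editor when to refuse to run the check at all, which is the "deactivate the feature" option from the original post applied per file rather than globally. Non-pragma `use` lines are flagged because loading a module runs its code at compile time, which is the XS concern raised in the Safe discussion above.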
