Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Security issue and solution for terminal command accessed by public user

by keenlearner (Acolyte)
on Jul 06, 2012 at 16:43 UTC ( #980321=perlquestion: print w/ replies, xml ) Need Help??
keenlearner has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I am trying to make a web base application to convert between units by using the command program called "units" http://linux.die.net/man/1/units

Basically the web application will get the input of a number, from-unit, to-unit then get the result by calling the terminal with perl.

my $output = `units '$number $from_unit' '$to_unit'`; print $output; # the output will be send back to the user browser

What security issue will be the consequence of this ? If any, how to solve the issues ?

Thanks

Comment on Security issue and solution for terminal command accessed by public user
Download Code
Re: Security issue and solution for terminal command accessed by public user
by Anonymous Monk on Jul 06, 2012 at 17:00 UTC

    What security issue will be the consequence of this ? If any, how to solve the issues ?

    You can avoid them by avoiding the shell and using these

    Math::Calc::Units - Human-readable unit-aware calculator

    Physics::Unit - Manipulate physics units and dimensions

      Hi, thanks for your suggestion.

      I have looked into some perl modules for unit conversion, the Physics::Unit is quite complete but still the "units" program is more complete, which provide around 2526 units of conversion.

      Still, the "units" is the preferable choice for the application. I have seen a number of perl module make use of external command line. Aha, I think I have to read their source code and see how they wrap the code. Or is there a tutorial for this ?

      Thanks.

        AnonyMonk suggested avoiding the shell for numerous very good reasons -- some of which would likely be those I would cite: if you use the shell and the external program, you've increased complexity; likely have opened some exploitable security gaps, and added overhead for your server. Unless you think the variety of conversions done by the external program outweigh all of those, heed AM's advice.

        And, in any case, be aware you're reinventing the wheel! Is there some really valid reason to create and invent/install your own wheels, gears, and interfaces when a simple search -- for "unit conversions" or even "conversions" will turn up many existing (and mostly, free) services?

        And, please, read the instructions around the text-entry box. Use <p>...</p> around paragraphs; <c>...</c> around code and data. <pre> tags make your nodes hard to read or bork the rendering for some Monks.

        or is there a tutorial for this ?

        Can you find a tutorial for this?

Re: Security issue and solution for terminal command accessed by public user
by BrowserUk (Pope) on Jul 06, 2012 at 18:31 UTC

    The simple solution is to only accept values that match numeric values and known units:

    use Regexp::Common; my %units = map ($_,1), qw[ miles kilometers pounds kilograms ... ]; my( $num, $from, $to ) = getUserInput(); die 'Bad number input' unless $num =~ /^\s*$RE{num}{real}\s*$]; die 'Bad units input' unless exists $units{ lc $from } and exists $units{ lc $to ); my $res = `units $num $from $to`;

    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

    The start of some sanity?

        Why?


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        The start of some sanity?

      Hi Thanks, I have thought of this. But I was wondering if there's a lazy way to bypass this method, cause then I have to find all the supported units and list in the perl code, that's not a big problem but if in the future if I add a new unit in "units", then have to add in the code also.

        It is the safest way.

        If you trust the quoting modules to handle everything a malicious user might throw at it, buffer overflow attempts and all the other 'ploits the devious minds must expend hundreds of hours dreaming up, go for it.

        I'm not the paranoid type, but I see the ongoing arms race seemingly undampened by the millions of dollars and thousands of hours of expertise that large organisations like MS, Google, Apple et al. throw at similar problems. Am I going to trust the efforts of a lone CPAN author, given that the bad guys have only to download the module to look inside to search for weaknesses?

        When the alternative is safer and actually easier, why risk it.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        The start of some sanity?

Re: Security issue and solution for terminal command accessed by public user
by aaron_baugher (Deacon) on Jul 07, 2012 at 03:41 UTC

    Consider if someone enters this as the 'number': 1 foot' 'inches'; rm -rf /; echo '

    You could sanitize the input by making sure the number is really a number -- only digits and decimal point, that kind of thing (though that's trickier than it sounds, if you want to allow commas/underscores in long numbers, scientific notation, etc.). You can make the user choose from a selection of unit types, and verify that they selected a valid one from a list (because it's trivial to circumvent browser restrictions on that kind of thing). It would also help to open a pipe to/from units (with no command-line arguments) and pass the values to it in interactive mode, where bad inputs shouldn't be as dangerous as they can be on the command line.

    Or you can use one of the conversion modules suggested above. Of course, then you're counting on those modules to handle dangerous inputs properly, so you should probably still sanitize your data as much as possible.

    Aaron B.
    Available for small or large Perl jobs; see my home node.

      Hi,

      Thanks, that Pipe mode and interactive mode is a great answer. I think it solve most of the problem. The units does have the interactive mode.

        I would, if you decide to go that route, carefully comment why you're doing it that way, so someone doesn't later come along and decide it would be more "efficient" to change it to
        system "$unaltered_user_input";
        and open you up to the security issues again.

        I might also ask, will you really need every conversion that units can do? Or do you have a small set of conversions that can be encapsulated in a few dozen lines at the most? The investment in a bit of conversion code that is definitely safe, versus a security problem waiting to happen, is probably worth it.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://980321]
Approved by planetscape
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (14)
As of 2014-08-27 20:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (252 votes), past polls