
Safe.pm: Which parameter for permit_only?

by karlgoethebier (Abbot)
on Jun 13, 2014 at 11:08 UTC ( [id://1089808]=perlquestion )

karlgoethebier has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

I use the cc tool that comes with Astaro firewalls to get some information about the status of several tunnels (cc get_ipsec_status).

The output is pure Perl, like this:
{ 'foo' => 'bar', 'nose' => 'cuke', }

For some paranoid reasons, I considered using Safe to read this output:

    use Safe;
    use strict;
    use warnings;
    use Data::Dumper;

    undef $/;
    my $string = <DATA>;
    my $compartment = Safe->new();
    # $compartment->permit_only(qw(???)); # <--
    my $hash_ref = $compartment->reval($string);
    die $@ if $@;
    print Dumper($hash_ref);

    __DATA__
    # qx();
    { 'foo' => 'bar', 'nose' => 'cuke', }
    __END__
    'quoted execution (``, qx)' trapped by operation mask at (eval 6) line 1, <DATA> chunk 1.
    $VAR1 = { 'foo' => 'bar', 'nose' => 'cuke' };

This works - if I uncomment qx() this gets trapped, as one can see in the output of my script.

Safe uses by default the :default tag from Opcode, which is a shorthand for :base_core :base_mem :base_loop :base_orig :base_thread.

Too much. What parameter must I pass to permit_only only for reading this data structure? I couldn't figure this out by reading the Opcode manpage :-(

Update:

First, thanks to all for answering. I wasn't in office this week due to a little illness so my answer is a bit late, sorry.

But my proxy fiddled out this by Trial-And-Error:

    $compartment->permit_only(qw(lineseq padany const leaveeval pushmark list anonhash));

Strange enough. It seems like this works nice with v5.16.3 but please see what happens:

    karls-mac-mini:monks karl$ perl -v
    This is perl 5, version 16, subversion 3 (v5.16.3) built for darwin-2level
    karls-mac-mini:monks karl$ ./testomato.pl
    { 'foo' => 'bar', 'nose' => 'cuke', };
    { foo => "bar", nose => "cuke" }
    karls-mac-mini:monks karl$ perlbrew use perl-5.17.7
    karls-mac-mini:monks karl$ ./testomato.pl
    { 'foo' => 'bar', 'nose' => 'cuke', };
    { foo => "bar", nose => "cuke" }
    karls-mac-mini:monks karl$ perlbrew use perl-5.18.0
    karls-mac-mini:monks karl$ ./testomato.pl
    { 'foo' => 'bar', 'nose' => 'cuke', };
    'ref-to-glob cast' trapped by operation mask at (eval 5) line 1, <DATA> chunk 1.
    undef
    karls-mac-mini:monks karl$ perlbrew use perl-5.18.1
    karls-mac-mini:monks karl$ ./testomato.pl
    { 'foo' => 'bar', 'nose' => 'cuke', };
    'ref-to-glob cast' trapped by operation mask at (eval 5) line 1, <DATA> chunk 1.
    undef

Very bad... seems like it depends on the version of Perl...

See also

Thank you very much for any hint and best regards,

Karl

«The Crux of the Biscuit is the Apostrophe»

Replies are listed 'Best First'.
Re: Safe.pm: Which parameter for permit_only? (Safest Undumper of Data::Dumper)
by Anonymous Monk on Jun 13, 2014 at 13:18 UTC
    Whittled it down even more to get "Safest Undumper of Data::Dumper" :p
        use Safe;

        sub SafestUndumper {
            my $s = Safe->new;
            $s->permit_only(
                "anonlist",
                "anonhash",
                "pushmark", # perlcall says "PUSHMARK macro tells Perl to make a mental note of the current stack pointer."
                "const",
                "undef",
                "list",
                "lineseq",
                "padany",
                "leaveeval", # needed for Safe to operate, is safe without entereval
            );
            $s->reval(@_);
        }
Re: Safe.pm: Which parameter for permit_only?
by Anonymous Monk on Jun 13, 2014 at 11:35 UTC
    Data::Undump?

    Tips

    I think the safest approach is to start denying stuff from the defaults until it stops working, then dump the opcodes remaining

    My try at the other way didn't work ( qw/ sassign anonhash pushmark const anonlist nextstate enter list rv2cv / is not enough)

Re: Safe.pm: Which parameter for permit_only?
by Anonymous Monk on Jun 13, 2014 at 12:38 UTC
        #!/usr/bin/perl --
        use strict;
        use warnings;
        use Data::Dump qw/ dd /;
        use Safe;
        use Opcode;

        my %full = map { $_ => Opcode::opdesc( $_ ) } Opcode::opset_to_ops( Opcode::full_opset() );
        my @wanted = grep { exists $full{$_} } (
            "anonlist",
            "anonhash",
            "pushmark",
            "const",
            "undef",
            "kvaslice",
            "kvhslice",
            "list",
            "lineseq",
            "padsv",
            "padav",
            "padhv",
            "padany",
            "padany",
            "leaveeval", ## $@ tells you about it :)
        );
        #~ dd( \%full );
        #~ dd( \@wanted );
        my $s = Safe->new;
        $s->permit_only( @wanted );
        my @its = (
            q{ [ 1, [ 2, [ 3e4 , undef ] ] ] },
            q{ { a => { b=> { c=> { 1e6, undef, }, }, }, } },
        );
        dd( { -REV, [ $s->reval( $_ ) ] }, { -ERR, "$@" } ) for @its;
        __END__

      Mmh, this results in:

          (
            { -REV => [] },
            {
              -ERR => "'ref-to-glob cast' trapped by operation mask at (eval 5) line 1.\n",
            },
          )
          (
            { -REV => [] },
            {
              -ERR => "'ref-to-glob cast' trapped by operation mask at (eval 7) line 1.\n",
            },
          )

      Regards, Karl

      «The Crux of the Biscuit is the Apostrophe»

        works fine for me in 5.8.8 and 5.16.1 ... there is no rv2gv opcode in the code being revaled
Re: Safe.pm: Which parameter for permit_only?
by lost953 (Acolyte) on Sep 24, 2019 at 22:05 UTC
    An updated list that works with 5.26.3 and works with all the dumped output I have seen so far.
    use constant ALLOWED_OPS => qw( anonhash anonlist const leaveeval lineseq list padany pushmark repeat rv2gv stringify undef );

      Thanks lost953 for your kind reply! That is the progress 😎. Unfortunately (or luckily) neither the firewall mentioned nor my job exist after 5 years. Best regards, Karl

      «The Crux of the Biscuit is the Apostrophe»

      perl -MCrypt::CBC -E 'say Crypt::CBC->new(-key=>'kgb',-cipher=>"Blowfish")->decrypt_hex($ENV{KARL});'
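
The thread shows that the opcode set needed to read the same dump changes between perl versions, so an allow-list should be checked on the interpreter that will actually run it. The script below is an added example, not code from any poster in this thread: it takes the allow-list from the 2019 reply, drops names the running perl does not know, and reports what happens to three constructed inputs (the `probe` helper and the sample strings are assumptions made for illustration).

```perl
#!/usr/bin/perl
# Added example: probe an opcode allow-list on the perl that runs this script.
use strict;
use warnings;
use Safe;
use Opcode ();

# Allow-list quoted from the 2019 reply above (reported there for 5.26.3).
my @allowed = qw(
    anonhash anonlist const leaveeval lineseq list
    padany pushmark repeat rv2gv stringify undef
);

# permit_only() croaks on an opcode name this perl does not have,
# so keep only the names that exist here.
my %known   = map { $_ => 1 } Opcode::opset_to_ops( Opcode::full_opset() );
my @usable  = grep { $known{$_} } @allowed;
my @default = Opcode::opset_to_ops( Opcode::opset(':default') );

# Evaluate $text in a fresh compartment restricted to @$ops.
# Returns (value, error); error is '' when nothing was trapped.
sub probe {
    my ( $ops, $text ) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(@$ops);
    my $value = $cpt->reval($text);
    my $err   = "$@";
    chomp $err;
    return ( $value, $err );
}

# Constructed sample inputs: the data shape from the question, a nested
# variant, and the qx() line the question used to show trapping.
my @samples = (
    [ 'flat hash'   => q{ { 'foo' => 'bar', 'nose' => 'cuke', } } ],
    [ 'nested data' => q{ { 'a' => [ 1, undef, { 'b' => 'c' } ] } } ],
    [ 'qx() prefix' => q{ qx(); { 'foo' => 'bar' } } ],
);

printf "perl %vd: %d of %d allow-listed ops exist here; :default permits %d ops\n",
    $^V, scalar @usable, scalar @allowed, scalar @default;
for my $sample (@samples) {
    my ( $label, $text ) = @$sample;
    my ( $value, $err ) = probe( \@usable, $text );
    my $verdict = $err ne ''            ? "rejected: $err"
                : ref($value) eq 'HASH' ? 'accepted (hash ref)'
                :                         'accepted, but result is not a hash ref';
    printf "%-12s %s\n", $label, $verdict;
}
```

A "rejected" line for one of the two data samples names the opcode that the running perl needs in addition to the list, which is the same signal the 'ref-to-glob cast' messages gave in the thread.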
