PerlMonks  

Ideas Wanted for Perl::Critic Security Policies

by jthalhammer (Friar)
on Jun 30, 2006 at 18:35 UTC (#558646)

I've been thinking about creating some security-related policies for Perl::Critic. But other than taint checking, I'm not really familiar with Perl's security holes and features. What are some "best practices" for ensuring that Perl programs are safe from hackers?

-Jeff

Re: Ideas Wanted for Perl::Critic Security Policies
by radiantmatrix (Parson) on Jun 30, 2006 at 19:03 UTC

    Using the 3-parameter form of open would be a good practice to check for. It would be good to warn about system or exec calls that pass arguments inside the first parameter (i.e. system("$command $arg1 $arg2") instead of system($command, $arg1, $arg2)).

    If practical, it would also be good to warn about DBI statements that use inline variables where prototypes are better (i.e. $dbh->prepare("update table set my_val = $somevalue") instead of $dbh->prepare("update table set my_val = ?")). I'm guessing that would be a challenge, but it sure would be nifty.

    Yes, proper untainting would probably solve these issues, but I've seen too many coders untaint such things extremely poorly.

    <radiant.matrix>
    A collection of thoughts and links from the minds of geeks
    The Code that can be seen is not the true Code
    I haven't found a problem yet that can't be solved by a well-placed trebuchet
      Using the 3-parameter form of open would be a good practice to check for.
      There's an InputOutput::ProhibitTwoArgOpen in the Perl::Critic distro already..

      The DBI one would be a 'challenge' :) .. not sure how it'd be possible to distinguish between $dbh->prepare("update table set my_val = $somevalue") (NOT OK) and $dbh->prepare("update $TABLENAME set my_val = ?") (OK) without actually parsing the sql .. plus there's the circumvention of $sql = "update table set my_val = $somevalue"; $sth=$dbh->prepare($sql); as well (or can you back-trace that w/PPI?)..

      I took a crack at the system/exec one (see RFC: Perl-Critic policy: ProhibitInlineSystemArgs), though I think there's problems catching all of those, too.. e.g. system( join(" ", $cmd, @args) )
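As an added illustration of the system/exec check discussed in the two replies above (this is example code, not a policy shipped with Perl::Critic and not the RFC linked in the reply), here is a minimal Perl::Critic policy that flags system or exec called with a single interpolated string. The package name is hypothetical; it relies on Perl::Critic::Utils::parse_arg_list and PPI's quote token classes, and, as the reply notes, it deliberately does not try to see through join(...) or a variable assigned earlier.

```perl
package Perl::Critic::Policy::Example::ProhibitInterpolatedSystemArgs;
# Hypothetical policy name, written as an example for this thread.
use strict;
use warnings;
use Readonly;
use Perl::Critic::Utils qw{ :severities is_function_call parse_arg_list };
use parent 'Perl::Critic::Policy';

Readonly::Scalar my $DESC =>
    q{"system"/"exec" called with a single interpolated string};
Readonly::Scalar my $EXPL =>
    q{Pass the command and its arguments as a list so no shell is involved};

sub supported_parameters { return ()                  }
sub default_severity     { return $SEVERITY_HIGH      }
sub default_themes       { return qw( security )      }
sub applies_to           { return 'PPI::Token::Word'  }

sub violates {
    my ( $self, $elem, undef ) = @_;

    # Only look at bareword calls to system/exec, not hash keys or methods.
    return if $elem->content ne 'system' && $elem->content ne 'exec';
    return if !is_function_call($elem);

    # parse_arg_list splits the call's arguments into one token list each.
    my @args = parse_arg_list($elem);
    return if @args != 1;    # list form system($cmd, @args): nothing to flag

    my ($token) = @{ $args[0] };
    return if !$token->isa('PPI::Token::Quote::Double')
           && !$token->isa('PPI::Token::Quote::Interpolate');

    # Assumption: a $name or @name inside an interpolating quote means the
    # string is built from variables and will be handed to the shell.
    return if $token->string !~ m/[\$\@]\w/;

    # Known gaps (per the thread): system( join(" ", $cmd, @args) ) and
    # my $cmd = "..."; system($cmd) are not detected by this policy.
    return $self->violation( $DESC, $EXPL, $elem );
}

1;
```

Run it with `perlcritic --single-policy Example::ProhibitInterpolatedSystemArgs file.pl` once the module is on @INC; system("$command $arg1 $arg2") is reported, system($command, $arg1, $arg2) is not.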
Re: Ideas Wanted for Perl::Critic Security Policies
by eyepopslikeamosquito (Canon) on Jun 30, 2006 at 21:28 UTC
Re: Ideas Wanted for Perl::Critic Security Policies
by Joost (Canon) on Jun 30, 2006 at 23:37 UTC
Re: Ideas Wanted for Perl::Critic Security Policies
by petdance (Parson) on Jul 03, 2006 at 06:45 UTC
    Taint mode, baby.

    xoxo,
    Andy

Node Type: perlmeditation [id://558646]
Approved by Hue-Bond
Front-paged by gmax