PerlMonks  
Taint mode testing a module

by mrider (Sexton)
on Oct 17, 2012 at 18:27 UTC (#999594=perlquestion)
mrider has asked for the wisdom of the Perl Monks concerning the following question:

Sorry, I'm sure this has been asked before, but I just can't find an answer. RTFM with a link would be an adequate answer. :)

I'm writing a module for the program I'm working on. I figure that since I'm writing it as a Perl Module, I might as well do it right such that it can be built, tested, and used elsewhere - rather than just importing it into this one program. And since I'm doing that work anyway, I figured I'd add code to work with tainted data. My program will be a compiled exe (via Perl Packer) and won't be exposed to any tainted data. However, I may find more uses for the module, and so I figure I should think about this now.

My actual code isn't important. What is important is that my unit tests check to make sure the taint mode code I added works properly. What I can't figure out is how to modify the unit tests such that they use taint mode. I used h2xs -AXc -n MyModule to create a module directory. Now I have a file in ./MyModule/t/MyModule.t that looks like this:

    # Before `make install' is performed this script should be runnable with
    # `make test'. After `make install' it should work as `perl MyModule.t'

    #########################

    # change 'tests => 1' to 'tests => last_test_to_print';

    use Test::More tests => 1;
    BEGIN { use_ok('MyModule') };

    #########################

    # Insert your test code below, the Test::More module is use()ed here so read
    # its man page ( perldoc Test::More ) for help writing this test script.

Do I modify this file to enable taint mode? If not, then how do I tell Perl that I want taint mode for this (or a similar) test? I tried running the test via perl -T ./t/MyModule.t , but since everything is in subdirectories, I got tons of failures from things not being where they were expected.

Re: Taint mode testing a module
by Tanktalus (Canon) on Oct 17, 2012 at 19:50 UTC

    Generally, if your .t file starts as:

        #!/usr/bin/perl -T

    then your test will be run in taint mode. It's then up to you to figure out how to get the rest of your information in a taint-safe manner. :-) (Generally, I turn it off, it's too much of a headache for my use cases, I think... but maybe I just misunderstand it.)

      Thanks for that, but I think you misunderstand the question. I know how to turn on taint mode for a program. What I don't know how to do is turn on taint mode for a unit test that is run specifically as part of installation of a module.

      For example, if you use CPAN and install "Foo", then CPAN performs roughly the equivalent of the following steps:

      1. wget http://somefakesite.site/Foo.0.0.1.tar.gz
      2. tar -xzf Foo.0.0.1.tar.gz
      3. cd Foo.0.0.1
      4. perl Makefile.PL
      5. make
      6. make test
      7. make install (Assuming the tests in #6 pass of course)

      What I'd like to know is if it's possible for me to test with taint mode on as part of that step in #6.

        No, I think I perfectly understood. Maybe you missed the part in my previous post that said "if your .t file starts as..." That is, if one of your test files starts with that hash-bang line, even if you're on Windows, "make test" will run it under taint mode. (I don't think ExtUtils::* has anything to do with this, I think it's just that when the perl subprocess starts up, it reads that first line and interprets it.) If other unit test files do not have the -T, then those test files will not run under taint.

        Test::Taint is related, but it won't do you much good without that -T flag on the hash-bang line.

        I suspect you're thinking this is harder than it appears :-)

        Remember that each .t file really is just a .pl file with a different extension denoting its purpose (test). Everything beyond that is simply convention. By convention, .t files test. By convention, .t files output TAP. By convention, .t files are only run by a TAP harness (such as prove). By unfortunate hysterical raisins, .t files are run with the -w flag given to perl.

Re: Taint mode testing a module
by Khen1950fx (Canon) on Oct 17, 2012 at 20:33 UTC
    I would start by testing for untaintedness. For example, your script to test loading shouldn't be tainted. Take a look at Test::Taint by petdance. It doesn't get any better than that.
      Awesome! That was precisely what I was looking for. Thanks!!

      And yes, I'm testing non-tainted mode first. I just want to make sure that my code behaves well with the taint flag now while I'm working on it and it's fresh in my mind, rather than being surprised a few weeks, months, or even years down the road.
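Putting Tanktalus's shebang advice and Khen1950fx's Test::Taint suggestion together, the following is an added example of what such a test file can look like. It is not code from the original thread, from MyModule, or from Test::Taint's own distribution. The file name t/taint.t, the untaint_hostname subroutine (a stand-in for whatever untainting code the real module exports) and the two sample inputs are assumptions made for the example; Test::More ships with perl and Test::Taint is on CPAN.

```perl
#!/usr/bin/perl -T
# t/taint.t (hypothetical file name) - runs under taint mode because of the
# -T on the shebang line. The TAP harness behind `make test` and `prove`
# reads that line and re-invokes perl with -T; perl itself would refuse a
# -T that appears only on the shebang ("Too late for -T").
use strict;
use warnings;
use Test::More tests => 8;
use Test::Taint;

# Fail loudly if the harness did not honour the -T flag: every other
# assertion below would be meaningless without taint checking enabled.
taint_checking_ok('script is running with -T');

# Stand-in for the module's own untainting code (hypothetical; not part of
# the original post). Returns the validated value, which perl marks
# untainted because it came out of a regex capture, or undef if the input
# does not match the allow-list.
sub untaint_hostname {
    my ($input) = @_;
    return unless defined $input;
    return unless $input =~ /\A([a-z0-9][a-z0-9.-]{0,252})\z/i;
    return $1;
}

# Constructed sample inputs. taint() marks each variable as tainted in
# place, which is what data from @ARGV, %ENV or STDIN looks like in
# production.
my $good = 'db01.example.org';
my $bad  = 'db01.example.org; rm -rf /';
taint($good, $bad);

tainted_ok($good, 'sample hostname starts out tainted');
tainted_ok($bad,  'hostile sample starts out tainted');

my $clean = untaint_hostname($good);
is($clean, 'db01.example.org', 'well-formed hostname survives validation');
untainted_ok($clean, 'validated hostname is untainted');

is(untaint_hostname($bad), undef, 'shell metacharacters are rejected');

# Using tainted data where perl forbids it must be fatal, not silently
# allowed. open for writing is one of the operations taint mode guards.
eval { open my $fh, '>', $bad or die "open failed: $!" };
like($@, qr/Insecure dependency/,
     'tainted filename cannot be used to open a file for writing');

# The validated value is a copy; the original input stays tainted.
tainted_ok($good, 'original input is still tainted after validation');
```

Two practical notes on running it. Under `make test`, Test::Harness passes the blib directories to the child perl with -I switches, which taint mode accepts, so the -T shebang alone is enough for step 6 of the list above. When running it by hand, remember that -T makes perl ignore PERL5LIB and PERLLIB, which is why `perl -T ./t/MyModule.t` could not find anything; use `perl -T -Iblib/lib t/taint.t` after `make`, or `prove -Tl t/taint.t` (-T for taint checks, -l to add lib/) before it.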
