PerlMonks  
When downloading a CPAN module I quite blindly trust it to do no harm to my machine (which is stupid, I know), but a recent blog post pointed to some code that is not (yet) on CPAN, and I started to think: how could I check whether I can run that code safely on my machine?

I guess the best would be to create a new user and run it as that user, but that sounds like too much work on one hand and not good enough on the other (e.g. the code could still send out information about my machine).

So I was wondering how I could check if the code is secure. I could read it hoping that I will recognize issues, but that might be too much work and I can easily miss the important part. I think a better approach would be to check for any code that might be dangerous and check only that part.

I was thinking what could be dangerous and here is a short list I came up with:

The use of system, exec, qx, backticks, string eval, open with a pipe, unlink.

I am sure I missed a few. Any other expression that you think might be dangerous?

Of course loading of any module via use, require or do would expose us to further dangers, so I need to do the above check on all the modules that are loaded by the code recursively. That's still the same thing as above.

The last piece here is to make sure we know which files are actually loaded by the code, so if I check /home/foo/code/File.pm I can be sure that file will be loaded and not some other File.pm I have not checked. For this I need to check for the appearance of use lib and @INC in the code.

I am quite sure I am not the first one to need this. Any solution that you might know of?


In reply to Is this code secure, can I test it on my machine? by szabgab
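A scanner for exactly the list in the post (system, exec, qx and backticks, string eval, pipe opens, unlink, plus anything touching @INC or use lib, recursing into the modules that use/require pull in), written here as an added example and not code from the thread. It assumes the CPAN module PPI is installed and that loaded modules resolve against the current directory and @INC.

```perl
# Static scan of a Perl file and, recursively, the modules it loads, for the constructs
# listed in the post. PPI is used because a regex cannot tell a real `system` call from
# the word "system" inside a string, a comment or a POD paragraph.
use strict;
use warnings;
use PPI;            # CPAN module, assumed installed
use File::Spec;

my %RISKY    = map { $_ => 1 } qw(system exec unlink);
my @inc_dirs = ('.', @INC);   # assumption: modules resolve against cwd and @INC
my %seen;
my @queue = ($ARGV[0] // die "usage: $0 file.pl\n");

while (my $path = shift @queue) {
    next if $seen{$path}++;
    my $doc = PPI::Document->new($path) or die "$path: " . PPI::Document->errstr . "\n";
    # backticks and qx// get their own token classes in PPI
    for my $class (qw(PPI::Token::QuoteLike::Backtick PPI::Token::QuoteLike::Command)) {
        report($path, $_, 'shell command') for @{ $doc->find($class) || [] };
    }
    for my $w (@{ $doc->find('PPI::Token::Word') || [] }) {
        my $name = $w->content;
        my $prev = $w->sprev_sibling;
        next if $prev && $prev->isa('PPI::Token::Operator') && $prev->content eq '->';  # $obj->system is a method
        if ($RISKY{$name}) {
            report($path, $w, $name);
        } elsif ($name eq 'eval') {       # eval BLOCK is fine, eval STRING is not
            my $next = $w->snext_sibling;
            report($path, $w, 'string eval') unless $next && $next->isa('PPI::Structure::Block');
        } elsif ($name eq 'open') {       # open(FH, "| cmd"), open(FH, "cmd |"), open(FH, '-|', ...)
            my @quotes = @{ $w->parent->find('PPI::Token::Quote') || [] };
            report($path, $w, 'open with pipe') if grep { $_->content =~ /\|/ } @quotes;
        }
    }
    # anything touching @INC, or a `use lib`, decides which File.pm really gets loaded
    report($path, $_, 'touches @INC') for grep { $_->content eq '@INC' } @{ $doc->find('PPI::Token::Symbol') || [] };
    for my $inc (@{ $doc->find('PPI::Statement::Include') || [] }) {
        my $mod = $inc->module;
        if (!$mod) {                      # `use 5.010;`, or `require $var` / `require "x.pm"`
            print "$path: non-bareword require, check by hand\n" if $inc->type eq 'require';
            next;
        }
        report($path, $inc, 'use lib') if $mod eq 'lib';
        next if $mod =~ /^(?:strict|warnings|lib)$/;
        (my $rel = "$mod.pm") =~ s{::}{/}g;
        my ($found) = grep { -f } map { File::Spec->catfile($_, $rel) } @inc_dirs;
        if ($found) { push @queue, $found } else { print "$path: cannot resolve $mod, check by hand\n" }
    }
}
sub report { my ($f, $el, $what) = @_; printf "%s:%d: %s: %s\n", $f, $el->line_number, $what, $el->content }
```

`do FILE` is not a PPI::Statement::Include and is not followed here, and a hit only tells you where to read closely; a clean run does not prove the code is safe, since code built at runtime (symbolic references, `eval` of decoded strings) is exactly what a static pass cannot see.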
