PerlMonks  

Security Checks for CPAN Module Authors

by localshop (Monk)
on Oct 22, 2018 at 09:44 UTC ( [id://1224470]=perlquestion )

localshop has asked for the wisdom of the Perl Monks concerning the following question:

As part of trying to work with CPAN I noticed the CPAN::Audit module in the recently updated list and it looks kinda useful as a general maintenance tool - going through the modules installed on my laptop and updating any that have security issues.

It occurred to me that I should probably ensure that any CPAN modules do not include dependencies with known security issues. Even though these are often pretty trivial, it would seem to make the module more robust if any dependencies have minimum versions specified that resolve the known issues.

Does anybody have advice on whether this is standard practice or whether there are any issues that I may find if I start putting in these minimum version requirements?


Replies are listed 'Best First'.
Re: Security Checks for CPAN Module Authors
by cavac (Parson) on Oct 22, 2018 at 10:37 UTC

    This might not be as trivial as you'd imagine. For example, a module might pull in some unsafe hashing algorithm module (like MD5) dynamically when asked to do so or as fallback option. Depending on a lot of circumstances, this might be a huge security problem (passwords without salt) or it might be OK to do so in support of some nonsecurity-related legacy requirement. And in the case of your application, it might not even load the module, just require it to be installed "just in case".

    perl -e 'use MIME::Base64; print decode_base64("4pmsIE5ldmVyIGdvbm5hIGdpdmUgeW91IHVwCiAgTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duLi4uIOKZqwo=");'

      I was thinking a little less granular.

      For example, if I run cpan-audit installed I see a warning for PathTools <3.62, so if I use File::Spec I simply enforce a minimal version so that the module user performs an update of this module.

      Actually that specific module is probably not a great example as it's part of the core bundled packages, but you get the idea. So I wasn't thinking about going down to specific encryption algorithms etc., but just looking at modules with versions that have security advisories that are simple enough to set minimal versions on without forcing a Perl version upgrade.
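The approach the question and the follow-up describe (take a version floor from a cpan-audit finding and enforce it on your users) can be exercised as a small check. This is an added example, not code from the thread, from CPAN::Audit or from PathTools: the only value taken from the thread is the PathTools 3.62 floor for File::Spec; the MIME::Base64 floor and the check_minimums name are constructed for illustration. It shows what the floors look like in a cpanfile or Makefile.PL and then verifies the installed versions the same way the installer would, but reporting every shortfall instead of dying at the first one.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): verify that installed modules satisfy
# the minimum versions you would declare after reviewing `cpan-audit installed`.
use strict;
use warnings;
use version;

# Declaring the floors in the distribution metadata looks like this:
#   cpanfile:     requires 'File::Spec', '3.62';
#   Makefile.PL:  PREREQ_PM => { 'File::Spec' => '3.62' },
# The hash below is the same information, used here for a runtime check.
my %minimum = (
    'File::Spec'   => '3.62',  # PathTools < 3.62 is the warning quoted in the thread
    'MIME::Base64' => '3.15',  # constructed floor, for illustration only
);

# Returns a list of human-readable problems; empty list means all floors are met.
sub check_minimums {
    my (%min) = @_;
    my @problems;
    for my $mod (sort keys %min) {
        (my $file = "$mod.pm") =~ s{::}{/}g;      # Foo::Bar -> Foo/Bar.pm
        if (!eval { require $file; 1 }) {
            push @problems, "$mod: not installed";
            next;
        }
        # $mod->VERSION('3.62') would die on an old version; comparing with
        # version.pm lets us collect every shortfall and report them together.
        my $have = defined $mod->VERSION ? $mod->VERSION : 0;
        if (version->parse($have) < version->parse($min{$mod})) {
            push @problems, "$mod: have $have, need >= $min{$mod}";
        }
    }
    return @problems;
}

my @problems = check_minimums(%minimum);
if (@problems) {
    print "Minimum version not met:\n";
    print "  $_\n" for @problems;
    exit 1;
}
print "All minimum versions satisfied\n";
```

The comparison goes through version.pm rather than a plain numeric `<` so that decimal versions such as 3.62 and dotted-decimal ones such as v1.2.3 are ordered correctly; the same comparison is what the CPAN toolchain applies to a PREREQ_PM or cpanfile entry, so a floor that passes here is the floor your users will be asked to install.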
