Taint tracing a single variable?

PFudd has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

I have to maintain a legacy CGI script, and recently discovered that it uses the header 'X-Forwarded-For' without validation. I would like to trace where that unvalidated data can get to.

I don't think I can turn on real taint checking; the program is too big, too old, and too crufty. I think too many things will break, and so this technical debt goes unpaid.

Is there a way to just say 'follow this value' and see where it goes? That is, if it's used as the input to a function, then start following the output of the function as well, in just the same way as real taint checking does?

I hope that by the time it gets stuck into a file or a database that it's been escaped and I'm safe from SQL injection attacks, but I'm stuck in a maze of twisty passages, all alike. I'm overwhelmed.

As I'm not sure if I can test every code path, is a static code analyzer what I need?

I've briefly looked at the Taint and Taint::Runtime man pages, but I don't know if they can help. I also looked at Tie::Watch, but it looks like I'd have to run the program, add watchpoints to new variables, run the program, add watchpoints to more new variables, etc.

Thanks!

Comment on Taint tracing a single variable?

Replies are listed 'Best First'.
Re: Taint tracing a single variable? by Anonymous Monk on May 16, 2014 at 02:56 UTC
Tie::Trace - easy print debugging with tie, for watching variable But, FWIW, "taint" is about system calls (perlsec), it won't save you from sql injection (bobby-tables.com: A guide to preventing SQL injection in Perl)... X-Forwarded-For isn't likely to be involved where taint would complain Essential CGI Security Practices,CGI/Perl Taint Mode FAQ, Tutorials: Security in CGI Programming, Think beyond Taint and warnings ...	[reply]
Re: Taint tracing a single variable? by RonW (Parson) on May 16, 2014 at 16:39 UTC
I would suggest adding more validation of the expected inputs and removing unexpected inputs. You might still consider trying to use taint. Seeing what breaks could help you find some of the vulnerabilities in the program. Also, there is the `tainted` function which you can use yourself. Any place in the code where potentially malicious data could be a problem, the `tainted` function can be used to help detect unsanitized input. However, it would really be better to add more validation to the programming so that all of the inputs are either properly validated or removed. If all else fails, you could "wrap" the program with a "sanitizing proxy" that cleans up the inputs then forwards the cleaned CGI request to your legacy CGI.	[reply] [d/l] [select]
Re^2: Taint tracing a single variable? by PFudd (Initiate) on May 21, 2014 at 18:03 UTC
I've decided to bite the bullet and just taint-check the whole thing. Once the CGI params have been detainted properly, then I can add a manual taint to the X-Forwarded-For value and see what tainted() will show, closer to the DBI calls. Does DBI do taint checking on its own? Thanks!	[reply]
Re^3: Taint tracing a single variable? by RonW (Parson) on May 21, 2014 at 21:35 UTC
I would be surprised if DBI had taint checking built in. But I've never actually tried to test that.	[reply]