Path Traversal Vulnerability

Rishi2Monk has asked for the wisdom of the Perl Monks concerning the following question:

Checkmarx finds the below code is not safe says Path traversal vulnerable

Source:
        open(EXEC, "-|", "find $con_folder -name '*contribution.hygien
+e*' ");
        @contribution_hygiene_report_name = <EXEC>;
           :
           :

Destinamtion:
        open(EXEC, "-|", "echo \"$filename\n$contribution_preget_repor
+t_name[0]\n$contribution_hygiene_report_name[0]\n$concfile\n$rpt_path
+\n$concdir\n\" | uda_consolidate.pl 2 >> /dev/null");
        $report_file = <EXEC>;
[download]

Kindly help me with possible and best solution to fix these kind of issues

Comment on Path Traversal Vulnerability Download Code

Replies are listed 'Best First'.
Re: Path Traversal Vulnerability by haukex (Archbishop) on Dec 27, 2022 at 07:09 UTC
Yes, the code isn't safe - see my node Calling External Commands More Safely. In the first case, I recommend using File::Find or File::Find::Rule instead of shelling out to `find`. In the second case, since you're apparently piping things to the command and from the command, I would suggest IPC::Run3 (assuming the input and output are not too big, as the module usually works via temporary files) - but it would also be worth looking into whether `uda_consolidate.pl` could be designed as a module callable directly from your script.	[reply] [d/l] [select]
Re^2: Path Traversal Vulnerability by Rishi2Monk (Novice) on Dec 27, 2022 at 08:51 UTC
Thanks for your quick reply. Unfortunately, my current perl does not support either IPC::Run or IPC::Run3 and I could not install it as it needs access permissions. Can you please kindly let me know, if there is way to solve with open() or system()?	[reply]
Re^3: Path Traversal Vulnerability by Corion (Patriarch) on Dec 27, 2022 at 08:54 UTC
See Yes, even you can use CPAN , or alternatively copy the source code into your project.	[reply]
Re^3: Path Traversal Vulnerability by haukex (Archbishop) on Dec 27, 2022 at 09:00 UTC
In addition to what Corion said, I already answered that question. In the case of the `find`, File::Find is a core module. And in the case of the Perl script, you can modify it so that it is directly callable from your Perl script, or at the very least, you can modify it so that it supports input and output via files (if it doesn't already), that is very easy to do in Perl, then you can call it with a multi-argument system as I describe in the node I linked to.	[reply] [d/l]
A reply falls below the community's threshold of quality. You may see it by logging in.