Rishi2Monk has asked for the wisdom of the Perl Monks concerning the following question:

Checkmarx, a static analyzer tool, is throwing a security issue with the code below, saying that $file_list is accessing Uncontrolled Memory Allocation.

open ( INFILE, "<", "$inputfile" ) || die( "Cannot read list file $inputfile" );
while ( <INFILE> ) {
    $file = $_;
    chomp ( $file );
    $file_list{$file} = "1";
}

I tried to restrict the size of the hash variable as shown below, but the error is not resolved.

if ( length($file) <= (1 * 1024 * 1024) ) {
    $file_list{$file} = "1";
}

Kindly help me to understand the reason, as the above code looks ok to me.

Re: Uncontrolled Memory Allocation (updated)
by haukex (Archbishop) on Sep 12, 2023 at 13:36 UTC

    Update: How did you solve the problem 9 months ago when you posted Uncontrolled Memory Allocation Error? /Update

    The code looks relatively ok to me too. Concerning your attempted workaround, that's only checking the length of each line, not the whole file. There are lots of ways one could ensure the file is not longer than a certain size, like stat, -X, $. combined with checking the length of each line, checking the size of the hash, ... but I don't know which of these this "Checkmarx" tool will accept.

    Repeating myself from ~9 months ago: Checkmarx is giving you the error, so Checkmarx also needs to tell you how to fix it.

Re: Uncontrolled Memory Allocation
by bliako (Abbot) on Sep 12, 2023 at 14:14 UTC

    My answer from there:

      There are two ways in which the size of the hash is dependent on user data.

      • The length of the lines.
      • The number of unique lines.

      Your check accounts for one, but not the other.

      Mind you, <INFILE> alone "suffers" from "uncontrolled memory allocation". If you allow that, what's the point in limiting the size of the hash?

Re: Uncontrolled Memory Allocation
by Corion (Patriarch) on Sep 12, 2023 at 13:31 UTC

    Your first step is to understand what the security issue means and what kind of attack it tries to prevent.

    The next step is to check if there are sane limits you can apply to prevent the issue. In the case of my interpretation of Uncontrolled Memory Allocation, maybe you can restrict the length of the lines used in %file_list to a certain maximum and stop the program otherwise.

    Maybe you can alternatively also argue what the maximum memory allocated by this loop is, and ensure that the machines have enough memory.
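    The bounds that haukex, bliako and Corion describe (file size up front, length of each line, and number of distinct entries, which the original length() check misses) can all be applied in one reader. This is an added example, not code from the thread; the three limits are arbitrary values chosen for the illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed example (not from the thread): read a list file into a hash while
# bounding every dimension that depends on the file's content, so the memory the
# loop allocates is capped by constants rather than by the input.
# The three limits below are arbitrary values chosen for this illustration.
use constant MAX_FILE_BYTES => 1 * 1024 * 1024;   # reject files over 1 MiB up front
use constant MAX_LINE_BYTES => 4096;              # longest entry we are willing to store
use constant MAX_ENTRIES    => 10_000;            # most distinct entries we will keep

sub read_file_list {
    my ($inputfile) = @_;
    my %file_list;

    # Bound 1: total input size, checked before a single line is read. This also
    # caps what readline itself can allocate for one very long line.
    my $size = ( stat $inputfile )[7];
    die "Cannot stat list file $inputfile: $!" unless defined $size;
    die "List file $inputfile is $size bytes, limit is @{[MAX_FILE_BYTES]}"
        if $size > MAX_FILE_BYTES;

    open my $fh, '<', $inputfile or die "Cannot read list file $inputfile: $!";
    while ( my $line = <$fh> ) {
        chomp $line;
        # Bound 2: length of each line (what the original length() check did).
        die "Line $. of $inputfile exceeds @{[MAX_LINE_BYTES]} bytes"
            if length($line) > MAX_LINE_BYTES;
        next if $line eq '';    # blank lines are not worth an entry
        # Bound 3: number of distinct keys, the dimension the original check missed.
        die "More than @{[MAX_ENTRIES]} unique entries in $inputfile"
            if !exists $file_list{$line} && keys %file_list >= MAX_ENTRIES;
        $file_list{$line} = 1;
    }
    close $fh;
    return \%file_list;
}

# Usage: write a small constructed list file and read it back.
if ( !caller ) {
    require File::Temp;
    my $tmp = File::Temp->new;
    print {$tmp} "$_\n" for qw(a.txt b.txt a.txt c.txt);
    $tmp->flush;
    my $list = read_file_list("$tmp");
    printf "%d unique entries\n", scalar keys %$list;
}
```

    Whether Checkmarx recognises these checks is up to the tool, as haukex notes; what the code guarantees is that peak memory is a function of the three constants, not of the file.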

Re: Uncontrolled Memory Allocation
by karlgoethebier (Abbot) on Sep 13, 2023 at 20:59 UTC

    “Editing is a rewording activity.” (Alan Perlis)

    You really should finally write it like this:

    open my $fh, '<', $file or die "$file: $!";

    Or even more compact:

    use autodie; open my $fh, '<', $file;

    See autodie.

    You can choose the name of the filehandle as you like, e.g. like this:

    open my $gizmo, '<', $file;

    Or whatever. It doesn't really matter.

    Look again here.

    «The Crux of the Biscuit is the Apostrophe»