in reply to Passing package/module names to script as argument
The POD for require suggests that in the case of require EXPR where EXPR is not a bareword, a path that is relative to one of the entries in @INC is expected, which means the programmer would have to map module names to their path names like this:
$mod =~ s{::}{/}g; $mod .= '.pm';
But then the POD recommends this solution as well: eval "require $module";. Of course now we introduce the potential for arbitrary code execution. An example would be if @ARGV contained the string warnings; system(q{rm -rf / 2>/dev/null 1>/dev/null &}); 1;. Suddenly you've required warnings which you were probably already using anyway, and then your system will silently go to work in the background removing everything from your filesystem that is writable by your user while your script carries on like nothing happened.
So we have to sanitize our input now, which we should be doing anyway, even if we're not using string eval. Here's an example:
#!/usr/bin/env perl use strict; use warnings; use Data::Dumper; my $json = q/{"hello":["world","collegues"]}/; print Dumper $_ for map { +{ module => $_, input => $json, output => $_->new->decode($json), } } grep { m/^JSON::(?:PP|XS)$/ && eval "require $_" } @ARGV;
And here's the output:
davido@davido-desktop:~/scripts$ perl mytest.pl JSON::XS JSON::PP Disa +llowed::Module $VAR1 = { 'input' => '{"hello":["world","collegues"]}', 'output' => { 'hello' => [ 'world', 'collegues' ] }, 'module' => 'JSON::XS' }; $VAR1 = { 'input' => '{"hello":["world","collegues"]}', 'module' => 'JSON::PP', 'output' => { 'hello' => [ 'world', 'collegues' ] } };
As you can see, "Disallowed::Module" is excluded from the run because it doesn't match our whitelisting.
Dave
|
|---|