in reply to Re^2: Extending a perl program with Scheme, Lua, or JS
in thread Extending a perl program with Scheme, Lua, or JS

Thanks for the warning, but as mentioned in the OP, it's not a web app.

Re^4: Extending a perl program with Scheme, Lua, or JS
by hippo (Archbishop) on Feb 10, 2019 at 11:57 UTC

    That's OK. Injection attacks are equally plausible against non-web apps too. Indeed the very example to which Brother afoken drew your attention did not attack web apps, predating the web as it did. If you are writing scripts of any sort and not using taint mode you will reap what you sow.

      That's OK. Injection attacks are equally plausible against non-web apps too. Indeed the very example to which Brother afoken drew your attention did not attack web apps, predating the web as it did. If you are writing scripts of any sort and not using taint mode you will reap what you sow.

      I guess you're referring to the Morris worm? Hm...if I try to imagine an exploit using this functionality in my GUI app, I don't really think it would have much to do with shelling out or code injection. The purpose of this extension mechanism is to let the user execute their own arbitrary code. So I guess I could do a kind of Trojan horse attack, where I would put malicious code in the file containing my students' grades, then send the file to other people and try to get them to open the file. This seems a little implausible both because my user base is extremely small and because normally people aren't showing other people their students' grades, unless it's something like a TA showing them to the main instructor for a course.

      But in principle you're right, and that's probably an argument for using either a small, non-Turing complete language or a language that can be sandboxed. It looks like I'm going to use Guile, and Guile does have a sandboxing method in versions 2.2.1+.

        Note that the whole shelling out security issues only arise if one actually calls the shell. There are plenty of ways to avoid that, especially on *NIX - I wrote a longer node about exactly that topic (with example code) here.

        And yes, I agree that you should definitely sandbox any code you run. I know this is possible in Lua, and it should apply to JavaScript as well, although I haven't looked at JE closely enough yet to say if that's the default behavior. OTOH sandboxing Perl is quite difficult.
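An added example (mine, not code from anyone in the thread) of the two defences raised above, taint mode and avoiding the shell, as they would look in the Perl host program; the file-name allow-list pattern and the `wc` command are assumptions chosen for illustration:

```perl
#!/usr/bin/perl -T
# Taint mode (-T) is on: data from outside the program (@ARGV, %ENV,
# file contents) is tainted and cannot reach system(), exec(), open()
# and friends until it has been explicitly untainted.
use strict;
use warnings;

# Taint mode also refuses to run external programs with an insecure
# environment, so pin PATH and drop the shell-influencing variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of a user-supplied file name, or die.
# The allow-list pattern is an assumption for this example: only a plain
# basename of safe characters is accepted. A regex capture is the one
# operation Perl treats as untainting, so the allow-list is the policy.
sub untaint_filename {
    my ($raw) = @_;
    die "refusing empty file name\n" unless defined $raw && length $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9._-]+)\z/
        or die "refusing unsafe file name: $raw\n";
    die "refusing dot-file name: $clean\n" if $clean =~ /\A\./;
    return $clean;
}

# Run an external program without a shell. The list form of system()
# hands each element to execvp() as one argv entry, so a semicolon or
# backtick inside $file stays data instead of becoming shell syntax.
sub run_without_shell {
    my ($file) = @_;
    my @cmd = ('wc', '-l', '--', $file);   # '--' stops option parsing
    my $status = system @cmd;
    die "wc failed (exit status $?)\n" if $status != 0;
    return $status;
}

# Contrast, for comparison only: a single string is handed to /bin/sh,
# which parses metacharacters in the file name as commands.
#   system("wc -l $file");

if (!caller) {
    my $name = untaint_filename($ARGV[0] // 'grades.csv');
    run_without_shell($name);
}
```

Run it as `perl -T thisfile.pl grades.csv`; passing a name with shell metacharacters dies in untaint_filename before anything is executed, and omitting -T makes Perl refuse to start because the script line requests it.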

Re^4: Extending a perl program with Scheme, Lua, or JS
by Anonymous Monk on Feb 10, 2019 at 13:25 UTC
    Forget attacks, protect against stupid typos that cost you data