When downloading a CPAN module I quite blindly trust it to make no harm to my machine (which is stupid I know) but a recent blog post pointed to some code that is not (yet) on CPAN and I started to think how could I check if I can run that code safely on my machine?

I guess the best would be to create a new user and run it as that user but that sounds like too much work on one hand and not good enough on the other hand. (e.g. the code could still send out information about my machine)

So I was wondering how could I check if a the code is secure? I could read it hoping that I will recognize issues but that might be too much work and I can easily miss the important part. I think a better approach would be to check for any code that might be dangerous and check only that part.

I was thinking what could be dangerous and here is a short list I came up with:

The use of system, exec, qx, backtick, string eval, open with pipe, unlink.

I am sure I missed a few. Any other expression that you think might be dangerous?

Of course loading of any module via use, require or do would expose us to further dangers so I need to do the above check on all the modules that are loaded by the code recursively. That's still the same thing as above.

The last piece here is to make sure we know which files are actually loaded by the code so if I check /home/foo/code/File.pm I can be sure that file will be loaded and not some other File.pm i have not checked. For this I need to check for the appearance of use lib and @INC in the code.

I am quite sure I am not the first one to need this. Any solution that you might know of?

In reply to Is this code secure, can I test it on my machine? by szabgab

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.