in reply to Ideas Wanted for Perl::Critic Security Policies

Using the 3-parameter form of open would be a good practice to check for. It would be good to warn about system or exec calls that pass arguments inside the first parameter (i.e. system("$command $arg1 $arg2") instead of system($command, $arg1, $arg2)).

If practical, warning about DBI statements that use inline variables where prototypes are better (i.e. $dbh->prepare("update table set my_val = $somevalue") instead of $dbh->prepare("update table set my_val = ?")). I'm guessing that would be a challenge, but it sure would be nifty.

Yes, proper untainting would probably solve these issues, but I've seen too many coders untaint such things extremely poorly.

<radiant.matrix>
A collection of thoughts and links from the minds of geeks
The Code that can be seen is not the true Code
I haven't found a problem yet that can't be solved by a well-placed trebuchet

Replies are listed 'Best First'.
Re^2: Ideas Wanted for Perl::Critic Security Policies
by davidrw (Prior) on Jul 01, 2006 at 00:40 UTC
    Using the 3-parameter form of open would be a good practice to check for.
     There's a InputOutput::ProhibitTwoArgOpen in the Perl::Critic distro already..

    The DBI one would be a 'challenge' :) .. not sure how it'd be possible to distinguish between $dbh->prepare("update table set my_val = $somevalue") (NOT OK) and $dbh->prepare("update $TABLENAME set my_val = ?") (OK) without actually parsing the sql .. plus there's the circumvention of $sql = "update table set my_val = $somevalue"; $sth=$dbh->prepare($sql); as well (or can you back-trace that w/PPI?)..

    I took a crack at the system/exec one (see RFC: Perl-Critic policy: ProhibitInlineSystemArgs), though i think there's problems catching all of those, too.. e.g. system( join(" ", $cmd, @args) )
[reply]
[d/l]
[select]

In Section Meditations