in reply to Re^2: Assessing the complexity of regular expressions
in thread Assessing the complexity of regular expressions

It's always good to be on the lookout for security issues. However, just whose code do you plan on using Perl::Critic to critique? Isn't the idea to get people who are already able to execute arbitrary code on your team's systems to think about what they are doing? I'm not sure I'd want to run any random code from out in the wild through any part of Perl::Critic or any other development tool without checking for nasty things like that first. Perhaps in the right context, this safety risk is totally acceptable. In what situation are you using Perl::Critic that this would be a serious problem?
  • Comment on Re^3: Assessing the complexity of regular expressions

Replies are listed 'Best First'.
Re^4: Assessing the complexity of regular expressions
by kyle (Abbot) on Jan 27, 2009 at 20:19 UTC

    There's a web service at http://perlcritic.com/ which will run Perl::Critic over code sent in from the web. I'm sure they'd like to keep that as safe as possible.

    There's a Perl::Critic::Dynamic distribution just for collecting policies that have to compile the code to run, but I suspect it doesn't get much use. The only policy in it is Perl::Critic::Policy::Dynamic::ValidateAgainstSymbolTable. If I wanted to score regular expressions using re as tilly suggests, it would have to go in with the (one) other dynamic policy, which doesn't seem desirable considering users who already expect that functionality in the core distribution.

[reply]

In Section Meditations