in reply to Validating Regular Expression

Eval is great for getting perl to tell you if something is technically legal or not. But I have a concern.

The task is a little more complex than that. You will have to prevent the (?{code}) construct from finding its way into your user's input, lest they manage to inject some unsavory tidbit into your system. That's just the start. Will your users have the ability to input REs that are expressed in /x terms? (In other words, where whitespace is not relevant.) They could always use (?x:.....), or any of the other legal options to sort of control the RE's destiny, possibly in a way that you weren't intending. I think that the greater task is not in validating the RE's viability, so much as evaluating its security risk.

As for validating its viability, eval isn't such a bad tool. You would be able to let perl tell you if there's a problem. But perl cannot know if there's a security breach.

I don't know all the possible risks that you should test for. But at minimum disallowing code blocks would be a start.


Dave

Re^2: Validating Regular Expression
by ikegami (Patriarch) on Feb 15, 2011 at 17:46 UTC
    As mentioned, patterns that execute arbitrary code are disabled by default when interpolating. There is one thing to keep in mind though: It's easy to construct a pattern that will take longer than the life of the universe to (fail to) match.
Re^2: Validating Regular Expression
by kennethk (Abbot) on Feb 15, 2011 at 16:42 UTC
    I could just be timid, but I would not trust myself to filter this type of input from an untrusted source. Nefarious people are sometimes smarter than me and always have more time and motivation, so I would not put this tool anywhere they could use it to elevate permissions. Sure you could swap my routine above to
    sub validate {
        my $pat = shift;
        return if $pat =~ /\(\?{1,2}\{/;   # reject "(?{ ... })" and "(??{ ... })" code blocks
        return eval { qr/$pat/ };          # undef (with $@ set) if the pattern does not compile
    }
    to filter out code evaluation and pattern code expressions (A bit of magic: executing Perl code in a regular expression), but I'm sure I'd miss some clever escape or exploit of the regex engine. This is the sort of thing where the feature is not worth the effort to secure it properly.
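Putting kennethk's filter together with ikegami's caveat about runaway matches: the following is an added example, not code posted in the thread, that rejects code blocks, compiles under eval, and then runs the match in a forked child under a wall-clock limit. The sample patterns, the test string and the two-second limit are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(WNOHANG);

# Step 1: refuse code blocks outright. Perl already dies on "(?{...})" in an
# interpolated pattern unless `use re 'eval'` is active; this check just
# turns that into a clear, early rejection with a readable message.
sub has_code_block {
    my ($pat) = @_;
    return $pat =~ /\(\?\??\{/ ? 1 : 0;   # matches "(?{" and "(??{"
}

# Step 2: compile under eval{} so a syntax error becomes a message, not a die.
sub compile_pattern {
    my ($pat) = @_;
    return (undef, "code blocks are not allowed") if has_code_block($pat);
    my $re = eval { qr/$pat/ };
    return (undef, "invalid pattern: $@") unless defined $re;
    return ($re, undef);
}

# Step 3: run the match in a child with a time limit. Perl delivers signals
# between opcodes, so alarm() cannot reliably interrupt one long-running
# match (see perlipc, "Deferred Signals"); killing a forked child can.
sub match_with_timeout {
    my ($re, $text, $seconds) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    exit(($text =~ $re) ? 0 : 1) if $pid == 0;   # child: exit status = result
    my $deadline = time + $seconds;
    while (time < $deadline) {
        return (($? >> 8) == 0 ? 1 : 0) if waitpid($pid, WNOHANG) == $pid;
        select(undef, undef, undef, 0.05);       # sleep 50 ms between polls
    }
    kill 'KILL', $pid;
    waitpid($pid, 0);
    return 'timeout';
}

# Constructed sample inputs: a sane pattern, a code block, a syntax error and
# a nested-quantifier pattern of the kind that can backtrack exponentially.
for my $pat ('^\d{3}-\d{4}$', '(?{ 1 })', '(unclosed', '^(\w+\s?)*$') {
    my ($re, $err) = compile_pattern($pat);
    if ($err) { print "$pat => rejected: $err\n"; next; }
    my $r = match_with_timeout($re, ('a' x 25) . '!', 2);
    print "$pat => ", ($r eq 'timeout' ? 'timed out' : "match=$r"), "\n";
}
```

Whether the last sample actually exceeds the limit depends on the engine's optimisations; the point is that the application survives either way instead of hanging.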

      Hi,

      I'm not too worried about them trying to attack using this. It's their own PC it's running on! Would be a pain if it was a web application or similar but this is just a local Tk app.

      If they can escalate privileges in any way then that's a fault in the OS or the IT setup. Either way, Not My Problem (Tm)!!

      Graham

Re^2: Validating Regular Expression
by JavaFan (Canon) on Feb 15, 2011 at 16:53 UTC
    You will have to prevent the (?{code}) construct from finding its way into your user's input, lest they manage to inject some unsavory tidbit into your system.
    That's not more complicated than not typing use re 'eval';. That is, by default, Perl doesn't honour (?{code}) constructs in interpolated code.
Re^2: Validating Regular Expression
by Anonymous Monk on Feb 15, 2011 at 16:37 UTC

    Hi,

    Thanks for the answers. I'm not too worried about security; it's a real application running on the user's own PC (Tk GUI). The only thing the user's going to be able to break is their own PC, and that's between them and their IT guys!! If it was for a website or similar public access I'd be more concerned.

    Graham