Evaluating user-defined conditions

Iain C Docherty londonperlmongers at iandocherty.com
Tue Jun 10 09:05:46 BST 2014


If you want to be extra careful of user input you may want to look at
Docker. http://www.docker.com/

This should give you the highest level of security against user input.

We are using it to run users' untrusted code.

- icydee


On 10 June 2014 08:20, Abigail <abigail at abigail.be> wrote:

> On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote:
> > On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote:
> > > Dear all,
> > >
> > > I'd like to take a condition specified by a user and use it to perform a
> > > set of tests on a data set. Is there a module to do this?
> >
> > Thanks for all the replies.
> >
> > Indeed, I can't trust the user input, but nonetheless I wondered whether
> > I could still use eval, but heavily sanitise the input. It seems a lot
> > easier than using a parser.
>
> Doubtful.
>
> > Can anyone see anything wrong with the following? The user-supplied
> > variables are specified in square brackets, e.g. "[age]"
> >
> >     # Sub in the variable values
> >     foreach my $var (@variables)
> >     {
> >         my $value = ... # Could be a string in quotes
> >         $code =~ s/\[$var\]/$value/gi;
> >     }
> >
> >     # Sanitise
> >     $_ = $code;
> >     return unless /^[ \S]+$/;               # Only allow normal spaces
> >     return if /[\[\]]+/;                    # No brackets should remain
> >     return if /\\/;                         # No escapes please
> >     s/"[^"]+"//g;                           # Remove quoted strings
> >     m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
>
>
> So, you're excluding having any alpha char (except 'eq') in the resulting
> expression? Because that's what the last line does. Perhaps that's your
> intention, because I've no idea what $value is going to be, other than
> "it could be a string in quotes".
>
> Now, if you do allow for alpha characters to be present, you have to make
> sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr,
> s, m, and y can take any delimiter).
>
>
>
> Abigail
>
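As an added example (not code from the thread or from any of its authors), this is the parser route Abigail's reply points to: a tokeniser and a small recursive-descent evaluator for the grammar Andrew's sanitiser was trying to allow (numbers, quoted strings, [var] references, comparisons, && and parentheses), so nothing the user types is ever handed to eval. The names tokenise, parse_condition, evaluate and %compare, and the sample records, are assumptions.

```perl
use strict; use warnings;
# Tokeniser: only these token shapes exist, so q//, qw//, system and friends
# never reach anything that executes. Variables use the thread's "[age]" style.
sub tokenise {
    my ($src, @tok) = @_;
    while ($src =~ /\G\s*(?:(\d+(?:\.\d+)?)|"([^"]*)"|\[(\w+)\]|(&&|==|<|>|eq|[()]))/gc) {
        push @tok, defined $1 ? [num => $1] : defined $2 ? [str => $2]
                 : defined $3 ? [var => $3] : [op  => $4];
    }
    die "Unexpected input at offset " . (pos($src) // 0) . "\n" if $src !~ /\G\s*\z/gc;
    return \@tok;
}
# Recursive-descent parser (and-expr > comparison > primary) producing an AST.
sub parse_condition {
    my ($tok, $i) = (tokenise(shift), 0);
    my $is_op = sub { my $t = $tok->[$i]; $t && $t->[0] eq 'op' && $t->[1] =~ $_[0] };
    my ($and, $primary);
    $primary = sub {
        my $t = $tok->[$i++] or die "Unexpected end of condition\n";
        return $t unless $t->[0] eq 'op';                # num / str / var leaf
        die "Unexpected '$t->[1]'\n" unless $t->[1] eq '(';
        my $node = $and->();
        die "Expected ')'\n" unless $is_op->(qr/^\)$/) && ++$i;
        return $node;
    };
    my $cmp = sub {
        my $left = $primary->();
        return $left unless $is_op->(qr/^(?:==|<|>|eq)$/);
        return [ $tok->[$i++][1], $left, $primary->() ];
    };
    $and = sub { my $n = $cmp->(); $n = ['&&', $n, $cmp->()] while $is_op->(qr/^&&$/) && ++$i; $n };
    my $ast = $and->();
    return $i == @$tok ? $ast : die "Trailing input after condition\n";
}
# Evaluate the AST against one record; an unknown variable is an error, not code.
my %compare = ('==' => sub { $_[0] == $_[1] }, '<'  => sub { $_[0] <  $_[1] },
               '>'  => sub { $_[0] >  $_[1] }, 'eq' => sub { $_[0] eq $_[1] });
sub evaluate {
    my ($node, $rec) = @_; my ($kind, $l, $r) = @$node;
    return $l if $kind eq 'num' || $kind eq 'str';
    return exists $rec->{$l} ? $rec->{$l} : die "Unknown variable [$l]\n" if $kind eq 'var';
    return (evaluate($l, $rec) && evaluate($r, $rec)) ? 1 : 0 if $kind eq '&&';
    return $compare{$kind}->(evaluate($l, $rec), evaluate($r, $rec)) ? 1 : 0;
}
# Constructed sample data and a user-written condition; nothing is ever eval'd.
my @people = ({ name => "Alice", age => 34 }, { name => "Bob", age => 17 });
my $ast = parse_condition('[age] > 18 && ([name] eq "Alice")');
print "$_->{name}: ", (evaluate($ast, $_) ? "match" : "no match"), "\n" for @people;
eval { parse_condition('system qw xrm -rf foox') }; print "Rejected: $@" if $@;
```

Because the grammar is closed, adding an operator means adding a token and a %compare entry, and anything outside it (bare words, quote-like operators, backslashes) dies in the tokeniser rather than being interpreted.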

