Evaluating user-defined conditions
Iain C Docherty
londonperlmongers at iandocherty.com
Tue Jun 10 09:05:46 BST 2014
If you want to be extra careful of user input you may want to look at
Docker. http://www.docker.com/
This should give you the highest level of security against user input.
We are using it to run users' untrusted code.
- icydee
On 10 June 2014 08:20, Abigail <abigail at abigail.be> wrote:
> On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote:
> > On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote:
> > > Dear all,
> > >
> > > I'd like to take a condition specified by a user and use it to perform a
> > > set of tests on a data set. Is there a module to do this?
> >
> > Thanks for all the replies.
> >
> > Indeed, I can't trust the user input, but nonetheless I wondered whether
> > I could still use eval, but heavily sanitise the input. It seems a lot
> > easier than using a parser.
>
> Doubtful.
>
> > Can anyone see anything wrong with the following? The user-supplied
> > variables are specified in square brackets, e.g. "[age]"
> >
> > # Sub in the variable values
> > foreach my $var (@variables)
> > {
> > my $value = ... # Could be a string in quotes
> > $code =~ s/\[$var\]/$value/gi;
> > }
> >
> > # Sanitise
> > $_ = $code;
> > return unless /^[ \S]+$/; # Only allow normal spaces
> > return if /[\[\]]+/; # No brackets should remain
> > return if /\\/; # No escapes please
> > s/"[^"]+"//g; # Remove quoted strings
> > m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
>
>
> So, you're excluding having any alpha char (except 'eq') in the resulting
> expression? Because that's what the last line does. Perhaps that's your
> intention, because I've no idea what $value is going to be, other than
> "it could be a string in quotes".
>
> Now, if you do allow for alpha characters to be present, you have to make
> sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
> and y can take any delimiter).
>
>
>
> Abigail
>
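The quoted exchange above shows why "substitute the values into the text, then filter, then eval" is hard to get right: once a value is spliced into Perl source, any quote-like construct can reopen the door. The alternative Andrew considered and Abigail pointed towards is a small parser that accepts only the grammar the condition needs and treats variable values as data. The following is an added example, not code from the thread; the sub names, the supported operators (`&& < > eq + - * /`, numbers, double-quoted strings, `[name]` variables looked up in a hash reference) and the sample data are my own assumptions.

```perl
use strict; use warnings;
# Recursive-descent evaluator for conditions such as '[age] > 18 && [name] eq "Bob"'.
my @LEVELS = ( [qw(&&)], [qw(< > eq)], [qw(+ -)], [qw(* /)] );   # low to high precedence
sub num { $_[0] =~ /^-?\d+(?:\.\d+)?$/ or die "not a number: '$_[0]'\n"; $_[0] }
sub apply {                          # fold one binary operator; comparisons yield 1 or 0
    my ($op, $l, $r) = @_;
    return $l && $r ? 1 : 0 if $op eq '&&';
    return $l eq $r ? 1 : 0 if $op eq 'eq';
    ($l, $r) = (num($l), num($r));   # < > + - * / require numbers on both sides
    return $op eq '<' ? ($l < $r ? 1 : 0) : $op eq '>' ? ($l > $r ? 1 : 0)
         : $op eq '+' ? $l + $r : $op eq '-' ? $l - $r : $op eq '*' ? $l * $r : $l / $r;
}
sub tokenize {                       # variable values become VAL tokens (data, never source)
    my ($code, $vars) = @_;
    my @tokens; pos($code) = 0;
    while (pos($code) < length($code)) {
        if    ($code =~ /\G\s+/gc)                 { next }
        elsif ($code =~ /\G(\d+(?:\.\d+)?)/gc)     { push @tokens, [VAL => $1] }
        elsif ($code =~ /\G"([^"]*)"/gc)           { push @tokens, [VAL => $1] }
        elsif ($code =~ /\G\[(\w+)\]/gc)           { push @tokens, [VAL => $vars->{$1} // die "unknown variable [$1]\n"] }
        elsif ($code =~ /\G(&&|eq|[-+*\/()<>])/gc) { push @tokens, [OP  => $1] }
        else { die "unexpected input at: " . substr($code, pos($code)) . "\n" }
    }
    return \@tokens;
}
sub parse_expr {                     # precedence climbing over @LEVELS
    my ($t, $level) = @_;
    return parse_factor($t) if $level > $#LEVELS;
    my $v = parse_expr($t, $level + 1);
    while (@$t && $t->[0][0] eq 'OP' && grep { $_ eq $t->[0][1] } @{ $LEVELS[$level] }) {
        $v = apply((shift @$t)->[1], $v, parse_expr($t, $level + 1));
    }
    return $v;
}
sub parse_factor {                   # a value or a parenthesised sub-expression
    my ($t) = @_;
    my $tok = shift @$t or die "unexpected end of condition\n";
    return $tok->[1] if $tok->[0] eq 'VAL';
    die "unexpected token '$tok->[1]'\n" unless $tok->[1] eq '(';
    my ($v, $close) = (parse_expr($t, 0), shift @$t);
    die "missing )\n" unless $close && $close->[0] eq 'OP' && $close->[1] eq ')';
    return $v;
}
sub evaluate_condition {             # ($condition, \%variables) -> 1 or 0, or dies
    my $t = tokenize(@_);
    my $v = parse_expr($t, 0);
    die "trailing input '$t->[0][1]'\n" if @$t;
    return $v;
}
print evaluate_condition('[age] > 18 && [name] eq "Bob"', { age => 21, name => 'Bob' }), "\n";
```

Because a variable's value enters as a token rather than as text, a value such as the `system qw xrm -rf foox` string from Abigail's reply can only ever be compared, never executed; anything the tokenizer does not recognise (letters outside brackets, backslashes, single quotes) dies before evaluation starts.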