add perlcritic module to disallow system/exec
This commit is contained in:
Jörg Thalheim
@@ -5,3 +5,6 @@ severity = 1
|
||||
|
||||
# Disallow backticks - use IPC::Run3 instead for better security
|
||||
include = InputOutput::ProhibitBacktickOperators
|
||||
|
||||
# Prohibit shell-invoking system() and exec() - use list form or IPC::Run3 instead
|
||||
include = Hydra::ProhibitShellInvokingSystemCalls
|
||||
|
||||
@@ -0,0 +1,103 @@
|
||||
package Perl::Critic::Policy::Hydra::ProhibitShellInvokingSystemCalls;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use constant;
|
||||
|
||||
use Perl::Critic::Utils qw{ :severities :classification :ppi };
|
||||
use base 'Perl::Critic::Policy';
|
||||
|
||||
our $VERSION = '1.000';
|
||||
|
||||
use constant DESC => q{Shell-invoking system calls are prohibited};
|
||||
use constant EXPL => q{Use list form system() or IPC::Run3 for better security. String form invokes shell and is vulnerable to injection};
|
||||
|
||||
sub supported_parameters { return () }
|
||||
sub default_severity { return $SEVERITY_HIGHEST }
|
||||
sub default_themes { return qw( hydra security ) }
|
||||
sub applies_to { return 'PPI::Token::Word' }
|
||||
|
||||
sub violates {
|
||||
my ( $self, $elem, undef ) = @_;
|
||||
|
||||
# Only check system() and exec() calls
|
||||
return () unless $elem->content() =~ /^(system|exec)$/;
|
||||
return () unless is_function_call($elem);
|
||||
|
||||
# Skip method calls (->system or ->exec)
|
||||
my $prev = $elem->sprevious_sibling();
|
||||
return () if $prev && $prev->isa('PPI::Token::Operator') && $prev->content() eq '->';
|
||||
|
||||
# Get first argument after function name, skipping whitespace
|
||||
my $args = $elem->snext_sibling();
|
||||
return () unless $args;
|
||||
$args = $args->snext_sibling() while $args && $args->isa('PPI::Token::Whitespace');
|
||||
|
||||
# For parenthesized calls, look inside
|
||||
my $search_elem = $args;
|
||||
if ($args && $args->isa('PPI::Structure::List')) {
|
||||
$search_elem = $args->schild(0);
|
||||
return () unless $search_elem;
|
||||
}
|
||||
|
||||
# Check if it's list form (has comma)
|
||||
my $current = $search_elem;
|
||||
if ($current && $current->isa('PPI::Statement')) {
|
||||
# Look through statement children
|
||||
for my $child ($current->schildren()) {
|
||||
return () if $child->isa('PPI::Token::Operator') && $child->content() eq ',';
|
||||
}
|
||||
} else {
|
||||
# Look through siblings for non-parenthesized calls
|
||||
while ($current) {
|
||||
return () if $current->isa('PPI::Token::Operator') && $current->content() eq ',';
|
||||
last if $current->isa('PPI::Token::Structure') && $current->content() eq ';';
|
||||
$current = $current->snext_sibling();
|
||||
}
|
||||
}
|
||||
|
||||
# Check if first arg is array variable
|
||||
my $first = $search_elem->isa('PPI::Statement') ?
|
||||
$search_elem->schild(0) : $search_elem;
|
||||
return () if $first && $first->isa('PPI::Token::Symbol') && $first->content() =~ /^[@]/;
|
||||
|
||||
# Check if it's a safe single-word command
|
||||
if ($first && $first->isa('PPI::Token::Quote')) {
|
||||
my $content = $first->string();
|
||||
return () if $content =~ /^[a-zA-Z0-9_\-\.\/]+$/;
|
||||
}
|
||||
|
||||
return $self->violation( DESC, EXPL, $elem );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
__END__
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
Perl::Critic::Policy::Hydra::ProhibitShellInvokingSystemCalls - Prohibit shell-invoking system() and exec() calls
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
This policy prohibits the use of C<system()> and C<exec()> functions when called with a single string argument,
|
||||
which invokes the shell and is vulnerable to injection attacks.
|
||||
|
||||
The list form (e.g., C<system('ls', '-la')>) is allowed as it executes directly without shell interpretation.
|
||||
For better error handling and output capture, consider using C<IPC::Run3>.
|
||||
|
||||
=head1 CONFIGURATION
|
||||
|
||||
This Policy is not configurable except for the standard options.
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
Hydra Development Team
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright (c) 2025 Hydra Development Team. All rights reserved.
|
||||
|
||||
=cut
|
||||
@@ -10,4 +10,7 @@ my $dirname = abs_path(dirname(__FILE__) . "/..");
|
||||
print STDERR "Executing perlcritic against $dirname\n";
|
||||
chdir($dirname) or die "Failed to enter $dirname\n";
|
||||
|
||||
# Add src/lib to PERL5LIB so perlcritic can find our custom policies
|
||||
$ENV{PERL5LIB} = "src/lib" . ($ENV{PERL5LIB} ? ":$ENV{PERL5LIB}" : "");
|
||||
|
||||
exec("perlcritic", ".") or die "Failed to execute perlcritic.";
|
||||
|
||||
Reference in New Issue
Block a user