PerlMonks  

FindBin and Tainted

by mikkoi (Beadle)
on Aug 14, 2020 at 09:36 UTC

mikkoi has asked for the wisdom of the Perl Monks concerning the following question:

I have the following code:

    use strict;
    use warnings;
    use FindBin 1.51 qw( $RealBin );
    use lib "$RealBin/../lib";
    use MyLib;

When I run it with Perl 5.28.1 as perl -T ./bin/perl-taint.pl, I get the following error:

    Insecure dependency in require while running with -T switch at ./bin/perl-taint.pl line 7.
    BEGIN failed--compilation aborted at ./bin/perl-taint.pl line 7.

FindBin operates in a BEGIN section, so how, if possible, can I untaint the path?

Re: FindBin and Tainted
by kcott (Archbishop) on Aug 14, 2020 at 10:25 UTC

    G'day mikkoi,

    You'll find a lot of information about taint mode in perlsec. In particular, for your problem, look at the "Laundering and Detecting Tainted Data" section. Here's a version of the regex solution, shown in that section, for your specific problem:

    $ cat ../lib/MyLib.pm
    package MyLib;
    our $VERSION = '1.23';
    1;
    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib "$RealBin/../lib"; use MyLib; print $MyLib::VERSION;'
    Insecure dependency in require while running with -T switch at -e line 1.
    BEGIN failed--compilation aborted at -e line 1.
    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/ && $1]}; use MyLib; print $MyLib::VERSION;'
    1.23

    Update (minor code improvement): Just after posting, I realised you don't actually need the ' && $1' part:

    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/]}; use MyLib; print $MyLib::VERSION;'
    1.23

    — Ken

      The problem is that FindBin does its magic inside a BEGIN segment. Otherwise the variable wouldn't be usable in the lib command, which also operates within a BEGIN segment.

Re: FindBin and Tainted
by haj (Vicar) on Aug 14, 2020 at 10:36 UTC

    You can apply the usual untainting mantra by also using a BEGIN section:

    use strict;
    use warnings;
    use FindBin 1.51 qw( $RealBin );
    BEGIN {
        ($RealBin) = $RealBin =~ /(.+)/;
    }
    use lib "$RealBin/../lib";
    use MyLib;

    Of course, you need to trust your installation to not mess with the current working directory (because this is why $RealBin comes out tainted in the first place).

      This works. But is there any way to do the same without using the same $RealBin variable (which belongs to FindBin)?

        Sure, you can use a copy, to be declared outside of the BEGIN block:

        use strict;
        use warnings;
        use FindBin 1.51 qw( $RealBin );
        my $untainted_bin;
        BEGIN {
            ($untainted_bin) = $RealBin =~ /(.+)/;
        }
        use lib "$untainted_bin/../lib";
        use MyLib;
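The following script combines the two approaches given in this thread (kcott's restrictive character class and haj's untainted copy assigned inside a BEGIN block) into one runnable file with a runtime check. It is an added example, not code posted by kcott, haj or mikkoi; the character class, the die on mismatch and the taint_status helper are choices made here, and MyLib is deliberately not loaded so the script runs without the original poster's lib directory. Run it as perl -T script.pl; whether $RealBin itself is reported tainted depends on how the script is invoked (the original poster's case was a relative path under -T).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use FindBin 1.51 qw( $RealBin );
use Scalar::Util qw( tainted );

# Untainted copy of $RealBin. It must be declared before the BEGIN block
# so that the "use lib" line further down (also compile time) can see it.
my $untainted_bin;

BEGIN {
    # Accept only word characters, '/', '.' and '-' (a restricted class in
    # the spirit of kcott's reply; '-' is added here as an assumption).
    # A path containing anything else (newline, shell metacharacters, ...)
    # is rejected with die rather than laundered into @INC.
    ($untainted_bin) = $RealBin =~ m{\A([\w/.\-]+)\z}
        or die "Refusing to use unexpected script directory: '$RealBin'\n";
}

# Compile-time use of the laundered copy; the original $RealBin is untouched.
use lib "$untainted_bin/../lib";

# Helper (added here, not from FindBin) that reports the taint state of both
# variables and the directory that was pushed onto @INC.
sub taint_status {
    return {
        realbin_tainted   => tainted($RealBin)       ? 1 : 0,
        untainted_tainted => tainted($untainted_bin) ? 1 : 0,
        lib_dir           => "$untainted_bin/../lib",
    };
}

if ( !caller ) {
    my $status = taint_status();
    printf "\$RealBin tainted: %d, untainted copy tainted: %d\n",
        $status->{realbin_tainted}, $status->{untainted_tainted};
    print "lib dir: $status->{lib_dir}\n";
}
```

The difference from the /(.+)/ mantra above is the character class: /(.+)/ launders whatever the path happens to contain, so taint mode no longer tells you anything about it, whereas the anchored class makes an unexpected directory a hard failure at compile time. The untainted copy also leaves $RealBin as FindBin set it, which answers the question of not overwriting a variable that belongs to another module.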

Node Type: perlquestion [id://11120715]
Approved by kcott
Front-paged by Corion