PerlMonks  

Path Traversal Vulnerability

by Rishi2Monk (Novice)
on Dec 27, 2022 at 06:54 UTC ( [id://11149102] )

Rishi2Monk has asked for the wisdom of the Perl Monks concerning the following question:

Checkmarx finds the code below is not safe and says it is path-traversal vulnerable.

Source:

    # $con_folder is interpolated into a shell command line
    open(EXEC, "-|", "find $con_folder -name '*contribution.hygiene*' ");
    @contribution_hygiene_report_name = <EXEC>;
    # ...

Destination:

    # every variable is interpolated into the shell pipeline before it runs
    open(EXEC, "-|", "echo \"$filename\n$contribution_preget_report_name[0]\n$contribution_hygiene_report_name[0]\n$concfile\n$rpt_path\n$concdir\n\" | uda_consolidate.pl 2 >> /dev/null");
    $report_file = <EXEC>;

Kindly help me with the possible and best solution to fix these kinds of issues.

Re: Path Traversal Vulnerability
by haukex (Archbishop) on Dec 27, 2022 at 07:09 UTC

    Yes, the code isn't safe - see my node Calling External Commands More Safely.

    In the first case, I recommend using File::Find or File::Find::Rule instead of shelling out to find. In the second case, since you're apparently piping things to the command and from the command, I would suggest IPC::Run3 (assuming the input and output are not too big, as the module usually works via temporary files) - but it would also be worth looking into whether uda_consolidate.pl could be designed as a module callable directly from your script.

      Thanks for your quick reply. Unfortunately, my current Perl does not support either IPC::Run or IPC::Run3, and I could not install it as it needs access permissions. Can you please kindly let me know if there is a way to solve this with open() or system()?

        In addition to what Corion said, I already answered that question. In the case of the find, File::Find is a core module. And in the case of the Perl script, you can modify it so that it is directly callable from your Perl script, or at the very least, you can modify it so that it supports input and output via files (if it doesn't already); that is very easy to do in Perl, and then you can call it with a multi-argument system as I describe in the node I linked to.
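The two calls from the question rewritten along the lines haukex suggests (File::Find in place of shelling out to find, and a list-form call with no shell in place of the echo pipeline), as an added example that is not from the original thread or the poster's script. $base_dir as the allowed root, the sample values, and the assumption that uda_consolidate.pl reads its parameters from stdin and prints the report file name are mine.

```perl
#!/usr/bin/env perl
# Added example, not code from the original post. $con_folder, $filename,
# $concfile, $rpt_path and $concdir are the poster's variables; the values
# below are constructed, and $base_dir (the allowed root) is assumed.
use strict;
use warnings;
use File::Find qw(find);
use Cwd qw(realpath);
use IPC::Open2 qw(open2);          # core module, no shell involved

my $base_dir   = '/data/reports';               # assumed allowed root
my $con_folder = '/data/reports/2022/../2022';  # externally influenced
my ($filename, $preget, $concfile, $rpt_path, $concdir) = ('input.txt',
    'preget.txt', 'conc.cfg', '/data/reports/out', '/data/reports/conc');

# 1. Canonicalise and confine: realpath() resolves '..' and symlinks,
#    so a path that escapes $base_dir is rejected before any I/O.
sub confine_to {
    my ($root, $path) = @_;
    my $real_root = realpath($root) // die "bad root: $root\n";
    my $real_path = realpath($path) // die "no such directory: $path\n";
    die "path traversal rejected: $path\n"
        unless $real_path eq $real_root
            || index($real_path, "$real_root/") == 0;
    return $real_path;
}
$con_folder = confine_to($base_dir, $con_folder);

# 2. `find $con_folder -name '*contribution.hygiene*'` without a shell:
#    File::Find walks the tree itself, so shell metacharacters in the
#    folder name are ordinary characters. $_ is the basename, cwd is its dir.
my @contribution_hygiene_report_name;
find(sub {
    push @contribution_hygiene_report_name, $File::Find::name
        if -f $_ && /contribution\.hygiene/;
}, $con_folder);

# 3. `echo ... | uda_consolidate.pl` without a shell: open2() takes a
#    list, so every value reaches the script as data, never as syntax.
#    (Assumes uda_consolidate.pl reads its parameters from stdin and
#    prints the report file name; the input is small, so no deadlock.)
my $pid = open2(my $from_child, my $to_child, 'uda_consolidate.pl');
print $to_child map { "$_\n" } $filename, $preget,
    $contribution_hygiene_report_name[0] // '', $concfile, $rpt_path, $concdir;
close $to_child;                    # EOF tells the child the input is done
my $report_file = <$from_child>;
close $from_child;
waitpid($pid, 0);                   # reap; $? holds the exit status
```

If uda_consolidate.pl only needs to write its result somewhere, the file-based approach haukex describes lets a plain multi-argument system() replace open2() and avoids the pipe handling entirely.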


Node Type: perlquestion [id://11149102]
Approved by haukex
Front-paged by Corion