Comment: Added a taint-mode CS

...

use strict;
use warnings;
use DBI;

my $dbfile = "users.db";
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbfile","","")
  or die "Couldn't connect to database: " . DBI->errstr;

sub hash {
  # hash the password (left unimplemented; the hashing is not the point of this example)
}

print "Enter your id: ";
my $userid = <STDIN>;
chomp $userid;
print "Enter your password: ";
my $password = <STDIN>;
chomp $password;
my $hashed_password = hash( $password);

# Noncompliant: the untrusted $userid is interpolated directly into the SQL text,
# so input such as  ' OR '1'='1' --  changes the meaning of the query.
my $sth = $dbh->prepare("SELECT * FROM Users WHERE userid = '$userid' AND password = '$hashed_password'")
  or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute()
  or die "Couldn't execute statement: " . $sth->errstr;

if (my @data = $sth->fetchrow_array()) {
  my $username = $data[1];
  my $id = $data[2];
  print "Access granted to user: $username ($userid)\n";
}
else {
  # DBI does not guarantee a meaningful $sth->rows for SELECT statements,
  # so the outcome is decided by the fetch rather than by the row count.
  print "Invalid username / password. Access denied\n";
}

$sth->finish;
$dbh->disconnect;

Compliant Solution (Taint Mode)

Perl's taint mode is a quick way to locate potential injection points. It does not make the query safe by itself: it makes the program abort as soon as tainted (externally supplied) data reaches a sensitive operation, which pinpoints the code that still needs a real fix such as the placeholder-based query in the next compliant solution.

#!/usr/bin/perl -T
# ... beginning of code 

my $dbh = DBI->connect("dbi:SQLite:dbname=$dbfile","","")
  or die "Couldn't connect to database: " . DBI->errstr;
$dbh->{TaintIn} = 1;   # make DBI reject tainted arguments to its methods

# ... rest of code

When the program runs with -T and TaintIn is set, DBI refuses to let tainted data reach the database: the first DBI method that receives a tainted argument, here prepare() with the SQL string that interpolates $userid, dies immediately with an error message such as:

Insecure dependency in parameter 1 of DBI::db=HASH(0x17e4100)->prepare method call while running with -T switch at pl.pl line 29, <STDIN> line 2.

Both conditions are required. Taint mode is enabled with the -T switch (perl -T script.pl, or #!/usr/bin/perl -T on the first line), and the TaintIn attribute (or Taint, which sets both TaintIn and TaintOut) must be set on the connection handle, either after connect() as above or in the attribute hash passed to connect(). Without -T the attribute has no effect, and without the attribute DBI performs no taint checks even under -T. Note also that TaintIn applies to all method arguments, including the bind values passed to execute(), so tainted input must be validated and untainted with a regular-expression capture before it can be used even in a placeholder query. Taint mode therefore forces the validation step; it does not replace it.

Compliant Solution (prepared statement)

Fortunately, Perl's DBI library provides an API for building SQL commands that keeps untrusted data out of the statement text. Placeholders (?) in the SQL string passed to prepare() mark where the values go, and the values themselves are supplied to execute() (or bind_param()) as bound parameters. Because the data is handed to the driver separately from the SQL, it is never parsed as SQL, so no quoting or escaping of the input is needed and injection is prevented. This is an example of component-based sanitization. Placeholders can only stand in for values; table and column names cannot be bound and must still be checked against an allow-list if they come from outside the program.
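The following program is an added example written for this page, not code from the CERT standard; it combines the taint-mode solution above with the placeholder query described here so that both can be run end to end. It assumes DBD::SQLite is installed, builds a constructed in-memory Users table with two sample accounts, and uses Digest::SHA purely as a stand-in for a real password hash; the function names (hash_password, untaint_userid, build_db, lookup_user and the deliberately noncompliant lookup_user_interpolated) are this example's own.

```perl
#!/usr/bin/perl -T
# Added example for IDS33-PL, not code from the CERT page. Run as:
#   perl -T login_demo.pl
# Needs DBI and DBD::SQLite; Digest::SHA ships with Perl.
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

# Demo-only hash (assumption of this example). Real password storage needs
# a slow, salted password hash such as bcrypt, scrypt or Argon2.
sub hash_password {
    my ($password) = @_;
    my $hex = sha256_hex($password);
    # A regex capture is the only way to untaint data under -T; a hex digest
    # has a fixed alphabet, so capturing it is an explicit, safe validation.
    return $hex =~ /\A([0-9a-f]{64})\z/ ? $1 : die "unexpected digest format";
}

# Allow-list the id and untaint it in one step: anything that is not 1-32
# word characters is rejected before the database ever sees it.
sub untaint_userid {
    my ($raw) = @_;
    return unless defined($raw) && $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return $1;
}

# Constructed in-memory database with two sample users.
sub build_db {
    my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                           { RaiseError => 1, PrintError => 0 })
        or die "Couldn't connect to database: " . DBI->errstr;
    $dbh->{TaintIn} = 1;   # reject tainted arguments to DBI methods under -T
    $dbh->do("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT,"
           . " userid TEXT UNIQUE, password TEXT)");
    my $ins = $dbh->prepare(
        "INSERT INTO Users (username, userid, password) VALUES (?, ?, ?)");
    $ins->execute("Alice Example", "alice", hash_password("correct horse"));
    $ins->execute("Bob Example",   "bob",   hash_password("battery staple"));
    return $dbh;
}

# Noncompliant lookup, kept only to contrast with lookup_user() below.
sub lookup_user_interpolated {
    my ($dbh, $userid, $password) = @_;
    my $hashed = hash_password($password);
    my $sth = $dbh->prepare("SELECT username FROM Users WHERE userid = '$userid'"
                          . " AND password = '$hashed'");
    $sth->execute();
    my ($username) = $sth->fetchrow_array;
    $sth->finish;
    return $username;
}

# Compliant lookup: the values reach the driver as bound parameters, so the
# statement text is fixed and the input is never parsed as SQL.
sub lookup_user {
    my ($dbh, $userid, $password) = @_;
    my $sth = $dbh->prepare(
        "SELECT username FROM Users WHERE userid = ? AND password = ?");
    $sth->execute($userid, hash_password($password));
    my ($username) = $sth->fetchrow_array;
    $sth->finish;
    return $username;   # undef when nothing matched
}

my $dbh = build_db();

# 1. A classic injection string. It is a source literal, so it is not tainted
#    and both lookups run: only the interpolated one is fooled by it.
my $attack = "' OR '1'='1' --";
print "interpolated query: ", lookup_user_interpolated($dbh, $attack, "wrong") // "no match", "\n";
print "placeholder query:  ", lookup_user($dbh, $attack, "wrong") // "no match", "\n";

# 2. Anything read from STDIN is tainted. With -T and TaintIn, DBI refuses to
#    prepare a statement built from it (the "Insecure dependency" error above).
print "Enter your id: ";
my $raw_id = <STDIN> // "";  chomp $raw_id;
print "Enter your password: ";
my $raw_pw = <STDIN> // "";  chomp $raw_pw;

eval { $dbh->prepare("SELECT * FROM Users WHERE userid = '$raw_id'") };
print "prepare() on tainted input died: $@" if $@;

# 3. The way through taint mode is validation: untaint first, then bind.
my $userid = untaint_userid($raw_id);
my $username = defined $userid ? lookup_user($dbh, $userid, $raw_pw) : undef;
if (defined $username) {
    print "Access granted to user: $username ($userid)\n";
} else {
    print "Invalid username / password. Access denied\n";
}

$dbh->disconnect;
```

Run it with perl -T and type the attack string ' OR '1'='1' -- at the id prompt: step 1 shows the interpolated query returning Alice Example while the placeholder query reports no match, step 2 prints the Insecure dependency error for the tainted prepare(), and step 3 denies access because untaint_userid rejects the string before any query is made. Typing alice and correct horse instead grants access through the placeholder query. Two layers are deliberately at work: the placeholders are what prevent injection, and the regex capture is what taint mode demands before it will let the data be bound at all.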

...

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
IDS33-PL         high       likely       high               P9         L2

Automated Detection

Tool         Diagnostic
Taint mode   Insecure dependency in parameter \d* of DBI::db=.* method call

Related Guidelines

...