Perl provides several functions for list manipulation. For instance, the map()
function takes an expression or block, applies it to each element in a list, and returns the list of mapped elements. If it is given a block, the block is executed with $_
assigned to each element of the list in turn. The perlfunc manpage adds:
Note that
$_
is an alias to the list value, so it can be used to modify the elements of the LIST. While this is useful and supported, it can cause bizarre results if the elements of LIST are not variables. Using a regular "foreach" loop for this purpose would be clearer in most cases.
...
Code Block | ||||
---|---|---|---|---|
| ||||
open( PASSWD, "<", "/etc/passwd"); or croak "error opening /etc/passwd: stopped" my @users = <PASSWD>; my @shell_users = grep +(s|/bin/sh||), @users; foreach my $user (@shell_users) { print "Shell User: $user"; } |
However, because the grep()
block removes /bin/sh
from any input line that contains it, it modifies the @users
list so that no user has /bin/sh
!
Compliant Solution (grep()
)
This compliant solution does the same thing but does not modify the the @users
array array.
Code Block | ||||
---|---|---|---|---|
| ||||
open( PASSWD, "<", "/etc/passwd"); or croak "error opening /etc/passwd: stopped" my @users = <PASSWD>; my @shell_users = grep +(m|/bin/sh|), @users; foreach my $user (@shell_users) { $user =~= s|/bin/sh||; print "Shell User: $user"; } |
...
Compliant Solution (apply()
)
This compliant solution does the same thing but uses List::MoreUtils::apply()
, which guarantees not to modify its input list.
Code Block | ||||
---|---|---|---|---|
| ||||
open( PASSWD, "<", "/etc/passwd") or croak "error opening /etc/passwd: stopped"
my @users = <PASSWD>;
my @shell_users = List::MoreUtils::apply { s|/bin/sh|| } @users;
foreach my $user (@shell_users) {
print "Shell User: $user";
}
|
Risk Assessment
Failure to handle error codes or other values returned by functions can lead to incorrect program flow and violations of data integrity.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP34-PL | medium Medium | likely Likely | low Low | P6 P18 | L2 L1 |
Automated Detection
Tool | Diagnostic |
---|---|
Perl::Critic | ControlStructures::ProhibitMutatingListFunctions |
Bibliography
...
...
[Conway 2005] | "List Processing Side Effects," p. 114 |
---|---|
[CPAN] | Bar, Graham. List::Utils |
[CPAN] | Kennedy, Adam. List::MoreUtils |
[Wall 2011] | perlfunc |
...
05|AA. Bibliography#Conway 05]\] pg. 114, "List Processing Side Effects" \[[Wall 2011|AA. Bibliography#Manpages]\] [perlfunc|http://perldoc.perl.org/perlfunc.html] \[[CPAN|AA. Bibliography#CPAN]\] Bar, Graham. [List::Utils|http://search.cpan.org/~gbarr/Scalar-List-Utils-1.23/lib/List/Util.pm] \[[CPAN|AA. Bibliography#CPAN]\] Kennedy, Adam [List::MoreUtils|http://search.cpan.org/~adamk/List-MoreUtils-0.33/lib/List/MoreUtils.pm]EXP11-C. Do not apply operators expecting one type to data of an incompatible type 03. Expressions (EXP) EXP13-C. Treat relational and equality operators as if they were nonassociative