8

I wrote my own little Perl debugger that prints for each executed line, the current file name and the corresponding line number. How can I detect if the current Perl statement contains tainted data?

I know there is a function "tainted" from the module Scalar::Util. However, it only accepts a variable name as parameter, not a Perl statement.

I have attached Taint to a lexical variable to trace it. If I am able to see if a statement is tainted or not, I can only print those lines that contain my tainted variable. Here is my custom taint script:

Taint.pl

use strict; 
use warnings; 

use Taint::Runtime qw(taint_start taint); 
taint_start(); 

my $data = taint("abc");      # interesting
my $noise = "noise";          # not interesting
my $evil = $data . " evil";   # interesting

Debugger.pl

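# Called by perl before each statement when the program runs under -d.
sub DB::DB {
    my ($package, $filename, $line) = caller;

    print $filename . ":" . $line . " ";
    scalar <STDIN>;    # wait for Enter before continuing to the next statement
}

1;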
Silence
  • 156
  • 4
  • 2
    Catch exception with eval()? – mpapec Jan 10 '16 at 13:50
  • I have found this code which uses eval to catch the exception, but I don't know how to pass a Perl statement to it. local $@; return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; – Silence Jan 10 '16 at 13:55
  • What exactly do you want to test, and why you can't use a variable at it? – mpapec Jan 10 '16 at 14:06
  • My main goal is to step through a program and only display Perl statements that contain tainted data. – Silence Jan 10 '16 at 14:09
  • I have attached Taint to a lexical variable to trace it. If I am able to see if a statement is tainted or not, I can only print those lines that contain my tainted variable. Here is my custom Taint script: use strict; use warnings; use Taint::Runtime qw(taint_start taint); taint_start(); my $data = taint("abc"); --> interesting my $noise = "noise"; --> not interesting my $evil = $data . " evil"; --> interesting – Silence Jan 10 '16 at 15:30
  • 3
    You should add that information to your question. Use the [edit] link to do that. – simbabque Jan 10 '16 at 16:35
  • I agree, I have updated my question with my custom taint script now. – Silence Jan 10 '16 at 16:40

1 Answer

1

As described in the POD Documentation for Taint::Runtime there is a sub called is_tainted that will return true if you pass it a tainted value and false otherwise.

You'll want to change your relevant use line to import that function:

use Taint::Runtime qw(taint_start taint is_tainted);

In your example Taint.pl script, once this is done, is_tainted($data) would evaluate to true, is_tainted($noise) would be false, and is_tainted($evil) would be true.

If you have a more complex expression to check for taintedness, simply evaluate it into a scalar and if any inputs to that evaluation were tainted, the expression and thus the scalar will also be considered tainted. Checking if that scalar is tainted is equivalent to checking the expression. If the expression produces a list value, something like join will fit it into a scalar well enough to detect taint.

codehearted
  • 174
  • 1
  • 9
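
The approach from the answer above, written out as an added example (not code from the question or the answer): an expression's result is folded into one scalar and passed to is_tainted. It assumes Taint::Runtime is installed; `any_tainted` is a hypothetical helper name, and all sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Taint::Runtime qw(taint_start taint is_tainted);
taint_start();    # enable taint mode at run time, as Taint.pl does

# any_tainted() is a hypothetical helper, not part of Taint::Runtime.
# It receives the value(s) an expression produced and joins them into
# a single scalar; taint on any element carries over to that scalar.
sub any_tainted {
    my @values = map { defined $_ ? $_ : '' } @_;   # undef would warn in join
    return is_tainted(join '', @values) ? 1 : 0;
}

# Constructed sample data, following Taint.pl from the question.
my $data  = taint("abc");
my $noise = "noise";
my $evil  = $data . " evil";       # scalar expression built from tainted input
my @list  = ($noise, uc $data);    # list value with one tainted element

# Caveat from perlsec: hash keys are never tainted, so a value that has
# only passed through a hash key is no longer seen by this check.
my %seen = ($data => 1);

my @report = (
    [ '$data',      any_tainted($data) ],
    [ '$noise',     any_tainted($noise) ],
    [ '$evil',      any_tainted($evil) ],
    [ '@list',      any_tainted(@list) ],
    [ 'keys %seen', any_tainted(keys %seen) ],
);

printf "%-12s %s\n", $_->[0], ($_->[1] ? 'tainted' : 'clean') for @report;
```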