File Coverage

blib/lib/Env/Sanctify/Auto.pm

Criterion	Covered	Total	%
statement	24	24	100.0
branch	8	8	100.0
condition	3	3	100.0
subroutine	6	6	100.0
pod	1	1	100.0
total	42	42	100.0

line	stmt	bran	cond	sub	pod	time	code
1							# Env::Sanctify::Auto
2							# Automatically cleans up your environment to prevent security issues.
3							#
4							# $Id: Auto.pm 8622 2009-08-18 04:46:41Z FREQUENCY@cpan.org $
5
6							package Env::Sanctify::Auto;
7
8	4			4		123622	use strict;
	4					11
	4					148
9	4			4		26	use warnings;
	4					9
	4					114
10	4			4		24	use Carp ();
	4					8
	4					105
11
12	4			4		26	use base 'Env::Sanctify';
	4					9
	4					3668
13
14							=head1 NAME
15
16							Env::Sanctify::Auto - Perl module that cleans up %ENV
17
18							=head1 VERSION
19
20							Version 1.001 ($Id: Auto.pm 8622 2009-08-18 04:46:41Z FREQUENCY@cpan.org $)
21
22							=cut
23
24							our $VERSION = '1.001';
25							$VERSION = eval $VERSION;
26
27							=head1 DESCRIPTION
28
29							Environment variables such as B (command search path) and B (input
30							field separator) can have severe security ramifications. Luckily, enabling
31							Perl's taint mode will provide some extra checking whenever there can be
32							potentially unsafe calls to functions like B or B.
33
34							However, there has been no simple way to load a module which automatically
35							cleans up your environment. Various methods are used to temporarily clean up
36							the environment for you or forked children, such as:
37
38							local $ENV{PATH} = '/usr/bin:/usr/local/bin';
39
40							While this works for most purposes, it has some potential issues such as what
41							to do when the paths are different under different architectures. Obviously
42							such a command is not portable to environments with different path conventions
43							so this would break your program's compatibility with Win32, among others.
44
45							This simple module subclasses B to take care of this for you.
46							Among other things, this means you get the nice bonus of lexically scoped
47							environments (see L for details).
48
49							=head1 SYNOPSIS
50
51							my $env = Env::Sanctify::Auto->new();
52							# do some stuff, fork some processes, etc.
53							$env->restore; # everything is back to normal.
54
55							=head1 COMPATIBILITY
56
57							This module was tested under Perl 5.10.0, using Debian Linux. However, because
58							it's Pure Perl and doesn't do anything too obscure, it should be compatible
59							with any version of Perl that supports its prerequisite modules.
60
61							It is untested on Win32 and unlikely to work for the time being.
62
63							If you encounter any problems on a different version or architecture, please
64							contact the maintainer.
65
66							=head1 ENVIRONMENT VARIABLES
67
68							This module knows about the following environment variables:
69
70							=head2 PATH
71
72							B provides a list of paths to search for executables, which influences
73							which commands are invoked by unqualified calls to system() and others. This
74							variable is particularly dangerous because even if you use a fully qualified
75							call to the executable, like "/usr/bin/echo ..." -- there is still a security
76							hole, since B could be executing unqualified code itself.
77
78							The safest way to handle this, and the strategy used by this module, is to
79							remove everything except C and C (or equivalent,
80							depending on your operating system).
81
82							=head2 CDPATH
83
84							B provides additional paths for B to search on the system when it
85							is called. This is dangerous because you could be attempting to change into
86							a known safe directory, but the CDPATH may divert you to another directory.
87							The variable is generally of limited usefulness, and so is removed completely
88							during C<%ENV> scrubbing.
89
90							=head2 IFS
91
92							B is the Internal Field Separator, which tells the operating system
93							what characters should be considered whitespace separating command line
94							arguments. Combined with controlling B, this exposes a very dangerous
95							vulnerability: if the IFS is set to '/', then C is
96							essentially the same as C. As a result, the 'bin' command
97							is executed instead of '/bin/more' as expected.
98
99							=head2 ENV and BASH_ENV
100
101							B and B list files that are executed whenever a new shell is
102							started, which includes whenever a shell script (.sh) is run.
103
104							=head1 METHODS
105
106							=head2 Env::Sanctify::Auto->new($opts)
107
108							=head2 Env::Sanctify::Auto->sanctify($opts)
109
110							Creates a new C object, scrubbing the environment to
111							remove or pacify potentially dangerous variables. Options may be passed as
112							a hash reference to the constructor.
113
114							Code example:
115
116							my $env = Env::Sanctify::Auto->new;
117
118							By default, PATH will be set to a sane value, but you can override the
119							behaviour by passing the 'path' option:
120
121							my $env = Env::Sanctify::Auto->new({
122							path => '/usr/local/bin:/usr/bin'
123							});
124
125							=cut
126
127							sub new {
128	7			7	1	4456	my ($class, $opts) = @_;
129
130	7	100				260	Carp::croak('You must call this as a class method') if ref($class);
131
132	6	100	100			182	Carp::croak('Options must be given as a hash reference')
133							if (defined $opts && ref($opts) ne 'HASH');
134
135	5					10	my $path;
136	5	100				23	if ($opts->{path}) {
137	1					3	$path = $opts->{path};
138							}
139							else {
140	4					13	$path = _secure_path();
141							}
142
143							# Construct the Env::Sanctify (superclass) base
144	5					51	my $self = Env::Sanctify->sanctify(
145							env => {
146							PATH => $path,
147							},
148							sanctify => [
149							'CDPATH', # cd search path
150							'IFS', # Internal field separator
151							'ENV',
152							'BASH_ENV',
153							]
154							);
155
156							# Re-bless this into our package
157	5					1401	return bless($self, $class);
158							}
159							sanctify = new;
160
161							# Private utility functions
162							sub _secure_path {
163							# Return a PATH specific to the platform we're running on
164	4	100		4		24	if ($^O eq 'MSWin32') {
165	1					4	return '%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem';
166							}
167
168							# Assume everything else is Unix-like
169	3					12	return '/usr/bin:/usr/bin/local';
170							}
171
172							=head1 AUTHOR
173
174							Jonathan Yu Efrequency@cpan.orgE
175
176							=head2 CONTRIBUTORS
177
178							Your name here ;-)
179
180							=head1 ACKNOWLEDGEMENTS
181
182							=over
183
184							=item * Thanks to Chris "BinGOs" Williams for
185							making L, a pretty neat module that inspired this one.
186
187							=back
188
189							=head1 SUPPORT
190
191							You can find documentation for this module with the perldoc command.
192
193							perldoc Env::Sanctify::Auto
194
195							You can also look for information at:
196
197							=over
198
199							=item * AnnoCPAN: Annotated CPAN documentation
200
201							L
202
203							=item * CPAN Ratings
204
205							L
206
207							=item * Search CPAN
208
209							L
210
211							=item * CPAN Request Tracker
212
213							L
214
215							=item * CPAN Testing Service (Kwalitee Tests)
216
217							L
218
219							=back
220
221							=head1 REPOSITORY
222
223							You can access the most recent development version of this module at:
224
225							L
226
227							If you are a CPAN developer and would like to make modifications to the
228							code base, please contact Adam Kennedy Eadamk@cpan.orgE, the
229							repository administrator. I only ask that you contact me first to discuss
230							the changes you wish to make to the distribution.
231
232							=head1 FEEDBACK
233
234							Please send relevant comments, rotten tomatoes and suggestions directly to
235							the maintainer noted above.
236
237							If you have a bug report or feature request, please file them on the CPAN
238							Request Tracker at L. If you are able to submit your
239							bug report in the form of failing unit tests, you are B encouraged
240							to do so.
241
242							=head1 SEE ALSO
243
244							L, the module upon which this one is based.
245
246							L, a Perl Monks thread discussing
247							why IFS, CDPATH, ENV and BASH_ENV are considered dangerous
248
249							L, a document explaining security considerations for Perl programs.
250
251							=head1 CAVEATS
252
253							=head2 KNOWN BUGS
254
255							There are no known bugs as of this release.
256
257							=head2 LIMITATIONS
258
259							=over
260
261							=item *
262
263							There are lots of variables that can do dangerous things, particularly when
264							executing files via C or others. This module tries to fix the most
265							common ones, but is by no means a complete way to sanctify your namespace,
266							and is not a substitute for performing your own security audit.
267
268							=item *
269
270							I'm not a security expert, so more than likely I've missed something.
271							Please do file bug reports so that I can fix the module.
272
273							=item *
274
275							I don't have access to a VMS machine, nor do I know how they work, so there
276							is currently nothing here to deal with that. If you have a OpenVMS machine
277							or know how they work, feel free to send me an e-mail or patch.
278
279							=back
280
281							=head1 QUALITY ASSURANCE METRICS
282
283							=head2 TEST COVERAGE
284
285							------------------------- ------ ------ ------ ------ ------ ------
286							File stmt bran cond sub pod total
287							------------------------- ------ ------ ------ ------ ------ ------
288							Env/Sanctify/Auto.pm 100.0 100.0 100.0 100.0 100.0 100.0
289
290							=head1 LICENSE
291
292							Copyright (C) 2009 by Jonathan Yu
293
294							This package is distributed under the same terms as Perl itself. Please
295							see the LICENSE file included in this distribution for full details of
296							these terms.
297
298							=head1 DISCLAIMER OF WARRANTY
299
300							This software is provided by the copyright holders and contributors "AS IS"
301							and ANY EXPRESS OR IMPLIED WARRANTIES, including, but not limited to, the
302							IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
303							ARE DISCLAIMED.
304
305							In no event shall the copyright owner or contributors be liable for any
306							direct, indirect, incidental, special, exemplary or consequential damages
307							(including, but not limited to, procurement of substitute goods or services;
308							loss of use, data or profits; or business interruption) however caused and
309							on any theory of liability, whether in contract, strict liability or tort
310							(including negligence or otherwise) arising in any way out of the use of
311							this software, even if advised of the possibility of such damage.
312
313							=cut
314
315							1;