| 148 | |
| 149 | === Tainted mode warnings (Insecure dependency...) === |
| 150 | |
| 151 | These messages indicate that you have clearly insecure hooks running, and that a fix is needed. AII runs in "tainted" mode, meaning that all input must be sanitized. On user hooks you'll usually find warnings when attempting to open a file that is given on the profile or when running a command, for instance: |
| 152 | |
| 153 | {{{ |
| 154 | my $filename = $config->getElement (SOME_PATH)->getValue (); |
| 155 | open (FH, ">$filename"); |
| 156 | }}} |
| 157 | |
| 158 | will issue a warning, meaning that $filename must be sanitized. This a sanitized version: |
| 159 | |
| 160 | {{{ |
| 161 | my $filename = $config->getElement (SOME_PATH)->getValue (); |
| 162 | if ($filename =~ m{^(/.+)$}) { |
| 163 | $filename = $1; |
| 164 | } else { |
| 165 | throw_error ("Expected an absolute path on $filename"); |
| 166 | return (); |
| 167 | } |
| 168 | open (FH, ">$filename"); |
| 169 | }}} |
| 170 | |
| 171 | Note that the above example assumes you expect an absolute path. If you expected something different (f.i, a path under /osinstall/ks), fix your regular expression accordingly. |
| 172 | |
| 173 | The same applies when you run commands: |
| 174 | |
| 175 | {{{ |
| 176 | my $param = $config->getElement (SOME_OTHER_PATH)->getValue (); |
| 177 | # $param is tainted!!! |
| 178 | system ("ls", "$param"); |
| 179 | }}} |
| 180 | |
| 181 | will fail, so you'll have to specify what you are expecting exactly: |
| 182 | |
| 183 | {{{ |
| 184 | my $param = $config->getElement (SOME_OTHER_PATH)->getValue (); |
| 185 | # I expected just a bunch of flags!! |
| 186 | if ($param =~ m{^(-[-=\w]+)$}) { |
| 187 | $param = $1; |
| 188 | } else { |
| 189 | throw_error ("Unexpected flags passed to the command"); |
| 190 | return (); |
| 191 | } |
| 192 | system ("ls", $param); |
| 193 | }}} |
| 194 | |
| 195 | When you get a warning, it will point out the line where the insecure data is used, but please fix it on the place where such insecure data is received. It will reduce a lot your code and efforts. |
| 196 | |
| 197 | You'll find more information on the tainted mode on {{{perlsec}}} man page. |