Code Evaluation (Perl)
Description
This vulnerability allows attackers to inject and execute arbitrary Perl code on the server. It occurs when user-controlled input is passed, directly or indirectly, to the string form of Perl's eval() (eval EXPR, as opposed to the eval BLOCK form) without proper validation or sanitization. String eval() compiles and runs its argument as Perl code, so any unsanitized user input that reaches it is a potential vector for remote code execution.
Remediation
Eliminate the use of eval() on user-controlled input. If dynamic code execution is absolutely necessary, implement the following controls:
1. Use Safe Alternatives: Replace eval() with constructs that don't execute arbitrary code. For example, use a dispatch table (hash lookup of predefined subroutines) or switch-style branching to select behaviour from a user-supplied name.
2. Input Validation: If eval() cannot be avoided, implement strict allowlisting of permitted values. The user value is used only as a hash key and is never interpreted as code:

use strict;
use warnings;

# $user_input, $x and $y hold already-validated request parameters
my %allowed_operations = (
    'add'      => sub { $_[0] + $_[1] },
    'subtract' => sub { $_[0] - $_[1] },
);
my $result;
if (exists $allowed_operations{$user_input}) {
    $result = $allowed_operations{$user_input}->($x, $y);
}

3. Use Taint Mode: Run Perl scripts with the -T flag to enable taint checking, which makes Perl refuse to use data derived from outside the program (request parameters, environment, file contents) in dangerous operations until it has been explicitly untainted through a regular expression capture, helping identify unsafe data flows.

4. Sanitization (Last Resort): If dynamic evaluation is unavoidable, use the Safe module to create a restricted compartment with a limited opcode set and no access to dangerous functions such as system(), open() or backticks, and evaluate the input with the compartment's reval() method rather than a bare eval().
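The following added example (not code from the original page) puts remediation items 2 through 4 side by side: the unsafe string-eval pattern, a dispatch-table replacement with operand validation that also untaints under -T, and a Safe compartment for the last-resort case. The subroutine names calc_unsafe, calc_dispatch and calc_safe_compartment are hypothetical; run it as perl -T example.pl to exercise taint mode.

```perl
use strict;
use warnings;
use Safe;

# UNSAFE (the pattern this page describes): the operation name is
# interpolated into a string handed to eval, so whatever the user supplied
# is compiled and executed as Perl. Kept only as the "before" form.
sub calc_unsafe {
    my ($op, $x, $y) = @_;
    return eval "$op($x, $y)";
}

# SAFE: a dispatch table. The user value is only ever a hash key and
# selects a subroutine that already exists; it is never treated as code.
my %OPS = (
    add      => sub { $_[0] + $_[1] },
    subtract => sub { $_[0] - $_[1] },
);

sub calc_dispatch {
    my ($op, $x, $y) = @_;
    # Allowlist the operands: optional sign and digits only. The capture
    # is what untaints the value when the script runs under -T.
    for ($x, $y) {
        die "bad operand\n" unless /^(-?\d+)\z/;
        $_ = $1;
    }
    die "unknown operation '$op'\n" unless exists $OPS{$op};
    return $OPS{$op}->($x, $y);
}

# LAST RESORT: evaluate an arithmetic expression inside a Safe compartment
# limited to the :base_core opcode set, which contains no file, process or
# network operations. The expression is also allowlisted to digits,
# whitespace, arithmetic operators and parentheses before it is passed in.
sub calc_safe_compartment {
    my ($expr) = @_;
    die "bad expression\n" unless $expr =~ m{^([\d\s+\-*/()]+)\z};
    my $cpt = Safe->new;
    $cpt->permit_only(':base_core');
    my $r = $cpt->reval($1);
    die "evaluation failed: $@" if $@;
    return $r;
}

print calc_dispatch('add', '2', '3'), "\n";          # 5
print calc_safe_compartment('(2 + 3) * 4'), "\n";    # 20
eval { calc_dispatch('print', 1, 2) };              # rejected by allowlist
print "rejected: $@";
```

Under -T, calc_unsafe dies with "Insecure dependency in eval" as soon as a tainted value reaches it, which is the taint-mode detection point item 3 refers to.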