end0tknr's kipple - new web code-transcription development

Moved here from http://d.hatena.ne.jp/end0tknr/

Static source-code vulnerability scanner - RATS (Rough Auditing Tool for Security)

Overview

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/c004.html
It was introduced in IPA's Secure Programming Course, so I tried it out.

https://security.web.cern.ch/security/recommendations/en/codetools/rats.shtml
As the page above describes, for Perl it appears to detect calls to dangerous built-in functions.

If all it does is detect dangerous built-in functions, Perl::Critic would probably be enough, but for what it's worth, here is how it went.


Install

The XML parser expat must be installed separately.

$ wget https://rough-auditing-tool-for-security.googlecode.com/files/rats-2.4.tgz
$ tar xzf rats-2.4.tgz
$ cd rats-2.4        # directory name assumed from the tarball name
$ ./configure
$ make
$ make check
$ su
# make install

Run

$ cd /path/to/perl/proj/lib
$ rats --html . > ~/tmp/rats.html

Running it as above generates HTML like the following:

Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
   :
Severity: High
Issue: connect
The second argument specifiying the packed address to bind to, should not be derived from user input. If the address is derived from user input, it is possible for a malicious user to cause the socket to connect to an arbitrary remote address, enabling hijacking of potentially sensitive network data. 
File: ./Xing/Model/AS400.pm
Lines: 134
File: ./Xing/DBI.pm
Lines: 14 31
Severity: Medium
Issue: open
The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking/relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed. 
File: ./Xing/Template.pm
Lines: 58 684
File: ./Xing/Print/Juchuu.pm
  :
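To make the "Issue: open" finding above concrete, here is an added example (my own illustration, not code from the original post, from the scanned project, or from RATS): the two-argument open pattern the tool reports, next to a hardened form that validates the user-supplied component and uses the three-argument open. The directory /var/app/data and the function names are assumptions.

```perl
#!/usr/bin/env perl
# Added example: the kind of `open` RATS flags, beside a hardened form.
use strict;
use warnings;
use File::Spec;

my $BASE = '/var/app/data';   # assumed data directory

# The pattern behind the "Issue: open" finding: a two-argument open whose
# filename is built from user input. Two-arg open treats a trailing "|"
# as a pipe to a command, and "../" or a NUL byte can change which file
# is actually opened.
sub unsafe_read {
    my ($user_name) = @_;
    open(my $fh, "$BASE/$user_name")     # reported by RATS
        or die "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened form, step 1: validate the user-supplied component and map it
# to a path under $BASE. Each check corresponds to a risk named in the
# RATS message (NUL bytes, relative path components, trailing "|").
sub resolve_name {
    my ($user_name) = @_;
    die "missing filename\n"           unless defined $user_name && length $user_name;
    die "NUL byte in filename\n"       if $user_name =~ /\0/;
    die "path separator in filename\n" if $user_name =~ m{[/\\]};
    die "relative path component\n"    if $user_name eq '.' || $user_name eq '..';
    die "unexpected characters\n"      unless $user_name =~ /\A[A-Za-z0-9._-]+\z/;
    return File::Spec->catfile($BASE, $user_name);
}

# Hardened form, step 2: three-argument open with an explicit "<" mode,
# so the filename is never interpreted as a pipe or a mode prefix.
sub safe_read {
    my $path = resolve_name(shift);
    open(my $fh, '<', $path) or die "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs: one valid name and the three cases the finding warns about.
for my $name ('report.txt', '../secret.txt', "a\0b", 'cmd|') {
    my $path = eval { resolve_name($name) };
    printf "%-16s %s", $name =~ s/\0/\\0/r, defined $path ? "ok -> $path\n" : "rejected: $@";
}
```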