Overview
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/c004.html
It was introduced in IPA's secure programming course, so I tried it out.
https://security.web.cern.ch/security/recommendations/en/codetools/rats.shtml
As described at the URL above, for Perl it appears to detect calls to dangerous built-in functions.
If "detecting dangerous built-in functions" is all it does, Perl::Critic seems sufficient, but anyway, here is how it went.
Install
The XML parser expat is required separately.
$ wget https://rough-auditing-tool-for-security.googlecode.com/files/rats-2.4.tgz
$ tar xzf rats-2.4.tgz
$ cd rats-2.4
$ ./configure
$ make
$ make check
$ su
# make install
Run
$ cd /path/to/perl/proj/lib
$ rats --html . > ~/tmp/rats.html
Running it as above produces HTML output like the following.
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
:
Severity: High
Issue: connect
The second argument specifiying the packed address to bind to, should not be derived from user input. If the address is derived from user input, it is possible for a malicious user to cause the socket to connect to an arbitrary remote address, enabling hijacking of potentially sensitive network data.
File: ./Xing/Model/AS400.pm
Lines: 134
File: ./Xing/DBI.pm
Lines: 14 31
Severity: Medium
Issue: open
The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking/relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed.
File: ./Xing/Template.pm
Lines: 58 684
File: ./Xing/Print/Juchuu.pm
:
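To make the "Severity: Medium / Issue: open" finding concrete, here is an added example in Perl (not code from the original post, from the scanned project, or from RATS). It puts the two-argument open that RATS flags beside a hardened version that validates the untrusted component and uses three-argument open. The directory $BASE_DIR, the sub names and the sample file names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from RATS.
# The "Severity: Medium / Issue: open" finding in plain Perl: the two-argument
# open that RATS flags, beside a hardened version. $BASE_DIR and the report
# names are constructed for illustration.
use strict;
use warnings;
use File::Spec;

my $BASE_DIR = '/var/app/reports';    # assumed directory of permitted files

# Validate an untrusted file-name component before it reaches open().
# Accepts a plain basename only; the whitelist already excludes "/", NUL bytes
# and a trailing "|", and the explicit ".." check mirrors the RATS advice.
sub is_safe_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;  # whitelist
    return 0 if $name =~ /\.\./;                                     # no path backtracking
    return 1;
}

# Vulnerable form (what RATS reports): two-argument open. Perl parses the mode
# out of the string, so a name ending in "|" is executed as a command and
# "../" components walk out of $BASE_DIR.
sub read_report_unsafe {
    my ($name) = @_;
    open(my $fh, "$BASE_DIR/$name") or return undef;   # flagged by RATS
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Hardened form: validate first, then three-argument open with an explicit
# '<' mode, so the string is only ever a path and never a mode or a pipe.
sub read_report_safe {
    my ($name) = @_;
    return undef unless is_safe_name($name);
    my $path = File::Spec->catfile($BASE_DIR, $name);
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Show which constructed inputs the validator lets through (no disk access).
for my $candidate ('monthly.txt', '../../etc/passwd', 'report.txt|', "a\0b") {
    (my $shown = $candidate) =~ s/\0/\\0/g;
    printf "%-20s %s\n", $shown, is_safe_name($candidate) ? 'accepted' : 'rejected';
}
```

Run it with perl to see that only monthly.txt is accepted; the other three names are exactly the cases the RATS message describes (relative path components, a NUL byte, and a trailing "|"). RATS only matches the function name, so it will still flag read_report_safe as well; the report is a list of places to review, not a list of confirmed bugs.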