Denying Opcode `:filesys_open` Doesn't Prevent "|-" and "-|" Pipes

[DabeDotCom]

Module: ops / Opcode / Safe

Description

I'm sure this has to be a known deficiency, but I was trying to figure out if I could allow an app to accept untrusted data but not do TOO much damage, when I was surprised/disappointed to discover that perl -Mops=":default,open" still allowed me to open my $FH, "|-" => "shell command" — even though :subprocess was still denied!

(Most users, myself included, don't immediately grasp the distinction between parse/compile-time opcodes and underlying system calls (man 2) and C library functions (man 3); heck, very few people even understand / care about the distinction between man 2 and man 3, haha!)

Anyway, I'm guessing that, if there were an easy fix, not only would "|-" and "-|" be treated differently, but so would > and >>, etc. (By which I mean, it can permit/deny the open keyword wholesale, but not, for example, permit individual "open for reading" operations and deny "open for writing" requests — short of defining open_r, open_w, and open_x-type opcodes, which may or may not be known at compile time, and so on.)

Probably my best suggestion, therefore, would be to add a warning to the :filesys_open or :filesys_write sections of perldoc Opcode, making sure people realize that just because you deny :filesys_write doesn't mean you're actually preventing all write-access to the filesystem... «shrug» I'd be happy to write a PR with such a paragraph, if you want.

Steps to Reproduce

As expected, calling open() with only -Mops=:default dies correctly: (The crazy redirection and whatnot is so I can limit the reduce the list of permitted ops to a bare minimum)

prompt% perl -Mops=:default<( echo 'open my $TOUCH, "-|", "touch", "/tmp/touched" or die' ) && ls -l /tmp/touched
'open' trapped by operation mask at /dev/fd/63 line 1.

Whereas adding open makes it execute the touch command:

prompt% perl -Mops=:default,open <( echo 'open my $TOUCH, "-|", "touch", "/tmp/touched" or die' ) && ls -l /tmp/touched
-rw-r--r--  1 root root  0 Jun 23 15:13 /tmp/touched

Even in docker run perl:latest:

prompt% docker run --rm -it perl:latest bash -c 'perl -Mops=:default,open <( echo '\''open my $TOUCH, "-|", "touch /tmp/touched" or die'\'' ) && ls -l /tmp/touched'
-rw-r--r--  1 root root  0 Jun 23 15:13 /tmp/touched

This is somewhat unexpected, since system() also dies "correctly":

prompt% perl -Mops=:default,open <( echo 'system "touch", "/tmp/touched" or die' ) && ls -l /tmp/touched
'system' trapped by operation mask at /dev/fd/63 line 1.

Expected behavior

"Expected" might be a strong word... I was hoping it would be clever enough to block the system() (and/or pipe() / fork() / execve() etc.) calls as well.

Like I say, the end result of this whole exercise may just be adding a warning to the documentation... «shrug»

Perl configuration

This is straight out of docker run --rm perl:latest perl -V (perl:5.36.1)

Summary of my perl5 (revision 5 version 36 subversion 1) configuration:

  Platform:
    osname=linux
    osvers=5.10.0-13-cloud-amd64
    archname=x86_64-linux-gnu
    uname='linux be2b2990190c 5.10.0-13-cloud-amd64 #1 smp debian 5.10.106-1 (2022-03-17) x86_64 gnulinux '
    config_args='-Darchname=x86_64-linux-gnu -Duse64bitall -Duseshrplib -Dvendorprefix=/usr/local -des'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='cc'
    ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2'
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='10.2.1 20210110'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.31.so
    so=so
    useshrplib=true
    libperl=libperl.so
    gnulibc_version='2.31'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.36.1/x86_64-linux-gnu/CORE'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl): 
  Compile-time options:
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Jun 13 2023 07:38:56
  @INC:
    /usr/local/lib/perl5/site_perl/5.36.1/x86_64-linux-gnu
    /usr/local/lib/perl5/site_perl/5.36.1
    /usr/local/lib/perl5/vendor_perl/5.36.1/x86_64-linux-gnu
    /usr/local/lib/perl5/vendor_perl/5.36.1
    /usr/local/lib/perl5/5.36.1/x86_64-linux-gnu
    /usr/local/lib/perl5/5.36.1

Cheers! :-D

[tonycoz]

A pull request would be welcomed.

I don't think the control over read vs write vs subprocess is something that's going to be resolved anytime soon, and if it is, it wouldn't be via Opcode, since this is a problem that occurs after the op is dispatched.

It might be possible to solve this via the PERL_IMPLICIT_SYS mechanism, but that's effectively a Windows only thing.