htrgouvea / zarn

A lightweight static security analysis tool for modern Perl Apps
https://heitorgouvea.me/2023/03/19/static-security-analysis-tool-perl

Add Ability to Detect RCE Attacks Via Backticks #36

Open cp1992 opened 9 months ago

cp1992 commented 9 months ago

Problem: Currently the default ruleset includes many of the common keywords/commands that can be used to trigger an RCE attack, e.g. system, eval, exec, and qx. However, it does not provide a solution for executing a system command using the backtick syntax, e.g.

```perl
my $cmd = "ls -a $folder"; # assume $folder is a dynamic/user-provided value; if unchecked, could result in an RCE attack
my @results = `$cmd`;      # backticks run the interpolated string as a shell command
```

Is there a way to write a rule or add functionality to allow for zarn to identify and flag this kind of code?
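A sketch of the kind of check this issue asks for, written here in Python as an added example (it is not code from zarn or from either commenter): it flags backtick and qx command strings that interpolate a variable, and follows the `$cmd` indirection in the snippet above by marking scalars that were assigned from an interpolating double-quoted string. The Perl source it scans is constructed for the example.

```python
import re

# Constructed sample Perl source (not taken from the issue or from zarn); it mirrors
# the reported pattern: a command string built from user input, run via backticks.
SAMPLE = r'''
my $folder = $ARGV[0];
my $cmd = "ls -a $folder";
my @results = `$cmd`;
my @safe = `uptime`;
my $out = qx{cat $file};
my $literal = 'echo $HOME';   # single quotes: no interpolation, no execution
'''

# `my $name = "..."` with a double-quoted (interpolating) right-hand side
ASSIGN_RE = re.compile(r'my\s+\$(\w+)\s*=\s*"([^"]*)"')
# a backtick string, or qx with one of the common delimiters
EXEC_RE = re.compile(r'`([^`]*)`|qx\s*([{(\[/|])([^}\])/|]*)[}\])/|]')
# scalar or array interpolation inside a command string
VAR_RE = re.compile(r'[$@]\{?(\w+)\}?')


def interpolated_vars(text):
    """Names of variables that Perl would interpolate into this string."""
    return set(VAR_RE.findall(text))


def scan(source):
    """Return (line_no, snippet, reason) for each backtick/qx execution whose command
    interpolates a variable; note when that variable was itself built by interpolation."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split('#', 1)[0]          # crude comment stripping
        for name, body in ASSIGN_RE.findall(code):
            if interpolated_vars(body):
                tainted.add(name)
        for m in EXEC_RE.finditer(code):
            body = m.group(1) if m.group(1) is not None else m.group(3)
            names = interpolated_vars(body)
            if not names:
                continue                      # constant command: not flagged
            reason = "interpolates " + ", ".join(sorted(names))
            if names & tainted:
                reason += " (tainted: built by string interpolation)"
            findings.append((lineno, m.group(0), reason))
    return findings


if __name__ == "__main__":
    for lineno, snippet, reason in scan(SAMPLE):
        print(f"line {lineno}: {snippet}  -- {reason}")
```

The regexes are line-based heuristics, so multi-line strings, heredocs and nested delimiters are out of scope; they show the shape of a rule, not a complete Perl parser.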

htrgouvea commented 9 months ago

Hi @cp1992! This is a great question!

At the moment, ZARN looks just for "risky functions" and then checks if some payload can be used to perform an attack. So, in the current structure we cannot create any rules for this use case of backticks =/ (I'm trying to put more functionality into ZARN and will consider this use case.)

I don't know much about Perl::Critic but it also has some security checks, is it covered for this case?

cp1992 commented 9 months ago

@htrgouvea Perl::Critic was not able to flag this issue either; in fact, it misses many of the issues your tool identifies. If this is something that could be considered for addition, that would be awesome! Your tool is very useful and your efforts much appreciated.

htrgouvea commented 9 months ago

Thank you @cp1992! Any other suggestions you have, feel free to open more issues or pull requests. Features or ideas for new rules are always welcome.