dense-analysis / ale

Check syntax in Vim/Neovim asynchronously and fix files, with Language Server Protocol (LSP) support

Don't execute code for the perl linter

trinitum opened this issue · comments

In some cases a syntax check may result in executing the code, which might be a problem if somebody opens a file from an untrusted source; here's an example with Perl:

$ echo test > /tmp/foobar.txt
$ ls /tmp/foobar.txt
/tmp/foobar.txt
$ echo "BEGIN { unlink '/tmp/foobar.txt' }" > unlink.pl
$ vim unlink.pl # just open the file and exit
$ ls /tmp/foobar.txt
ls: cannot access /tmp/foobar.txt: No such file or directory

Wouldn't it make sense to keep all the checkers disabled by default and make users explicitly enable those that they need?

commented

For which linter? Linters typically shouldn't execute much code by default, and those that do should be disabled by default.

commented

All linters will remain enabled by default, except for those which might actually cause problems.

It's perl -c; it executes BEGIN blocks.

commented

Okay, I updated the issue.

commented

Now -w is the default for perl instead of -c. The documentation explains the security problems and tells you how to change the option if you want to. That will be the default now and forever because it's safer.

I'm sorry, but that's completely wrong. -w is essentially the same as -Mwarnings; it enables warnings, so perl -w file.pl will execute the whole script, not just the BEGIN and CHECK blocks as perl -c does. The previous implementation was correct: perl -c is what you run if you want to check the syntax of a Perl script, but by design it executes BEGIN and CHECK blocks; there's simply no way to check the syntax of a Perl script without executing them. And that's fine when you are using it to check the syntax of your own scripts, but if a script comes from an untrusted source it might be a problem, which is why I suggested you disable it by default. My guess is that the average person, not familiar with Perl, doesn't expect that opening a Perl script in their favorite text editor may result in executing some code.

commented

Okay then, I'll disable it completely by default.

commented

Try being more respectful when you speak.

commented

Now it's disabled by default.

For those wanting to re-enable it,

let g:ale_linters = {'perl': ['perl','perlcritic'] }

As a side note, @trinitum is not right here.

  • perl -w file.pl enables warnings, parses, compiles, runs BEGIN and CHECK blocks in the compile-time phase, and executes in the runtime phase.
  • perl -c file.pl parses, compiles, runs BEGIN and CHECK blocks in the compile-time phase, and does not enter the runtime phase.
  • perl -wc file.pl enables warnings, parses, compiles, runs BEGIN and CHECK blocks, and does not enter the runtime phase.

The most correct way to invoke perl is with -wc. It's still unsafe, but it will generate more verbose output.
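The thread leaves two practical questions open: how to keep the `perl` checker off for files you merely opened to read, and how to still get it for the code you maintain. The snippet below is an added configuration example, not code from the ALE project or from anyone in this thread. It assumes ALE's `g:ale_pattern_options` (buffer-local settings keyed by a filename regex), `g:ale_perl_perl_options` (the arguments passed to perl) and the `~/src/trusted-perl-project/` path, which is a placeholder for a tree you control.

```vim
" Added example (not ALE's own code): scope the perl checker to a trusted tree.
" Assumptions: g:ale_pattern_options applies buffer-local settings by filename
" pattern, g:ale_perl_perl_options holds the perl arguments, and
" ~/src/trusted-perl-project/ is a placeholder for a directory you maintain.

" Weak setting (from the thread): re-enables the checker for every Perl buffer,
" so any .pl/.pm file you open is compiled with perl -c, and its BEGIN and
" CHECK blocks run, including in files downloaded only to be read.
" let g:ale_linters = {'perl': ['perl', 'perlcritic']}

" Safer setting: globally run only perlcritic, which parses the source with PPI
" and never compiles or executes it, so it is safe on untrusted files.
let g:ale_linters = {'perl': ['perlcritic']}

" Re-enable the compiling checker only for buffers whose path sits inside the
" trusted project tree. The key is a Vim regex; escape() keeps the dots in the
" expanded path literal.
let s:trusted_tree = escape(expand('~/src/trusted-perl-project/'), '.')
let g:ale_pattern_options_enabled = 1
let g:ale_pattern_options = {
      \ '^' . s:trusted_tree . '.*\.p[lm]$': {'ale_linters': ['perl', 'perlcritic']},
      \ }

" Where the checker does run, use -wc as recommended above: syntax check plus
" warnings, without entering the runtime phase. BEGIN/CHECK blocks still execute
" at compile time, which is exactly why the checker is confined to trusted paths.
let g:ale_perl_perl_options = '-wc'
```

With this in place, opening `/tmp/unlink.pl` from the issue's example only runs perlcritic, while a file under the trusted tree gets both checkers; `:ALEInfo` in a buffer shows which linters are active for it, which is the quickest way to confirm the pattern matched.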