Don't execute code for the perl linter
trinitum opened this issue · comments
In some cases a syntax check may result in executing the code, which might be a problem if somebody opens a file from an untrusted source. Here's an example with Perl:
$ echo test > /tmp/foobar.txt
$ ls /tmp/foobar.txt
/tmp/foobar.txt
$ echo "BEGIN { unlink '/tmp/foobar.txt' }" > unlink.pl
$ vim unlink.pl # just open the file and exit
$ ls /tmp/foobar.txt
ls: cannot access /tmp/foobar.txt: No such file or directory
Wouldn't it make sense to keep all the checkers disabled by default and make users explicitly enable those that they need?
For which linter? Linters typically shouldn't execute much code by default, and those that do should be disabled by default.
All linters will remain enabled by default, except for those which might actually cause problems.
It's perl -c; it executes BEGIN blocks.
Okay, I updated the issue.
Now -w is the default for perl instead of -c. The documentation explains the security problems and tells you how to change the option if you want to. That will be the default now and forever because it's safer.
I'm sorry, but that's completely wrong. -w is essentially the same as -Mwarnings: it enables warnings, so perl -w file.pl will execute the whole script, not just the BEGIN and CHECK blocks as perl -c does. The previous implementation was correct. perl -c is what you run if you want to check the syntax of a Perl script, but by design it executes BEGIN and CHECK blocks; there's simply no way to check the syntax of a Perl script without executing them. That's fine when you are using it to check the syntax of your own scripts, but if the script comes from an untrusted source it might be a problem, which is why I suggested you disable it by default. My guess is that the average person, not familiar with Perl, doesn't expect that opening a Perl script in their favorite text editor may result in executing some code.
Okay then, I'll disable it completely by default.
Try being more respectful when you speak.
Now it's disabled by default.
For those wanting to re-enable it,
let g:ale_linters = {'perl': ['perl','perlcritic'] }
As a side note, @trinitum is not right here.
perl -w file.pl enables warnings, parses, compiles, runs BEGIN and CHECK blocks in the compile-time phase, and executes in the runtime phase.
perl -c file.pl parses, compiles, runs BEGIN and CHECK blocks in the compile-time phase, and does not enter the runtime phase.
perl -wc file.pl enables warnings, parses, compiles, runs BEGIN and CHECK blocks, and does not enter the runtime phase.
The most correct way to invoke perl is with -wc. It's still unsafe, but it will generate more verbose output.
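As an added example that is not part of this issue thread, the following shell script makes the phase difference above concrete: it writes a constructed Perl file with a marker printed from each phase and shows which markers appear under -c, -w and -wc (the file name and temp directory are assumptions).

```shell
#!/bin/sh
# Added example (not from the ALE issue): show which Perl phases each flag runs.
# A constructed script prints a marker from each phase; stdout is captured and
# stderr discarded, since perl -c reports "syntax OK" on stderr.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/phases.pl" <<'EOF'
BEGIN { print "BEGIN\n" }   # runs at compile time, even under -c
CHECK { print "CHECK\n" }   # also compile time, also runs under -c
print "RUNTIME\n";          # only reached when perl enters the run phase
EOF

# phases_for FLAG -> space-separated list of the phases that actually ran
phases_for() {
    perl "$1" "$work/phases.pl" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}

# -c and -wc stop after the compile-time blocks; -w runs the whole script.
for flag in -c -w -wc; do
    printf '%-4s %s\n' "$flag" "$(phases_for "$flag")"
done
```

The point for a linter is visible in the first column: the compile-time markers appear under every flag, so no flag makes a syntax check safe on an untrusted file.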