avoiding exploit in perl variable extrapolation from file
I am optimizing a very time/memory consuming program by running it over a dataset and under multiple parameters. For each "run", I have a csv file, "setup.csv", set up with "runNumber","Command" for each run. I then import this into a perl script to read the command for the run number I would like, extrapolate the variables, then execute it on the system via the system command. Should I be worried about the potential for this to be exploited (I am worried right now)? If so, what can I do to protect our server? My plan now is to change the file permissions of "setup.csv" to read only and ownership to root, then go in as root whenever I need to append another run to the list. Thank you very much for your time.
Run your code in taint mode with -T. That will force you to carefully launder your data. Only pass through strings that are ones you are expecting. Do not launder with .*, but rather check against a list of good strings.
Ideally, there is a list of known acceptable values, and you validate against that.

Either way, you want to avoid the shell by using the multi-argument form of system or by using IPC::System::Simple's systemx.

If you can't avoid the shell, you must properly convert the text to pass to the command into shell literals.

Even then, you have to be careful of values that start with -. Lots of tools accept -- to denote the end of options, allowing other values to be passed safely.

Finally, you might want to make sure the args don't contain the NUL character (\0).

systemx('tool', '--', @args)

Note: Passing arbitrary strings is not possible in Windows. Extra validation is required.
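The following is an added example that is not part of either answer above: it puts the advice from both answers (taint mode, allow-list validation instead of .*, the multi-argument systemx with --, and a NUL check) into one script that reads the asker's "setup.csv". It assumes the CSV has the header "runNumber","Command", that each Command is a whitespace-separated tool name followed by its arguments, and that the tool names simulate and analyze and the argument character class are the site's own allow-list (all of these are assumptions for the example).

```perl
#!/usr/bin/perl -T
# Added example, not from the answers: run one row of "setup.csv" safely.
# Assumptions: header "runNumber","Command"; Command is "tool arg arg ...".
use strict;
use warnings;
use Text::CSV;                          # CPAN module, assumed installed
use IPC::System::Simple qw(systemx);

# Under -T, external commands refuse to run until PATH is set explicitly
# to an untainted value, so set it to a fixed safe one.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list of tools a run may invoke (constructed for this example).
my %allowed_tool = map { $_ => 1 } qw(simulate analyze);

# Arguments are laundered with an explicit character class, never with .*
my $arg_re = qr/\A([\w.\/=-]+)\z/;

sub untaint_arg {
    my ($arg) = @_;
    die "argument contains NUL\n" if index($arg, "\0") >= 0;
    my ($clean) = $arg =~ $arg_re
        or die "argument rejected: '$arg'\n";
    return $clean;                      # capture group result is untainted
}

sub load_commands {
    my ($path) = @_;
    my $csv = Text::CSV->new({ binary => 1, auto_diag => 1 });
    open my $fh, '<', $path or die "open $path: $!\n";
    $csv->column_names($csv->getline($fh));   # "runNumber","Command"
    my %cmd;
    while (my $row = $csv->getline_hr($fh)) {
        my ($n) = $row->{runNumber} =~ /\A(\d+)\z/
            or die "bad run number in $path\n";
        $cmd{$n} = $row->{Command};           # still tainted at this point
    }
    close $fh;
    return \%cmd;
}

sub run_number {
    my ($commands, $n) = @_;
    my $line = $commands->{$n} // die "no such run: $n\n";
    my ($tool, @args) = split ' ', $line;
    die "tool not allowed: $tool\n" unless $allowed_tool{$tool};
    ($tool) = $tool =~ /\A(\w+)\z/;     # untaint only after the allow-list check
    @args = map { untaint_arg($_) } @args;
    # Multi-argument form: no shell is involved, and '--' ends option
    # parsing so an argument beginning with '-' cannot be read as an option.
    systemx($tool, '--', @args);
}

my ($wanted) = ($ARGV[0] // '') =~ /\A(\d+)\z/
    or die "usage: $0 runNumber\n";
run_number(load_commands('setup.csv'), $wanted);
```

Start it as perl -T run.pl 3 (or via the shebang line); invoking it as perl run.pl would fail with "Too late for -T". A row whose tool is not on the allow-list, whose arguments fall outside the character class, or which contains a NUL byte is rejected before anything executes, which is the point of validating against known-good values rather than trying to filter known-bad ones.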