perl eval() gives 'Insecure dependency in eval while running with -T switch' on string variable

StackOverflow https://stackoverflow.com/questions/23612448

20-07-2023

Question

The variables $var and $var2 in the following code hold the same value but behave differently with respect to eval().

Source:

#!/usr/bin/perl -T
# Run as: perl -T assignment.pl  (the error message shows taint mode is on)
use strict;
use warnings;
use Data::Dumper;

# Strip leading/trailing whitespace and any line breaks
sub trim($)
{
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    $string =~ s/\R//g;
    return $string;
}

# $var2 is built entirely from string literals inside the program
my $var2 = "";
$var2 .= "{id=>1962}";
$var2 .= ",{id=>1645}";
$var2 .= ",{id=>905}";
$var2 .= ",{id=>273}";
$var2 .= ",{id=>1800}";
$var2 .= ",{id=>21}";
$var2 .= ",{id=>1639}";
$var2 .= ",{id=>55}";
$var2 .= ",{id=>57}";
$var2 .= ",{id=>59}";
$var2 .= ",{id=>420}";
$var2 .= ",{id=>418}";
$var2 = "[" . $var2 . "]";

print Dumper $var2;
print Dumper eval($var2); # evaluates to an ARRAY

# $var is built from data read from an external file, so it is tainted
my $filename = "sample.txt";
open(FILE, $filename) or die "Can't read file '$filename' [$!]\n";
my $document = <FILE>;
close(FILE);
$document = trim($document);
my @data = split(',', $document);
my $var = "";
foreach my $val (@data) {
    $var .= "{id=>" . $val . "},";
}
chop($var);   # drop the trailing comma
$var = "[" . $var . "]";
print "\n";

if ($var eq $var2) {
    print "var and var2 stringwise equal\n";
} else {
    print "var and var2 stringwise not equal\n";
}

print Dumper $var;
print Dumper eval($var); # error: Insecure dependency in eval while running with -T switch

exit(0);

Content of sample.txt:

1962,1645,905,273,1800,21,1639,55,57,59,420,418

Output:

$VAR1 = '[{id=>1962},{id=>1645},{id=>905},{id=>273},{id=>1800},{id=>21},{id=>1639},{id=>55},{id=>57},{id=>59},{id=>420},{id=>418}]';
$VAR1 = [
          {
            'id' => 1962
          },
          {
            'id' => 1645
          },
          {
            'id' => 905
          },
          {
            'id' => 273
          },
          {
            'id' => 1800
          },
          {
            'id' => 21
          },
          {
            'id' => 1639
          },
          {
            'id' => 55
          },
          {
            'id' => 57
          },
          {
            'id' => 59
          },
          {
            'id' => 420
          },
          {
            'id' => 418
          }
        ];

var and var2 stringwise equal
$VAR1 = '[{id=>1962},{id=>1645},{id=>905},{id=>273},{id=>1800},{id=>21},{id=>1639},{id=>55},{id=>57},{id=>59},{id=>420},{id=>418}]';
Insecure dependency in eval while running with -T switch at assignment.pl line 51.

Can anyone tell why "eval($var)" doesn't get evaluated despite having the same value as $var2?


Solution 2

This is perl Taint Mode doing exactly what it's supposed to be doing. You're reading in data from an external resource, and perl -T is not allowing you to run tainted data through eval since that literally could end up doing anything (very insecure).

In order to launder your data you simply need to run it through a regular expression to verify what it is. Replace the following line:

#my @data = split(',', $document);
# each captured run of digits is untainted by the regex capture
my @data = $document =~ m/(\d+)/g;

Because we're running the external document data through a regex, the values in @data will no longer be tainted and can be eval'd.

Either way, I'd advise against using eval at all unless there is a specific reason why you need it. The following accomplishes the same thing without the need for an eval:

# the leading "+" tells perl that { ... } is an anonymous hash, not a block
my $var = [ map { +{ id => $_ } } @data ];

OTHER TIPS

While $var might be the same as $var2 in your specific case of data, it isn't necessarily always that case. Your script also doesn't forbid the eval even if it is not the same.

Thus, the taint check is right to complain about the insecure eval, as it is intended to detect potentially unsafe operations which your eval($var) definitely is.

Generally, you should try to avoid eval wherever you can, as it is a prime source of remote-code-execution vulnerabilities. Instead, you should try to parse your data structures using other, safer means, e.g. by using split on your input data and then looping over the resulting array to produce your desired data structure.
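An added example, not code from the question or either answer, that combines the advice of both answers under taint mode: it validates every field with an anchored regex (rejecting a malformed field rather than extracting digits from it, which m/(\d+)/g would do) and builds the structure with map instead of eval. It writes a constructed copy of sample.txt to a temporary file so that the data read back is genuinely tainted; File::Temp and Scalar::Util are standard modules.

```perl
#!/usr/bin/perl -T
# Added example (not from the question or answers). Run as: perl -T untaint_ids.pl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);
use Data::Dumper;

# Constructed sample, written to a temp file so that reading it back
# yields tainted data exactly as reading sample.txt would.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "1962,1645,905,273,1800,21,1639,55,57,59,420,418\n";
close $fh;

# Opening a file for reading is permitted under -T; the line read is tainted.
open my $in, '<', $path or die "Can't read '$path': $!\n";
my $document = <$in>;
close $in;
chomp $document;
print "raw line tainted: ", (tainted($document) ? "yes" : "no"), "\n";

# Validate and untaint one field at a time. Anchoring with \A and \z
# rejects a field such as "12abc" instead of silently extracting "12"
# from it. A successful capture ($1) is untainted by perl.
sub untaint_id {
    my ($field) = @_;
    return $1 if $field =~ /\A(\d+)\z/;
    die "Rejected field '$field': not an unsigned integer\n";
}

my @ids = map { untaint_id($_) } split /,/, $document;
print "ids tainted after check: ",
      ((grep { tainted($_) } @ids) ? "yes" : "no"), "\n";

# Build the array of hashes directly; no eval is needed. The leading "+"
# tells perl that { ... } is an anonymous hash, not a block.
my $records = [ map { +{ id => $_ } } @ids ];
print Dumper $records;
```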

Licensed under: CC-BY-SA with attribution