
Difference between revisions of "Anonymous function calls"

From NetSec

Revision as of 01:19, 12 May 2013

Unsafe programmatic construct referencing

Dynamic referencing of functions and classes through user input is dangerous and should never be done. Some examples are listed below.

Unsafe PHP examples

  • Anonymous function implementation example:
          <?php
            $func = $_GET['func'];      // function name taken straight from the request
            $func($args);               // the string is called as a function
          ?>
  • Anonymous object implementation example:
          <?php
            $class = $_GET['object_type'];   // class name taken straight from the request
            $object = new $class();          // any loadable class can be instantiated
          ?>
  • Anonymous object method implementation example:
          <?php
            $class    = $_GET['object_type'];
            $method   = $_GET['method'];
            $object   = new $class();
            $object->$method();              // both the class and the method are caller-chosen
          ?>

Unsafe Perl examples

  • Anonymous function implementation example:
          #!/usr/bin/perl
          chomp($func = <>);          # function name read from stdin
          $func->();                  # symbolic call through the string (needs 'no strict refs')
  • Anonymous object implementation example:
          #!/usr/bin/perl
          chomp($class = <>);         # class name read from stdin
          $object = $class->new();
  • Anonymous object method implementation example:
          #!/usr/bin/perl
          chomp($class  = <>);
          chomp($method = <>);
          $object = $class->new()->$method();   # both the class and the method are caller-chosen

Unsafe Python examples

  • Anonymous function implementation example:
          var = "function_name"
          locals()[var]() # or globals()
  • Anonymous object implementation example:
          import inspect, sys

          class_name = input()
          instance = globals()[class_name]()

          # OR
          instance = locals()[class_name]()

          # OR: resolve the name against every class in every loaded module
          any_scoped_class = lambda x: dict(target for classlist in [inspect.getmembers(sys.modules[module], inspect.isclass) for module in sys.modules] for target in classlist)[x]()
          instance = any_scoped_class(class_name)
  • Anonymous object method implementation example:
          ClassName = "ObjectName"
          func_name = "object_method"
          instance = globals()[ClassName]()
          func = getattr(instance, func_name)
          func()   # the attribute looked up by name is what gets called

Unsafe Ruby examples

  • Anonymous function implementation example:
          send("function_name")
  • Anonymous object implementation example:
          Object.const_get('ClassName').new()
  • Anonymous object method implementation example:
          Object.const_get("ClassName").new().send("function_name")

Mitigation

      These functions are best left unused unless the data is whitelisted and not directly based on user input. There is no safe way to allow users to call arbitrary (non-whitelisted) classes and functions. Do not do this! Whitelists should always be in place when referencing objects from user input.
      Whitelisting examples:
         <?php
             $class_whitelist['class_name'] = 'real_class_name';

             if (isset($_GET['module']) &&                                  # Check that input is defined
                 isset($class_whitelist[$_GET['module']]) &&                # Be sure the class is in the whitelist
                 class_exists($class_whitelist[$_GET['module']])) {         # Even if it's whitelisted, make sure it's a class... typos exist.
                   $class = new $class_whitelist[$_GET['module']]();        # new real_class_name() - user input is never used directly for instantiation.
             } else {
                 # Handle error...
             }
         ?>
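The same whitelist idea in Python, as an added example that is not part of the wiki page: the `globals()`/`getattr()` pattern from the Python section sits next to a dispatcher that only ever compares user input against fixed tables. The `Report` and `Invoice` classes and the external names are constructed for illustration.

```python
# Added example (not from the wiki page): an allowlist dispatcher in Python
# contrasted with the globals()/getattr() pattern the page warns about.
# Report, Invoice and the external names below are constructed for illustration.


class Report:
    """A hypothetical object that user input may legitimately act on."""

    def summary(self):
        return "report summary"

    def _export(self):
        # Internal helper: must never be reachable from user-supplied names.
        return "leaked internals"


class Invoice:
    def total(self):
        return 42


# External name -> real class. User input is only ever compared against these
# keys; it never becomes a globals()/locals() key or a getattr() attribute name.
CLASS_ALLOWLIST = {"report": Report, "invoice": Invoice}

# Per class, the external method name -> the real unbound method.
METHOD_ALLOWLIST = {
    Report: {"summary": Report.summary},
    Invoice: {"total": Invoice.total},
}


def unsafe_call(class_name, method_name):
    """The page's unsafe pattern: user input selects the class and the method."""
    instance = globals()[class_name]()
    return getattr(instance, method_name)()


def safe_call(class_name, method_name):
    """Exact membership checks against fixed tables; anything else is refused."""
    cls = CLASS_ALLOWLIST.get(class_name)
    if cls is None:
        raise ValueError("unknown object type")
    method = METHOD_ALLOWLIST[cls].get(method_name)
    if method is None:
        raise ValueError("method not permitted")
    return method(cls())
```

Note that the external names ("report") deliberately differ from the real class names, so a caller cannot reach anything simply by knowing what the code base calls it.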

Auditing

To audit:

find . -name \*.py -exec grep -EHnC2 "[a-zA-Z0-9)]\[[^]'\"]+\]\(" '{}' \; \
    -o -name \*.rb -exec grep -EHnC2 "const_get\(|send\(|eval\(" '{}' \;
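The two grep expressions above as Python regexes run over constructed source samples, as an added example that is not the wiki's own code; the Python pattern here goes one step further than the page's grep and also flags `getattr(`, which the page's own method example uses. The sample file names and lines are constructed.

```python
# Added example (not the wiki's own code): the page's two grep expressions as
# Python regexes, run over constructed source samples. The Python pattern here
# additionally flags getattr(, which the page's own method example uses but its
# grep does not catch.
import re

PATTERNS = {
    # an unquoted subscript that is immediately called, e.g. globals()[name]()
    ".py": re.compile(r"""[A-Za-z0-9)]\[[^]'"]+\]\(|getattr\("""),
    # reflective calls named on the page
    ".rb": re.compile(r"const_get\(|send\(|eval\("),
}


def audit_source(filename, text):
    """Return (line number, line) for each line matching the pattern for the file type."""
    ext = filename[filename.rfind("."):] if "." in filename else ""
    pattern = PATTERNS.get(ext)
    if pattern is None:
        return []
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), 1)
            if pattern.search(line)]


# Constructed samples: lines 4 and 6 of the Python sample should be flagged,
# line 5 (a literal key, not user input) should not; lines 1 and 3 of the Ruby one.
SAMPLE_PY = """\
import sys
handlers = {"ping": ping}
name = input()
instance = globals()[name]()
result = handlers["ping"]()
func = getattr(instance, func_name)
"""

SAMPLE_RB = """\
klass = Object.const_get(params[:type])
obj = klass.new
obj.send(params[:action])
puts "done"
"""

if __name__ == "__main__":
    for fname, text in (("app.py", SAMPLE_PY), ("app.rb", SAMPLE_RB)):
        for n, line in audit_source(fname, text):
            print(f"{fname}:{n}: {line}")
```

Like the grep, this is a triage aid: a quoted literal key is skipped, so a hit still needs a manual check of where the subscript or method name actually comes from.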