RATS

KM on 2002-10-07T13:01:19

Odud writes "RATS, the Rough Auditing Tool for Security, is a security auditing utility for C, C++, Python, Perl and PHP code. RATS scans source code, finding potentially dangerous function calls. The goal of this project is not to definitively find bugs. The current goal is to provide a reasonable starting point for performing manual security audits. Produced by Secure Software." Uses a database so you can alter what you want it to look for. Not a replacement for using stricture or your head, but it is a good place to start some security auditing on your Perl.


Similar Software

dweomer on 2002-10-07T22:33:45

You can also get FlawFinder from David Wheeler's page: http://www.dwheeler.com/flawfinder/

Flawfinder does the same kind of scan that RATS does so why not use both?

Sample Output

Odud on 2002-10-08T08:27:56

Here's some sample output from running RATS against a random script of mine.
  $ rats /usr/contrib/bin/difference.pl
  Entries in perl database: 33
  Entries in python database: 62
  Entries in c database: 334
  Entries in php database: 55
  Analyzing /usr/contrib/bin/difference.pl
  /usr/contrib/bin/difference.pl:75: Medium: open
  /usr/contrib/bin/difference.pl:88: Medium: open
  /usr/contrib/bin/difference.pl:116: Medium: open
  /usr/contrib/bin/difference.pl:210: Medium: open
  The filename argument of open should be carefully checked if it is being created
  with any user-supplied string as a compontent of it. Strings should be checked
  for occurences of path backtracking/relative path components (../ as an example),
  or nulls, which may cause the underlying C call to interpret the filename to
  open differently than expected. It is also important to make sure that the final
  filename does not end in a "|", as this will cause the path to be executed.

Basically all the open statements are of the form
  open(FILE1,"$input1") or die "Can't open $input1 $!";
so these are reasonable comments.

The product depends on filename suffixes to determine the language - although you can override this by argument.
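To show concretely why RATS flags the two-argument open() shape quoted above, here is an added Perl example (not code from the thread or from RATS) that puts the flagged form beside a hardened one. The helper names check_filename and open_checked are made up for this example, and the sample filenames are constructed; the checks mirror the items in the RATS message (relative path components, NUL bytes, a trailing pipe) plus the leading mode characters that a two-argument open also honours.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# Constructed sample inputs standing in for $input1 in the flagged open() calls.
my @samples = (
    'data.txt',          # plain name: acceptable
    'report 2002.txt',   # internal spaces are fine with three-argument open
    '../../etc/passwd',  # relative path component (traversal)
    "data.txt\0.jpg",    # embedded NUL byte
    'ls -l |',           # trailing pipe: two-argument open would run a command
    '>important.txt',    # leading '>': two-argument open would truncate the file
);

# The shape RATS flagged, shown only as text so nothing is executed:
# with two arguments the string itself may carry a mode or a pipe.
my $flagged = 'open(FILE1, "$input1") or die "Can\'t open $input1 $!";';
print "RATS-flagged form: $flagged\n\n";

# Hypothetical helper: returns undef if $name is acceptable as a plain
# filename, otherwise a short reason for rejecting it.
sub check_filename {
    my ($name) = @_;
    return 'empty name'               if !defined $name || $name eq '';
    return 'embedded NUL byte'        if $name =~ /\0/;
    return 'trailing pipe'            if $name =~ /\|\s*$/;
    return 'leading mode character'   if $name =~ /^\s*[<>+|]/;
    my @parts = File::Spec->splitdir($name);
    return 'relative path component'  if grep { $_ eq '..' } @parts;
    return undef;
}

# Hardened form: validate first, then use three-argument open with an
# explicit mode, so $name is always treated as a filename, never as a command.
sub open_checked {
    my ($name) = @_;
    my $why = check_filename($name);
    die "refusing to open '$name': $why\n" if defined $why;
    open(my $fh, '<', $name) or die "Can't open $name: $!\n";
    return $fh;
}

# Run every constructed sample through the check and report the verdict.
for my $s (@samples) {
    my $why   = check_filename($s);
    my $shown = $s;
    $shown =~ s/\0/\\0/g;    # make the NUL visible when printed
    printf "%-22s %s\n", "'$shown'", defined $why ? "rejected: $why" : 'ok';
}

# Exercise the hardened open on a constructed temporary file.
my ($tfh, $tname) = tempfile(UNLINK => 1);
print $tfh "hello\n";
close $tfh;
my $fh   = open_checked($tname);
my $line = <$fh>;
close $fh;
print "\nread from temp file: $line";
```

The three-argument form alone already removes the command-execution and mode problems; the check_filename step is what handles the traversal and NUL cases that RATS's message also mentions, which the open() call itself cannot tell apart from a legitimate name.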

Re:Sample Output

acme on 2002-10-08T11:12:06

Context is quite important. I ran this recently on a bunch of scripts and it mistakenly complained about DBI connect calls (where it was searching for potential socket connect issues - oops) and it complained about eval in some embedded JavaScript code (as if it was Perl's eval). Well, yes, but it's JavaScript: you can't do anything useful without eval. I caught many more problems by hand, unfortunately, such as SQL injection issues and in fact most of the problems listed on OWASP. Knowing about security issues is important ;-)