extract version much more safely

Author: karenetheridge

Changes

@@ -4,6 +4,8 @@ Release history for Module-Metadata
   - eliminated dependency on IO::File (and by virtue, XS) - thanks, leont!
   - removed cruft in test infrastructure left behind from separation from
     Module::Build (ether)
+  - now extracting module version a Safe compartment in a subprocess
+    (RT#89283)
 
 1.000019 - 2013-10-06
   - warnings now disabled inside during the evaluation of generated version

Makefile.PL

@@ -22,6 +22,11 @@ WriteMakefile(
     'vars'        => 0,
     'version'     => 0.87,
     'warnings'    => 0,
+    'Exporter'    => 0,
+    'File::Temp'  =>'0.18',
+    'IPC::Open3'  => 0,
+    'Symbol'      => 0,
+    'Safe'        => 0,
     $] < 5.008
       ? ( 'IO::Scalar' => 0 )
       : ()

lib/Module/Metadata.pm

@@ -590,23 +590,13 @@ sub _parse_fh {
         $need_vers = 0 if $version_package eq $package;
 
         unless ( defined $vers{$version_package} && length $vers{$version_package} ) {
-        $vers{$version_package} = eval_version(
-          sigil => $version_sigil,
-          variable_name => $version_fullname,
-          string => $line,
-          filename => $self->{filename},
-        );
+        $vers{$version_package} = eval_version($line);
       }
 
       # first non-comment line in undeclared package main is VERSION
       } elsif ( !exists($vers{main}) && $package eq 'main' && $version_fullname ) {
         $need_vers = 0;
-        my $v = eval_version(
-          sigil => $version_sigil,
-          variable_name => $version_fullname,
-          string => $line,
-          filename => $self->{filename},
-        );
+        my $v = eval_version($line);
         $vers{$package} = $v;
         push( @packages, 'main' );
 
@@ -619,12 +609,7 @@ sub _parse_fh {
       # only keep if this is the first $VERSION seen
       } elsif ( $version_fullname && $need_vers ) {
         $need_vers = 0;
-        my $v = eval_version(
-          sigil => $version_sigil,
-          variable_name => $version_fullname,
-          string => $line,
-          filename => $self->{filename},
-        );
+        my $v = eval_version($line);
 
         unless ( defined $vers{$package} && length $vers{$package} ) {
           $vers{$package} = $v;

lib/Module/Metadata/ExtractVersion.pm

@@ -6,139 +6,178 @@ package Module::Metadata::ExtractVersion;
 use parent 'Exporter';
 our @EXPORT_OK = qw/eval_version/;
 
-use Carp qw/croak/;
+use File::Spec;
+use File::Temp 0.18;
+use IPC::Open3 qw(open3);
+use Symbol 'gensym';
+
+# Win32 is slow to spawn processes
+my $TIMEOUT = $^O eq 'MSWin32' ? 5 : 2;
 
 =func eval_version
 
+    my $version = eval_version( q[our $VERSION = "1.23"] );
+
 Given a (decoded) string (usually a single line) that contains a C<$VERSION>
 declaration, this function will evaluate it in a L<Safe> compartment in a
-separate process.  If the C<$VERSION> is a valid version string according to
-L<version>, it will return it as a string, otherwise, it will return undef.
+separate process.  The extracted string is returned; it is B<not> validated
+against required syntax for versions at this level, so the caller should
+normally do something like C<< version::is_lax($version) >> before proceeding
+to use this data.
 
 =cut
 
 sub eval_version
 {
-    my (%args) = @_;
-
-    return _evaluate_version_line(
-        $args{sigil},
-        $args{variable_name},
-        $args{string},
-        $args{filename},
-    );
-}
+    my ( $string, $timeout ) = @_;
+    $timeout = $TIMEOUT unless defined $timeout;
+
+    # what $VERSION are we looking for?
+    my ( $sigil, $var ) = $string =~ /([\$*])(([\w\:\']*)\bVERSION)\b.*\=/;
+    return unless $sigil && $var;
+
+    # munge string: remove "use version" as we do that already and the "use"
+    # will get stopped by the Safe compartment
+    $string =~ s/(?:use|require)\s+version[^;]*/1/;
+
+    # create test file
+    my $temp = File::Temp->new;
+    print {$temp} _pl_template( $string, $sigil, $var );
+    close $temp;
+
+    my $rc;
+    my $result;
+    my $err = gensym;
+    my $pid = open3(my $in, my $out, $err, $^X, $temp);
+    my $killer;
+    if ($^O eq 'MSWin32') {
+        $killer = fork;
+        if (!defined $killer) {
+            die "Can't fork: $!";
+        }
+        elsif ($killer == 0) {
+            sleep $timeout;
+            kill 'KILL', $pid;
+            exit 0;
+        }
+    }
+    my $got = eval {
+        local $SIG{ALRM} = sub { die "alarm\n" };
+        alarm $timeout;
+        local $/;
+        $result = readline $out;
+        my $c = waitpid $pid, 0;
+        alarm 0;
+        ( $c != $pid ) || $?;
+    };
+    if ( $@ eq "alarm\n" ) {
+        kill 'KILL', $pid;
+        waitpid $pid, 0;
+        $rc = $?;
+    }
+    else {
+        $rc = $got;
+    }
+    if ($killer) {
+        kill 'KILL', $killer;
+        waitpid $killer, 0;
+    }
 
-# transported directly from Module::Metadata
-{
-my $pn = 0;
-sub _evaluate_version_line {
-  my( $sigil, $variable_name, $line, $filename ) = @_;
-
-  # Some of this code came from the ExtUtils:: hierarchy.
-
-  # We compile into $vsub because 'use version' would cause
-  # compiletime/runtime issues with local()
-  my $vsub;
-  $pn++; # everybody gets their own package
-  my $eval = qq{BEGIN { my \$dummy = q#  Hide from _packages_inside()
-    #; package Module::Metadata::_version::p$pn;
-    use version;
-    no strict;
-    no warnings;
-
-      \$vsub = sub {
-        local $sigil$variable_name;
-        \$$variable_name=undef;
-        $line;
-        \$$variable_name
-      };
-  }};
-
-  $eval = $1 if $eval =~ m{^(.+)}s;
-
-  local $^W;
-  # Try to get the $VERSION
-  eval $eval;
-  # some modules say $VERSION = $Foo::Bar::VERSION, but Foo::Bar isn't
-  # installed, so we need to hunt in ./lib for it
-  if ( $@ =~ /Can't locate/ && -d 'lib' ) {
-    local @INC = ('lib',@INC);
-    eval $eval;
-  }
-  warn "Error evaling version line '$eval' in $filename: $@\n"
-    if $@;
-  (ref($vsub) eq 'CODE') or
-    croak "failed to build version sub for $filename";
-  my $result = eval { $vsub->() };
-  croak "Could not get version from $filename by executing:\n$eval\n\nThe fatal error was: $@\n"
-    if $@;
-
-  # Upgrade it into a version object
-  my $version = eval { _dwim_version($result) };
-
-  croak "Version '$result' from $filename does not appear to be valid:\n$eval\n\nThe fatal error was: $@\n"
-    unless defined $version; # "0" is OK!
-
-  return $version;
-}
-}
+    return if $rc || !defined $result; # error condition
 
-# Try to DWIM when things fail the lax version test in obvious ways
-{
-  my @version_prep = (
-    # Best case, it just works
-    sub { return shift },
-
-    # If we still don't have a version, try stripping any
-    # trailing junk that is prohibited by lax rules
-    sub {
-      my $v = shift;
-      $v =~ s{([0-9])[a-z-].*$}{$1}i; # 1.23-alpha or 1.23b
-      return $v;
-    },
-
-    # Activestate apparently creates custom versions like '1.23_45_01', which
-    # cause version.pm to think it's an invalid alpha.  So check for that
-    # and strip them
-    sub {
-      my $v = shift;
-      my $num_dots = () = $v =~ m{(\.)}g;
-      my $num_unders = () = $v =~ m{(_)}g;
-      my $leading_v = substr($v,0,1) eq 'v';
-      if ( ! $leading_v && $num_dots < 2 && $num_unders > 1 ) {
-        $v =~ s{_}{}g;
-        $num_unders = () = $v =~ m{(_)}g;
-      }
-      return $v;
-    },
-
-    # Worst case, try numifying it like we would have before version objects
-    sub {
-      my $v = shift;
-      no warnings 'numeric';
-      return 0 + $v;
-    },
-
-  );
-
-  sub _dwim_version {
-    my ($result) = shift;
-
-    return $result if ref($result) eq 'version';
-
-    my ($version, $error);
-    for my $f (@version_prep) {
-      $result = $f->($result);
-      $version = eval { version->new($result) };
-      $error ||= $@ if $@; # capture first failure
-      last if defined $version;
-    }
+##  print STDERR "# C<< $string >> --> $result" if $result =~ /^ERROR/;
+    return if $result =~ /^ERROR/;
 
-    croak $error unless defined $version;
+    $result =~ s/[\r\n]+\z//;
 
-    return $version;
-  }
+    # treat '' the same as undef: no version was found
+    undef $result if $result eq '';
+
+    return $result;
+}
+
+sub _pl_template {
+    my ( $string, $sigil, $var ) = @_;
+    return <<"HERE"
+use version;
+use Safe;
+use File::Spec;
+open STDERR, '>', File::Spec->devnull;
+open STDIN, '<', File::Spec->devnull;
+
+my \$comp = Safe->new;
+\$comp->permit("entereval"); # for MBARBON/Module-Info-0.30.tar.gz
+\$comp->share("*version::new");
+\$comp->share("*version::numify");
+\$comp->share_from('main', ['*version::',
+                            '*Exporter::',
+                            '*DynaLoader::']);
+\$comp->share_from('version', ['&qv']);
+
+my \$code = <<'END';
+    local $sigil$var;
+    \$$var = undef;
+    do {
+        $string
+    };
+    \$$var;
+END
+
+my \$result = \$comp->reval(\$code);
+print "ERROR: \$@\n" if \$@;
+exit unless defined \$result;
+
+eval { \$result = version->parse(\$result)->stringify };
+print \$result;
+
+HERE
 }
 
 1;
+
+=head1 SYNOPSIS
+
+    use Version::Eval qw/eval_version/;
+
+    my $version = eval_version( $unsafe_string );
+
+=head1 DESCRIPTION
+
+Package versions are defined by a string such as this:
+
+    package Foo;
+    our $VERSION = "1.23";
+
+If we want to know the version of a F<.pm> file, we can
+load it and check C<Foo->VERSION> for the package.  But that means any
+buggy or hostile code in F<Foo.pm> gets run.
+
+The safe thing to do is to parse out a string that looks like an assignment
+to C<$VERSION> and then evaluate it.  But even that could be hostile:
+
+    package Foo;
+    our $VERSION = do { my $n; $n++ while 1 }; # infinite loop
+
+This module executes a potential version string in a separate process in
+a L<Safe> compartment with a timeout to avoid as much risk as possible.
+
+Hostile code might still attempt to consume excessive resources, but the
+timeout should limit the problem.
+
+=head1 SEE ALSO
+
+=over 4
+
+* L<Parse::PMFile>
+
+* L<V>
+
+* L<use Module::Info>
+
+* L<Module::InstalledVersion>
+
+* L<Module::Version>
+
+=back
+
+=cut