Perl Security Patterns
Comprehensive security guidelines for Perl applications covering input validation, injection prevention, and secure coding practices.
When to Activate
- Handling user input in Perl applications
- Building Perl web applications (CGI, Mojolicious, Dancer2, Catalyst)
- Reviewing Perl code for security vulnerabilities
- Performing file operations with user-supplied paths
- Executing system commands from Perl
- Writing DBI database queries
How It Works
Start with taint-aware input boundaries, then move outward: validate and untaint inputs, keep filesystem and process execution constrained, and use parameterized DBI queries everywhere. The examples below show the safe defaults this skill expects you to apply before shipping Perl code that touches user input, the shell, or the network.
Taint Mode
Perl's taint mode (-T) tracks data from external sources and prevents it from being used in unsafe operations without explicit validation.
Enabling Taint Mode
perl1#!/usr/bin/perl -T 2use v5.36; 3 4# Tainted: anything from outside the program 5my $input = $ARGV[0]; # Tainted 6my $env_path = $ENV{PATH}; # Tainted 7my $form = <STDIN>; # Tainted 8my $query = $ENV{QUERY_STRING}; # Tainted 9 10# Sanitize PATH early (required in taint mode) 11$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin'; 12delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
Untainting Pattern
perl1use v5.36; 2 3# Good: Validate and untaint with a specific regex 4sub untaint_username($input) { 5 if ($input =~ /^([a-zA-Z0-9_]{3,30})$/) { 6 return $1; # $1 is untainted 7 } 8 die "Invalid username: must be 3-30 alphanumeric characters\n"; 9} 10 11# Good: Validate and untaint a file path 12sub untaint_filename($input) { 13 if ($input =~ m{^([a-zA-Z0-9._-]+)$}) { 14 return $1; 15 } 16 die "Invalid filename: contains unsafe characters\n"; 17} 18 19# Bad: Overly permissive untainting (defeats the purpose) 20sub bad_untaint($input) { 21 $input =~ /^(.*)$/s; 22 return $1; # Accepts ANYTHING — pointless 23}
Input Validation
Allowlist Over Blocklist
perl1use v5.36; 2 3# Good: Allowlist — define exactly what's permitted 4sub validate_sort_field($field) { 5 my %allowed = map { $_ => 1 } qw(name email created_at updated_at); 6 die "Invalid sort field: $field\n" unless $allowed{$field}; 7 return $field; 8} 9 10# Good: Validate with specific patterns 11sub validate_email($email) { 12 if ($email =~ /^([a-zA-Z0-9._%+-]+\@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$/) { 13 return $1; 14 } 15 die "Invalid email address\n"; 16} 17 18sub validate_integer($input) { 19 if ($input =~ /^(-?\d{1,10})$/) { 20 return $1 + 0; # Coerce to number 21 } 22 die "Invalid integer\n"; 23} 24 25# Bad: Blocklist — always incomplete 26sub bad_validate($input) { 27 die "Invalid" if $input =~ /[<>"';&|]/; # Misses encoded attacks 28 return $input; 29}
Length Constraints
perl1use v5.36; 2 3sub validate_comment($text) { 4 die "Comment is required\n" unless length($text) > 0; 5 die "Comment exceeds 10000 chars\n" if length($text) > 10_000; 6 return $text; 7}
Safe Regular Expressions
ReDoS Prevention
Catastrophic backtracking occurs with nested quantifiers on overlapping patterns.
perl1use v5.36; 2 3# Bad: Vulnerable to ReDoS (exponential backtracking) 4my $bad_re = qr/^(a+)+$/; # Nested quantifiers 5my $bad_re2 = qr/^([a-zA-Z]+)*$/; # Nested quantifiers on class 6my $bad_re3 = qr/^(.*?,){10,}$/; # Repeated greedy/lazy combo 7 8# Good: Rewrite without nesting 9my $good_re = qr/^a+$/; # Single quantifier 10my $good_re2 = qr/^[a-zA-Z]+$/; # Single quantifier on class 11 12# Good: Use possessive quantifiers or atomic groups to prevent backtracking 13my $safe_re = qr/^[a-zA-Z]++$/; # Possessive (5.10+) 14my $safe_re2 = qr/^(?>a+)$/; # Atomic group 15 16# Good: Enforce timeout on untrusted patterns 17use POSIX qw(alarm); 18sub safe_match($string, $pattern, $timeout = 2) { 19 my $matched; 20 eval { 21 local $SIG{ALRM} = sub { die "Regex timeout\n" }; 22 alarm($timeout); 23 $matched = $string =~ $pattern; 24 alarm(0); 25 }; 26 alarm(0); 27 die $@ if $@; 28 return $matched; 29}
Safe File Operations
Three-Argument Open
perl1use v5.36; 2 3# Good: Three-arg open, lexical filehandle, check return 4sub read_file($path) { 5 open my $fh, '<:encoding(UTF-8)', $path 6 or die "Cannot open '$path': $!\n"; 7 local $/; 8 my $content = <$fh>; 9 close $fh; 10 return $content; 11} 12 13# Bad: Two-arg open with user data (command injection) 14sub bad_read($path) { 15 open my $fh, $path; # If $path = "|rm -rf /", runs command! 16 open my $fh, "< $path"; # Shell metacharacter injection 17}
TOCTOU Prevention and Path Traversal
perl1use v5.36; 2use Fcntl qw(:DEFAULT :flock); 3use File::Spec; 4use Cwd qw(realpath); 5 6# Atomic file creation 7sub create_file_safe($path) { 8 sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) 9 or die "Cannot create '$path': $!\n"; 10 return $fh; 11} 12 13# Validate path stays within allowed directory 14sub safe_path($base_dir, $user_path) { 15 my $real = realpath(File::Spec->catfile($base_dir, $user_path)) 16 // die "Path does not exist\n"; 17 my $base_real = realpath($base_dir) 18 // die "Base dir does not exist\n"; 19 die "Path traversal blocked\n" unless $real =~ /^\Q$base_real\E(?:\/|\z)/; 20 return $real; 21}
Use File::Temp for temporary files (tempfile(UNLINK => 1)) and flock(LOCK_EX) to prevent race conditions.
Safe Process Execution
List-Form system and exec
perl1use v5.36; 2 3# Good: List form — no shell interpolation 4sub run_command(@cmd) { 5 system(@cmd) == 0 6 or die "Command failed: @cmd\n"; 7} 8 9run_command('grep', '-r', $user_pattern, '/var/log/app/'); 10 11# Good: Capture output safely with IPC::Run3 12use IPC::Run3; 13sub capture_output(@cmd) { 14 my ($stdout, $stderr); 15 run3(\@cmd, \undef, \$stdout, \$stderr); 16 if ($?) { 17 die "Command failed (exit $?): $stderr\n"; 18 } 19 return $stdout; 20} 21 22# Bad: String form — shell injection! 23sub bad_search($pattern) { 24 system("grep -r '$pattern' /var/log/app/"); # If $pattern = "'; rm -rf / #" 25} 26 27# Bad: Backticks with interpolation 28my $output = `ls $user_dir`; # Shell injection risk
Also use Capture::Tiny for capturing stdout/stderr from external commands safely.
SQL Injection Prevention
DBI Placeholders
perl1use v5.36; 2use DBI; 3 4my $dbh = DBI->connect($dsn, $user, $pass, { 5 RaiseError => 1, 6 PrintError => 0, 7 AutoCommit => 1, 8}); 9 10# Good: Parameterized queries — always use placeholders 11sub find_user($dbh, $email) { 12 my $sth = $dbh->prepare('SELECT * FROM users WHERE email = ?'); 13 $sth->execute($email); 14 return $sth->fetchrow_hashref; 15} 16 17sub search_users($dbh, $name, $status) { 18 my $sth = $dbh->prepare( 19 'SELECT * FROM users WHERE name LIKE ? AND status = ? ORDER BY name' 20 ); 21 $sth->execute("%$name%", $status); 22 return $sth->fetchall_arrayref({}); 23} 24 25# Bad: String interpolation in SQL (SQLi vulnerability!) 26sub bad_find($dbh, $email) { 27 my $sth = $dbh->prepare("SELECT * FROM users WHERE email = '$email'"); 28 # If $email = "' OR 1=1 --", returns all users 29 $sth->execute; 30 return $sth->fetchrow_hashref; 31}
Dynamic Column Allowlists
perl1use v5.36; 2 3# Good: Validate column names against an allowlist 4sub order_by($dbh, $column, $direction) { 5 my %allowed_cols = map { $_ => 1 } qw(name email created_at); 6 my %allowed_dirs = map { $_ => 1 } qw(ASC DESC); 7 8 die "Invalid column: $column\n" unless $allowed_cols{$column}; 9 die "Invalid direction: $direction\n" unless $allowed_dirs{uc $direction}; 10 11 my $sth = $dbh->prepare("SELECT * FROM users ORDER BY $column $direction"); 12 $sth->execute; 13 return $sth->fetchall_arrayref({}); 14} 15 16# Bad: Directly interpolating user-chosen column 17sub bad_order($dbh, $column) { 18 $dbh->prepare("SELECT * FROM users ORDER BY $column"); # SQLi! 19}
DBIx::Class (ORM Safety)
perl1use v5.36; 2 3# DBIx::Class generates safe parameterized queries 4my @users = $schema->resultset('User')->search({ 5 status => 'active', 6 email => { -like => '%@example.com' }, 7}, { 8 order_by => { -asc => 'name' }, 9 rows => 50, 10});
Web Security
XSS Prevention
perl1use v5.36; 2use HTML::Entities qw(encode_entities); 3use URI::Escape qw(uri_escape_utf8); 4 5# Good: Encode output for HTML context 6sub safe_html($user_input) { 7 return encode_entities($user_input); 8} 9 10# Good: Encode for URL context 11sub safe_url_param($value) { 12 return uri_escape_utf8($value); 13} 14 15# Good: Encode for JSON context 16use JSON::MaybeXS qw(encode_json); 17sub safe_json($data) { 18 return encode_json($data); # Handles escaping 19} 20 21# Template auto-escaping (Mojolicious) 22# <%= $user_input %> — auto-escaped (safe) 23# <%== $raw_html %> — raw output (dangerous, use only for trusted content) 24 25# Template auto-escaping (Template Toolkit) 26# [% user_input | html %] — explicit HTML encoding 27 28# Bad: Raw output in HTML 29sub bad_html($input) { 30 print "<div>$input</div>"; # XSS if $input contains <script> 31}
CSRF Protection
perl1use v5.36; 2use Crypt::URandom qw(urandom); 3use MIME::Base64 qw(encode_base64url); 4 5sub generate_csrf_token() { 6 return encode_base64url(urandom(32)); 7}
Use constant-time comparison when verifying tokens. Most web frameworks (Mojolicious, Dancer2, Catalyst) provide built-in CSRF protection — prefer those over hand-rolled solutions.
Session and Header Security
perl1use v5.36; 2 3# Mojolicious session + headers 4$app->secrets(['long-random-secret-rotated-regularly']); 5$app->sessions->secure(1); # HTTPS only 6$app->sessions->samesite('Lax'); 7 8$app->hook(after_dispatch => sub ($c) { 9 $c->res->headers->header('X-Content-Type-Options' => 'nosniff'); 10 $c->res->headers->header('X-Frame-Options' => 'DENY'); 11 $c->res->headers->header('Content-Security-Policy' => "default-src 'self'"); 12 $c->res->headers->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains'); 13});
Output Encoding
Always encode output for its context: HTML::Entities::encode_entities() for HTML, URI::Escape::uri_escape_utf8() for URLs, JSON::MaybeXS::encode_json() for JSON.
CPAN Module Security
- Pin versions in cpanfile:
requires 'DBI', '== 1.643'; - Prefer maintained modules: Check MetaCPAN for recent releases
- Minimize dependencies: Each dependency is an attack surface
Security Tooling
perlcritic Security Policies
ini1# .perlcriticrc — security-focused configuration 2severity = 3 3theme = security + core 4 5# Require three-arg open 6[InputOutput::RequireThreeArgOpen] 7severity = 5 8 9# Require checked system calls 10[InputOutput::RequireCheckedSyscalls] 11functions = :builtins 12severity = 4 13 14# Prohibit string eval 15[BuiltinFunctions::ProhibitStringyEval] 16severity = 5 17 18# Prohibit backtick operators 19[InputOutput::ProhibitBacktickOperators] 20severity = 4 21 22# Require taint checking in CGI 23[Modules::RequireTaintChecking] 24severity = 5 25 26# Prohibit two-arg open 27[InputOutput::ProhibitTwoArgOpen] 28severity = 5 29 30# Prohibit bare-word filehandles 31[InputOutput::ProhibitBarewordFileHandles] 32severity = 5
Running perlcritic
bash1# Check a file 2perlcritic --severity 3 --theme security lib/MyApp/Handler.pm 3 4# Check entire project 5perlcritic --severity 3 --theme security lib/ 6 7# CI integration 8perlcritic --severity 4 --theme security --quiet lib/ || exit 1
Quick Security Checklist
| Check | What to Verify |
|---|---|
| Taint mode | -T flag on CGI/web scripts |
| Input validation | Allowlist patterns, length limits |
| File operations | Three-arg open, path traversal checks |
| Process execution | List-form system, no shell interpolation |
| SQL queries | DBI placeholders, never interpolate |
| HTML output | encode_entities(), template auto-escape |
| CSRF tokens | Generated, verified on state-changing requests |
| Session config | Secure, HttpOnly, SameSite cookies |
| HTTP headers | CSP, X-Frame-Options, HSTS |
| Dependencies | Pinned versions, audited modules |
| Regex safety | No nested quantifiers, anchored patterns |
| Error messages | No stack traces or paths leaked to users |
Anti-Patterns
perl1# 1. Two-arg open with user data (command injection) 2open my $fh, $user_input; # CRITICAL vulnerability 3 4# 2. String-form system (shell injection) 5system("convert $user_file output.png"); # CRITICAL vulnerability 6 7# 3. SQL string interpolation 8$dbh->do("DELETE FROM users WHERE id = $id"); # SQLi 9 10# 4. eval with user input (code injection) 11eval $user_code; # Remote code execution 12 13# 5. Trusting $ENV without sanitizing 14my $path = $ENV{UPLOAD_DIR}; # Could be manipulated 15system("ls $path"); # Double vulnerability 16 17# 6. Disabling taint without validation 18($input) = $input =~ /(.*)/s; # Lazy untaint — defeats purpose 19 20# 7. Raw user data in HTML 21print "<div>Welcome, $username!</div>"; # XSS 22 23# 8. Unvalidated redirects 24print $cgi->redirect($user_url); # Open redirect
Remember: Perl's flexibility is powerful but requires discipline. Use taint mode for web-facing code, validate all input with allowlists, use DBI placeholders for every query, and encode all output for its context. Defense in depth — never rely on a single layer.
