
fix: code injection vulnerability in digest-bench#5

Draft
toddr-bot wants to merge 22 commits into gisle:master from Dual-Life:koan.toddr.bot/fix-digest-bench-injection

Conversation

@toddr-bot

Summary

SECURITY: digest-bench uses eval "require $mod" which allows arbitrary Perl code execution when the module name argument is attacker-controlled. This may warrant a vulnerability report.

  • Replace eval "require $mod" with safe bare require (convert :: to /, same pattern as Digest.pm)
  • Declare my $a instead of clobbering the special $a sort variable

Why

Line 8 of digest-bench used eval "require $mod" where $mod comes directly from @ARGV. An attacker (or careless user) could pass "Digest::MD5; system('rm -rf /')" and the injected code would execute inside the eval. The safe pattern used in Digest.pm itself (lines 42-47) converts :: to / and uses bare require, which only loads files and cannot execute arbitrary code.

How

Two-commit approach per security flagging conventions:

  1. First commit adds a PoC test that creates a canary file via injection — proves the vulnerability is real
  2. Second commit applies the fix — the test then passes

Testing

  • PoC test confirms injection no longer works (canary file is not created)
  • digest-bench Digest::MD5 still produces correct benchmark output
  • Full test suite passes: 4 files, 24 tests, all green

🤖 Generated with Claude Code
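The injectable loader the description above refers to, beside a hardened version, as an added example that is not digest-bench's or Digest.pm's own code. The names load_module_unsafe and load_module_safe are hypothetical; the identifier check in the safe version is an addition beyond the :: to / conversion the PR adopts, and the canary argument is constructed here to mirror the PR's proof-of-concept test.

```perl
#!/usr/bin/env perl
# Added example, not code from digest-bench or Digest.pm.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Vulnerable (hypothetical name): the module name is interpolated into Perl
# source and compiled by string eval, so anything after a ';' in $mod runs.
sub load_module_unsafe {
    my ($mod) = @_;
    eval "require $mod";           # string eval: $mod is parsed as code
    return $@ ? 0 : 1;
}

# Hardened (hypothetical name): accept only a package identifier, convert
# :: to /, and use bare require, which resolves the file via @INC and does
# not compile the argument as Perl source. The identifier check is an extra
# guard beyond the PR's fix: a name such as "../evil" would otherwise be
# loaded relative to the current directory rather than searched in @INC.
sub load_module_safe {
    my ($mod) = @_;
    die "Invalid module name: $mod\n"
        unless $mod =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    eval { require $file; 1 } or die "Cannot load $mod: $@";
    return 1;
}

# Constructed demonstration argument: a valid require followed by code that
# creates a canary file, the same shape as the PR's PoC test.
my $dir    = tempdir(CLEANUP => 1);
my $canary = File::Spec->catfile($dir, 'canary');
my $arg    = qq{Digest::MD5; open(my \$fh, '>', '$canary'); close \$fh};

load_module_unsafe($arg);
print "unsafe loader: canary ",
      (-e $canary ? "CREATED (injection ran)\n" : "absent\n");
unlink $canary;

my $verdict = eval { load_module_safe($arg); 1 } ? 'accepted' : 'rejected';
print "safe loader:   argument $verdict, canary ",
      (-e $canary ? "CREATED\n" : "absent\n");

load_module_safe('Digest::MD5');
print "safe loader:   Digest::MD5 loaded, md5_hex available: ",
      (Digest::MD5->can('md5_hex') ? "yes\n" : "no\n");
```

Run with any Digest::MD5-equipped perl; the unsafe loader creates the canary, the safe loader rejects the same argument before require is reached and still loads a legitimate module name. Bare require does execute the loaded module's top-level code, so the value of the fix is that the argument selects a file from @INC instead of being compiled as source; the identifier regex is what keeps that selection inside @INC.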

toddr and others added 22 commits October 6, 2020 09:56
- meta-spec 2 resources format
- dependencies are static, set dynamic_config 0
- EUMM will set configure_requires on itself
- Test::More only used in tests
- boilerplate to clean out unsupported keys if installed with old EUMM
Makefile.PL - use meta-spec 2, fix prereqs, compatibility with old EUMM
base.t, file.t: unlink temporary files created during testing
eval "require $mod" allows arbitrary Perl execution when the module
name is attacker-controlled. This test proves it by injecting code
that creates a canary file after a valid require statement.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The eval-based require allowed arbitrary code execution when the module
name argument contained injected Perl code (e.g., "Digest::MD5; system(...)").

Replace with the same safe pattern used in Digest.pm: convert :: to /
in the module name and use bare require, which only loads files.

Also declare $a with my to avoid clobbering the special sort variable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>