File Coverage

blib/lib/Net/DNS/Paranoid.pm

Criterion	Covered	Total	%
statement	90	93	96.7
branch	55	76	72.3
condition	41	63	65.0
subroutine	11	12	91.6
pod	2	2	100.0
total	199	246	80.8

line	stmt	bran	cond	sub	pod	time	code
1							package Net::DNS::Paranoid;
2	2			2		205827	use strict;
	2					6
	2					112
3	2			2		12	use warnings;
	2					3
	2					71
4	2			2		60	use 5.008008;
	2					12
	2					197
5							our $VERSION = '0.07';
6
7							use Class::Accessor::Lite (
8	2					18	rw => [qw(timeout blocked_hosts whitelisted_hosts resolver)]
9	2			2		2786	);
	2					3004
10	2			2		2678	use Net::DNS;
	2					274946
	2					3222
11
12							sub new {
13	1			1	1	4185	my $class = shift;
14	1	50				5	my %args = @_ ==1 ? %{$_[0]} : @_;
	0					0
15	1		33			6	$args{resolver} \|\|= Net::DNS::Resolver->new;
16	1		50			7	$args{whitelisted_hosts} \|\|= [];
17	1		50			9	$args{blocked_hosts} \|\|= [];
18	1					6	bless {
19							timeout => 15,
20							%args
21							}, $class;
22							}
23
24							sub resolve {
25	18			18	1	41115	my ($self, $name, $start_time, $timeout) = @_;
26	18	50				76	$start_time = time() if not defined $start_time;
27	18	50				90	$timeout = $self->timeout if not defined $timeout;
28
29	18					129	my ($addrs, $errmsg) = $self->_resolve($name, $start_time, $timeout);
30	18					130	return ($addrs, $errmsg);
31							}
32
33							sub _resolve {
34	19			19		29	my ($self, $host, $start_time, $timeout, $depth) = @_;
35	19					55	my $res = $self->resolver;
36	19		100			160	$depth \|\|= 0;
37
38	19	50				55	return (undef, "CNAME recursion depth limit exceeded.") if $depth > 10;
39	19	100				60	return (undef, "DNS lookup resulted in bad host.") if $self->_bad_host($host);
40
41							# return the IP address if it looks like one and wasn't marked bad
42	4	50				18	return ([$host]) if $host =~ /^\d+\.\d+\.\d+\.\d+$/;
43
44	4	50				24	my $sock = $res->bgsend($host)
45							or return (undef, "No sock from bgsend");
46
47							# wait for the socket to become readable, unless this is from our test
48							# mock resolver.
49	4	100	66			7548	unless ($sock && $sock eq "MOCK") {
50	2					7	my $rin = '';
51	2					11	vec($rin, fileno($sock), 1) = 1;
52	2					15	my $nf = select($rin, undef, undef, $self->_time_remain($start_time));
53	2	50				22	return (undef, "DNS lookup timeout") unless $nf;
54							}
55
56	4	50				23	my $packet = $res->bgread($sock)
57							or return (undef, "DNS bgread failure");
58	4					1460	$sock = undef;
59
60	4					62	my @addr;
61							my $cname;
62	4					28	foreach my $rr ($packet->answer) {
63	4	100				55	if ($rr->type eq "A") {
		50
64	3	100				76	return (undef, "Suspicious DNS results from A record") if $self->_bad_host($rr->address);
65							# untaints the address:
66	2					9	push @addr, join(".", ($rr->address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/));
67							} elsif ($rr->type eq "CNAME") {
68							# will be checked for validity in the recursion path
69	1					33	$cname = $rr->cname;
70							}
71							}
72
73	3	100				127	return (\@addr) if @addr;
74	1	50				3	return ([]) unless $cname;
75	1					9	return $self->_resolve($cname, $start_time, $timeout, $depth + 1);
76							}
77
78							# returns seconds remaining given a request
79							sub _time_remain {
80	2			2		4	my $self = shift;
81	2					4	my $start_time = shift;
82
83	2					913	return $start_time + $self->{timeout} - time();
84							}
85
86							sub _host_list_match {
87	47			47		62	my $self = shift;
88	47					52	my $list_name = shift;
89	47					51	my $host = shift;
90
91	47	50				48	foreach my $rule (@{ $self->{$list_name} \|\| [] }) {
	47					249
92	48	50				148	if (ref $rule eq "CODE") {
		100
93	0	0				0	return 1 if $rule->($host);
94							} elsif (ref $rule) {
95							# assume regexp
96	25	100				170	return 1 if $host =~ /$rule/;
97							} else {
98	23	100				116	return 1 if $host eq $rule;
99							}
100							}
101							}
102
103
104							sub _bad_host {
105	22			22		59	my $self = shift;
106	22					52	my $host = lc(shift);
107
108	22	50				66	return 0 if $self->_host_list_match("whitelisted_hosts", $host);
109	22	100				50	return 1 if $self->_host_list_match("blocked_hosts", $host);
110	20	100	66			147	return 1 if
111							$host =~ /^localhost$/i \|\| # localhost is bad. even though it'd be stopped in
112							# a later call to _bad_host with the IP address
113							$host =~ /\s/i; # any whitespace is questionable
114
115							# Let's assume it's an IP address now, and get it into 32 bits.
116							# Uf at any time something doesn't look like a number, then it's
117							# probably a hostname and we've already either whitelisted or
118							# blacklisted those, so we'll just say it's okay and it'll come
119							# back here later when the resolver finds an IP address.
120	19					75	my @parts = split(/\./, $host);
121	19	50				52	return 0 if @parts > 4;
122
123							# un-octal/un-hex the parts, or return if there's a non-numeric part
124	19					26	my $overflow_flag = 0;
125	19					32	foreach (@parts) {
126	45	100	100			243	return 0 unless /^\d+$/ \|\| /^0x[a-f\d]+$/;
127	41			0		229	local $SIG{__WARN__} = sub { $overflow_flag = 1; };
	0					0
128	41	100				271	$_ = oct($_) if /^0/;
129							}
130
131							# a purely numeric address shouldn't overflow.
132	15	50				42	return 1 if $overflow_flag;
133
134	15					15	my $addr; # network order packed IP address
135
136	15	100				60	if (@parts == 1) {
		100
		100
		100
137							# a - 32 bits
138	2	50				10	return 1 if
139							$parts[0] > 0xffffffff;
140	2					9	$addr = pack("N", $parts[0]);
141							} elsif (@parts == 2) {
142							# a.b - 8.24 bits
143	4	50	33			25	return 1 if
144							$parts[0] > 0xff \|\|
145							$parts[1] > 0xffffff;
146	4					17	$addr = pack("N", $parts[0] << 24 \| $parts[1]);
147							} elsif (@parts == 3) {
148							# a.b.c - 8.8.16 bits
149	1	50	33			13	return 1 if
			33
150							$parts[0] > 0xff \|\|
151							$parts[1] > 0xff \|\|
152							$parts[2] > 0xffff;
153	1					5	$addr = pack("N", $parts[0] << 24 \| $parts[1] << 16 \| $parts[2]);
154							} elsif (@parts == 4) {
155							# a.b.c.d - 8.8.8.8 bits
156	7	50	33			80	return 1 if
			33
			33
157							$parts[0] > 0xff \|\|
158							$parts[1] > 0xff \|\|
159							$parts[2] > 0xff \|\|
160							$parts[3] > 0xff;
161	7					41	$addr = pack("N", $parts[0] << 24 \| $parts[1] << 16 \| $parts[2] << 8 \| $parts[3]);
162							} else {
163	1					6	return 1;
164							}
165
166	14					45	my $haddr = unpack("N", $addr); # host order IP address
167	14	100	100			279	return 1 if
			100
			66
			66
			66
			100
			100
			100
			66
168							($haddr & 0xFF000000) == 0x00000000 \|\| # 0.0.0.0/8
169							($haddr & 0xFF000000) == 0x0A000000 \|\| # 10.0.0.0/8
170							($haddr & 0xFF000000) == 0x7F000000 \|\| # 127.0.0.0/8
171							($haddr & 0xFFF00000) == 0xAC100000 \|\| # 172.16.0.0/12
172							($haddr & 0xFFFF0000) == 0xA9FE0000 \|\| # 169.254.0.0/16
173							($haddr & 0xFFFF0000) == 0xC0A80000 \|\| # 192.168.0.0/16
174							($haddr & 0xFFFFFF00) == 0xC0000200 \|\| # 192.0.2.0/24 "TEST-NET" docs/example code
175							($haddr & 0xFFFFFF00) == 0xC0586300 \|\| # 192.88.99.0/24 6to4 relay anycast addresses
176							$haddr == 0xFFFFFFFF \|\| # 255.255.255.255
177							($haddr & 0xF0000000) == 0xE0000000; # multicast addresses
178
179							# as final IP address check, pass in the canonical a.b.c.d decimal form
180							# to the blacklisted host check to see if matches as bad there.
181	3					12	my $can_ip = join(".", map { ord } split //, $addr);
	12					29
182	3	100				13	return 1 if $self->_host_list_match("blocked_hosts", $can_ip);
183
184							# looks like an okay IP address
185	2					10	return 0;
186							}
187
188							1;
189							__END__