Is there a safe way of using eval to unthaw Data::Dumper output in Perl?

Question

I have an object that uses freezes data as such:

sub frozen_data {
    my $self = shift;

    $Data::Dumper::Indent = 0;
    $Data::Dumper::Terse  = 1;
    return Data::Dumper->Dump( [ $self->{_DATA}, ] );
}

and a corresponding thaw:

sub thaw_data {
    my ($self) = @_;

    $self->{_DATA} = eval $self->{DATA};
}

this seems to work well, are there any issues with it? I also tried running this by perlcritic, and I get this:

Expression form of "eval" at line 69, column 22.  See page 161 of PBP.  (Severity: 5)

What's the better way to write this?

Answer 1

There's no way around it if you're thawing output from Data::Dumper. An alternative is Storable.

If you're accepting untrusted inputs and handing them unchecked to eval, you should immediately redesign this mechanism because it leaves the front door wide open. For marshalling internal data, I wouldn't sweat the warning.

Answer 2

You get around it by telling Perl Critic to STFU :)

 $self->{_DATA} = eval $self->{DATA}; ## no critic

Sometimes you need to do the thing that is only generally a bad practice.

Answer 3

As long as you know the only source of that data is the frozen data you yourself have created using Dumper, you're fine.

The alternative is to use something other than Dumper, such as Storable.

Answer 4

Decide what you want to allow or forbid and set up a Safe compartment and use its reval method.