On Oct 22, 1:30 pm, "Brett Morgan" <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am thinking about a potential architecture for a webapp where in the
> server gets s expressions posted from an ajax web client.
>
> From a security standpoint, the s expressions are coming from an untrusted
> computer, and thus are in need of careful vetting.
>
> With my java dev hat on, i'd move forward by building a lexer, a parser, and
> a tree walker to interpret the incoming datastream, with careful
> consideration to the various potential attacks a malicious user can submit.
>
> I understand the lisp way is to use the reader plus macros to interpret the
> incoming data stream. This is hella cool in that it seriously cuts down on
> the amount of development work I have to do. The reader is already done, and
> using macros to build the tree walker? And have them applied to a stm core?
> Very lightweight in comparison to what I'd do traditionally. Very cool.
>
> My concern is, what are the security considerations of this architectural
> choice? Do I have to worry about people submitting malformed s expressions?
> Submitting s expressions that contain data that expands out reader macros?
> Do I have to watch for any particular bad code practices in constructing the
> macros? How do I go about error recovery and reporting on bad input?
>
> Thanks in advance.
>
Hi Brett,
Yes, being able to use the clojure reader directly is really neat.
Some things you could do are:
- use a separate namespace for evaluation the expressions
and provide a clear interface between the core and the sexpressions
that you get.
- have a black or white list, and allow or reject the s-expression
based on this. For example you might want to disallow namespace
switching functions. E.g. below, I can't clobber defn as I am
in the 'user' namespace and 'defn' is in the clojure ns.
user=> (def defn :somethig-bad)
java.lang.Exception: Name conflict, can't def defn because
namespace: user refers to:#=(var clojure/defn) (NO_SOURCE_FILE:1)
user=>
Some other things you may want to reject expressions based on
are java interop and file IO.
This should basically be a find operation for a bunch of symbols
on the list before you give it to the reader 'read'
- Recently the #= reader macro was added. This makes the reader
do the evaluation before using the value. You may want to
disable this. E.g.
user=> #=(+ 1 1)
2
I am not sure how to disable this. There is a
similar thing #. in CL and it is important to disable it before
reading potentially unsafe expressions. Maybe Rich or someone
else can comment on how to disable this.
I suppose a lot of this is dictated by what you want to do with
the s-expressions.
Parth
> --
>
> Brett Morganhttp://brett.morgan.googlepages.com/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Clojure" group.
To post to this group, send email to clojure@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
-~----------~----~----~----~------~----~------~--~---
