Preventing Unauthorized Code Execution

I am currently writing an application that takes a series of Clojure forms, and when they are evaluated, the results are listed.

So, for example, the input would be:

    (data "abc" :identifier)
    (data "gee" :identifier)
    (content "def" :identifier [1 2 3 4 5])

The functions in the backend basically just turn them into Clojure maps, for example:

    (defn data [text id]
      {:text text :id id})

    (defn content [text id cont]
      {:text text :id id :cont cont})

The problem is that I am currently processing the code by taking the input through (-> input read-string eval) and getting the contents accordingly. This is bad because anyone can just add a tricky (System/exit 1) to the input and shut down the JVM.

Is there a way to "whitelist" Clojure forms that can be executed in this step and blacklist all the nasty things? Or am I too naive to use Clojure forms as a data entry mechanism?

+4
2 answers

If you only have a fixed whitelist of valid functions, you can easily build this yourself. Just use a map like {'data data, 'content content}, mapping symbols to allowed functions, and look up the first element of their form (which is the function to call) in the map. If it is there, it maps directly to the function you want to call, and you can pass it the rest of the form as arguments.

+4
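
The whitelist lookup this answer describes, as an added example that is not part of the original answer: forms are read with clojure.edn (swapped in here for the question's read-string, which can run code through the #= reader macro) and dispatched through the map without eval. The namespace and the helper names read-forms, literal?, run-form and run-input are hypothetical, and rejecting non-literal arguments is an extra strictness assumption.

```clojure
(ns example.safe-forms
  (:require [clojure.edn :as edn])
  (:import (java.io PushbackReader StringReader)))

;; The two backend functions from the question.
(defn data [text id] {:text text :id id})
(defn content [text id cont] {:text text :id id :cont cont})

;; Whitelist: head symbol of a form -> the function allowed to handle it.
(def allowed {'data data, 'content content})

(defn read-forms
  "Reads every top-level form in s as EDN data. Unlike clojure.core/read-string,
  the EDN reader has no #= read-eval macro, so reading never runs code."
  [s]
  (let [rdr (PushbackReader. (StringReader. s))]
    (doall (take-while #(not= ::eof %)
                       (repeatedly #(edn/read {:eof ::eof} rdr))))))

(defn literal?
  "True when x is plain data with no symbols or call forms at any depth."
  [x]
  (if (coll? x)
    (and (or (vector? x) (map? x) (set? x))
         (every? literal? (if (map? x) (mapcat identity x) x)))
    (not (symbol? x))))

(defn run-form
  "Dispatches one form through the whitelist; eval is never called."
  [form]
  (let [f (when (list? form) (get allowed (first form)))]
    (cond
      (nil? f) (throw (ex-info "Form is not a whitelisted call" {:form form}))
      (not (every? literal? (rest form)))
      (throw (ex-info "Arguments must be literal data" {:form form}))
      :else (apply f (rest form)))))

(defn run-input
  "Reads and runs all forms in s, returning a vector of results."
  [s]
  (mapv run-form (read-forms s)))

(comment
  ;; Constructed sample input: the forms from the question.
  (run-input "(data \"abc\" :identifier) (content \"def\" :identifier [1 2 3 4 5])")
  ;; System/exit is not a key of `allowed`, so run-form throws before any call.
  (run-input "(System/exit 1)"))
```

A whitelisted form with the wrong number of arguments still throws clojure.lang.ArityException, so callers should catch exceptions per form.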

Check out Clojail and its great video from the 2011 Clojure Conj!

You can interact with it on #clojure on irc.freenode.net and try to break it if you want: it goes by the handle lazybot. It is also used at 4clojure.org.

+6

Source: https://habr.com/ru/post/1399480/

