Clojure Keyword Example Security Problem

After reading this question, "Clojure security implications of creating a keyword from user data?", and in particular this answer, I am trying to find a case where I can demonstrate the problem in the REPL. Here is an attempt:

user> *clojure-version*
{:major 1, :minor 8, :incremental 0, :qualifier nil}
user> (def a (atom 0))
#'user/a
user> (defn bad-fn []
        (println "called ")
        (swap! a inc))
#'user/bad-fn
user> @a
0
user> (keyword "#=(bad-fn)")
:#=(bad-fn)
user> @a
0

How can I reproduce this problem?

+4
1 answer

The problem is not that calling keyword on a string will immediately execute any code embedded in the string, but that if you save the string representation of, say, (keyword "foo #=(println :bar)") to a file and then read that file back using read, you will end up executing the embedded code.

, read , , ( ) , keyword, .

clojure.edn ( 2010 , ) #=, , - , (keyword <arbitrary-string>) , . .

+6
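The mechanism in the answer, as an added example that is not part of the original question or answer: the keyword is inert, its printed form contains reader-eval syntax, and the defence is to read serialized data back with `*read-eval*` bound to false or with clojure.edn, both of which refuse `#=` instead of evaluating it. The counter, `bad-fn`, and the helper names `read-all-core`, `read-all-edn` and `safe-readback` are constructed for this example. Note the space inside the keyword name: the asker's string "#=(bad-fn)" has none, so the core reader tokenizes it back as the keyword `:#=` followed by an ordinary list `(bad-fn)` and nothing is evaluated; it is the space in the answer's "foo #=(println :bar)" that makes `#=(...)` a separate form on readback.

```clojure
(ns keyword-readback
  (:require [clojure.edn :as edn])
  (:import [java.io PushbackReader StringReader]))

;; Constructed for this example: a side effect we want NOT to happen.
(def counter (atom 0))
(defn bad-fn [] (swap! counter inc))

;; Step 1: building the keyword runs nothing; it is plain data.
;; The space is what separates "#=(bad-fn)" into its own form later.
(def k (keyword "foo #=(bad-fn)"))

;; Step 2: the printed representation now contains reader-eval syntax.
(def serialized (pr-str k))

;; Step 3 (unsafe, deliberately not executed here): feeding `serialized`
;; to clojure.core/read with the default *read-eval* (true) and reading
;; past the first form would evaluate (bad-fn). That is the answer's case.

;; Step 4: hardened readers. Each reads *every* form, as reading a whole
;; file would, and refuses #= rather than evaluating it.
(defn read-all-core
  "Read every form from s with clojure.core/read, *read-eval* disabled."
  [s]
  (let [rdr (PushbackReader. (StringReader. s))
        eof (Object.)]
    (binding [*read-eval* false]
      (loop [forms []]
        (let [form (read rdr false eof)]
          (if (identical? form eof)
            forms
            (recur (conj forms form))))))))

(defn read-all-edn
  "Read every form from s with clojure.edn/read, which has no #= at all."
  [s]
  (let [rdr (PushbackReader. (StringReader. s))
        eof (Object.)]
    (loop [forms []]
      (let [form (edn/read {:eof eof} rdr)]
        (if (identical? form eof)
          forms
          (recur (conj forms form)))))))

(defn safe-readback
  "Read s with reader fn f; return the forms, or the reader's refusal."
  [f s]
  (try {:forms (f s)}
       (catch Exception e {:refused (.getMessage e)})))

(comment
  ;; Both hardened readers return {:refused ...} for `serialized`:
  ;; core's reader rejects the EvalReader when *read-eval* is false,
  ;; and edn has no dispatch macro for `=`.
  (safe-readback read-all-core serialized)
  (safe-readback read-all-edn serialized)
  ;; The side effect never fires: @counter is unchanged.
  @counter)
```

For data that only needs to round-trip through Clojure syntax, clojure.edn is the simpler choice because the risk is absent by construction; binding `*read-eval*` to false is the fallback when clojure.core/read must be used, and the binding has to be in effect at the point where the file is actually read, not just where the keyword was created.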

Source: https://habr.com/ru/post/1667116/
