This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
- # adventofcode (135)
- # announcements (9)
- # babashka (27)
- # beginners (97)
- # bristol-clojurians (8)
- # calva (7)
- # chlorine-clover (1)
- # cider (3)
- # clara (16)
- # clj-kondo (9)
- # cljdoc (137)
- # clojars (4)
- # clojure (110)
- # clojure-europe (118)
- # clojure-taiwan (8)
- # clojure-uk (19)
- # clojurescript (30)
- # conjure (6)
- # cryogen (32)
- # datomic (11)
- # depstar (1)
- # duct (4)
- # emacs (6)
- # fulcro (73)
- # graalvm (9)
- # keechma (7)
- # leiningen (16)
- # luminus (1)
- # malli (35)
- # meander (3)
- # off-topic (45)
- # pathom (1)
- # pedestal (2)
- # re-frame (3)
- # reagent (31)
- # reitit (2)
- # reveal (17)
- # shadow-cljs (34)
- # tools-deps (11)
- # xtdb (14)
So far as I can tell, gremlin at least doesn't have exec() or anything like SQL has which would let them pwn you. But I'm sure vendor extensions might break that.
@slipset how do I become a customer? And do you have gpus attached in production or should I use a cpu-optimized crypto coin?
@dominicm one of my best days at work was when I did a gremlin query which happened to contain
System.exit(0) . That sparked a rather big re-architecture of our gremlin stuff.
That's one of the things some people use sci for: sandboxed execution without having access to System/exit etc.
@dominicm for your bitcoin business, you might want to consider targeting companies using mongo and clojure https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L87
Also, nope https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L63
There's some reduction of surface area, but any real fix would be deleting that code.
question... who controls the hostname part of a domain name? the www.http://example.com part of the domain name.
I would like to have api.http://example.com on amazon, and www.http://example.com somewhere else.
Then what you're looking for is "NS delegation" which allows a sub-domain to delegate all it's DNS to a different server.
https://serverfault.com/questions/530415/what-is-dns-delegation SOA and NS is what you're looking for if you want AWS to be able to create http://foo.api.example.com, etc.
I've used this with hosted zones a lot to create dev areas with terraform that don't have to worry about what they're a part of.
I’m sure there are other vulnerabilities out there. Anyone done a thorough check of friend or buddy?
@dominicm what’s the problem with the
print-dup I see it’s printing with a reader-eval, but how do you exploit that (since it’s only printing a date?)
@slipset re-defining print-dup for a type you don't own in a library is an anti-pattern
well, it could become a security issue if the print-dup does stuff you don't trust ;)
but then again, libraries can launch missiles if you don't watch out, so once you use them, you pretty much own them
Right, so maybe @dominicm was more commenting on the quality of the library more than a security concern.
I've seen other people do this for serializing types. It's unfortunate that many multi-methods don't support a pluggable hierarchy
The alternative would be to postwalk (or prewalk?) data yourself and not use print-dup
In that case I recommend using the JVM, since it's faster with lots of throughput.
(g/seq 'read-string (s/+ any?))
Just change this script: https://gist.github.com/borkdude/e6f0b12f9352f3375e5f3277d2aba6c9 It runs in 15 seconds over my entire .m2. Ok, for resolving to clojure.core/read-string, let me cook up a different spec.
> I'm more of a problems than a solutions kinda person. don't pull me into your prs ;)
On more of a tangent. We use Hacker1 to constantly be pen-tested. Which is a lot better than being pen-tested once a year or something. But it’s still black-box pen testing. It would be interesting with a Clojure focussed white-box pen-testing company.
@dominicm @slipset Just run as bash script. https://gist.github.com/borkdude/57984ca1df6c3cf8f302196cb37b0f43
So, bitcoin mining might not be so interesting, and they’re only capable of DOS’ing themselves.
I think one problem currently is that it doesn't take into account :refer-clojure + exclude
^Mjar:file:./repository/lein-shell/lein-shell/0.5.0/lein-shell-0.5.0.jar!/leiningen/shell.clj:42:20 (read-string lookup-str) jar:file:./repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar!/nrepl/core.clj:152:25 (read-string value)
ring core middleware cookies also has it, but I guess we already saw this one? or was it with monger?
https://github.com/ring-clojure/ring/blob/5727d4dc8d8998653d4258fc275e6f711f63408d/ring-core/src/ring/middleware/cookies.clj#L51 This is old.
This file has lots of read-strings: https://github.com/cognitect-labs/aws-api/blob/master/src/cognitect/aws/shape.clj
Hey folks! @borkdude I realized when you pointed me here that our interest in
read-string must have come from the same place 😛
I live in Norway
Welcome @kkasidiaris! 👋
Καλημέρα. :) Was surprised to see Greek in here. I live in Cyprus myself now (although I'm not Greek myself).
I imagine #clojure-cyprus would have only me. :D But that's OK. Maybe I'll join that one once I learn Greek to at least some extent. :)
Christmas Break is finally here so I’ll try to stay away from phones and computers as much as possible. Happy holidays everyone and see you on the other side of the year :)
My goal is to move it as much as possible off my computer and let circle take care of it.