Good Morning!

Good mornin

morning :)

@dominicm please don’t ask. Happened before I joined. Now we have to live with it.

So far as I can tell, gremlin at least doesn't have exec() or anything like SQL has which would let them pwn you. But I'm sure vendor extensions might break that.

mogge

good morning!

Morning

morning

morning!

Morning

@dominicm let me tell you that vendor extensions has so much more than that….

@slipset how do I become a customer? And do you have gpus attached in production or should I use a cpu-optimized crypto coin?

I’d go for the cpu-optimized one

@dominicm one of my best days at work was when I did a gremlin query which happened to contain System.exit(0) . That sparked a rather big re-architecture of our gremlin stuff.

That's one of the things some people use sci for: sandboxed execution without having access to System/exit etc.

@dominicm for your bitcoin business, you might want to consider targeting companies using mongo and clojure https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L87

😱

right, people need to get their shit together. This is not OK.

Also, nope https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L63

Right, well, I won't be touching monger.

Maybe make an issue there?

Well, it's by definition an evaluating thing.

There's some reduction of surface area, but any real fix would be deleting that code.

what is the reason for evaluation there?

question... who controls the hostname part of a domain name? the www.http://example.com part of the domain name.

@borkdude pre-edn I guess, maybe for trusted services.

I would like to have api.http://example.com on amazon, and www.http://example.com somewhere else.

@thomas your dns admin? :)

You can have those point to different places, no problem

yes, but they have no idea how to do that they say... rather strangely enough.

If you'd like to manage one on AWS and one somewhere else.

@thomas these are settings in your domain name provider admin panel

Then what you're looking for is "NS delegation" which allows a sub-domain to delegate all it's DNS to a different server.

ok, let me see if I can get to that.

thank you all

https://serverfault.com/questions/530415/what-is-dns-delegation SOA and NS is what you're looking for if you want AWS to be able to create http://foo.api.example.com, etc.

I've used this with hosted zones a lot to create dev areas with terraform that don't have to worry about what they're a part of.

I think there is room for a Clojure based security firm

I’m sure there are other vulnerabilities out there. Anyone done a thorough check of friend or buddy?

@dominicm what’s the problem with the print-dup I see it’s printing with a reader-eval, but how do you exploit that (since it’s only printing a date?) https://github.com/michaelklishin/monger/issues/59

@slipset re-defining print-dup for a type you don't own in a library is an anti-pattern

anti-patterns are different from security issues?

true

well, it could become a security issue if the print-dup does stuff you don't trust ;)

but then again, libraries can launch missiles if you don't watch out, so once you use them, you pretty much own them

Right, so maybe @dominicm was more commenting on the quality of the library more than a security concern.

I've seen other people do this for serializing types. It's unfortunate that many multi-methods don't support a pluggable hierarchy

The alternative would be to postwalk (or prewalk?) data yourself and not use print-dup

@borkdude Yeah, I didn't like either of those things.

Seeing the print-dup just made me extra grumpy :)

I'm on holiday so taking shots from the sofa is my thing now

I guess, quick, use grasp to see how many libraries call read-string.

yep, pretty easy to do

grasp . "#{'clojure.core/read-string}" am I doing it right? :)

@dominicm Are you going to run this over the entire clojars?

In that case I recommend using the JVM, since it's faster with lots of throughput. The spec: (g/seq 'read-string (s/+ any?))

.m2 would be a good start

It’s only core/read-string that’s a problem edn/read-string should be safe.

Just change this script: https://gist.github.com/borkdude/e6f0b12f9352f3375e5f3277d2aba6c9 It runs in 15 seconds over my entire .m2. Ok, for resolving to clojure.core/read-string, let me cook up a different spec.

@borkdude ^ yeah, I was trying to do a fully-qualified clojure.core

just a minute

I think what’s happening now is exactly why I love this channel.

I’m getting ready to submit some PR’s 🙂

> I'm more of a problems than a solutions kinda person. don't pull me into your prs ;)

I never conflate.

nor complect

Not even in my PRs

@borkdude how do you spec with a fully qualified var?

On more of a tangent. We use Hacker1 to constantly be pen-tested. Which is a lot better than being pen-tested once a year or something. But it’s still black-box pen testing. It would be interesting with a Clojure focussed white-box pen-testing company.

@slipset are you not constantly pwned with that gremlin issue?

No, because we’ve rearchitetured.

ah I see :)

@dominicm @slipset Just run as bash script. https://gist.github.com/borkdude/57984ca1df6c3cf8f302196cb37b0f43

In your .m2 for example

Each customer gets its own, sandboxed container which runs on 0.25 CPU and 1GB ram 🙂

So, bitcoin mining might not be so interesting, and they’re only capable of DOS’ing themselves.

there may be some false positives. feel free to report them in the grasp repo

2:18 $ /tmp/find_read_str.clj
Missing required argument for "-M ALIASES"

I think one problem currently is that it doesn't take into account :refer-clojure + exclude

maybe I’m on an old something

@slipset yes, upgrade

^Mjar:file:./repository/lein-shell/lein-shell/0.5.0/lein-shell-0.5.0.jar!/leiningen/shell.clj:42:20
(read-string lookup-str)
jar:file:./repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar!/nrepl/core.clj:152:25
(read-string value)

https://github.com/hypirion/lein-shell/blob/34333d066e344d2293d68ed9c668201195e54f18/src/leiningen/shell.clj#L42

That could’ve been a edn/read-string I guess.

https://github.com/dakrone/clj-http/blob/b670648a5943501db1de29eabeb7cb143f0b06fd/src/clj_http/client.clj#L445

ooooo

(this is an older version clj-http, this is probably fixed in a newer one)

hmm, no it's still there

But it’s inside a *read-eval* false

So it’s ok.

I guess

ring core middleware cookies also has it, but I guess we already saw this one? or was it with monger?

https://github.com/ring-clojure/ring/blob/5727d4dc8d8998653d4258fc275e6f711f63408d/ring-core/src/ring/middleware/cookies.clj#L51 This is old.

THat was monger

(fixed in: https://github.com/ring-clojure/ring/issues/53)

This file has lots of read-strings: https://github.com/cognitect-labs/aws-api/blob/master/src/cognitect/aws/shape.clj

But there you go, a read-string analyzer ;)

👋 @david.russell

A colleague!

@slipset Is Ardoq a remote company or is Dave Russell from Norway?

Hey folks! @borkdude I realized when you pointed me here that our interest in read-string must have come from the same place 😛

I live in Norway

Welcome @kkasidiaris! 👋

Καλημέρα!

dang... suddenly it is becoming very popular here.... welcome!

Good morning!

Christmas Break is finally here so I’ll try to stay away from phones and computers as much as possible. Happy holidays everyone and see you on the other side of the year :)

Happy holidays @orestis and thanks for airing your thoughts here!

I’m planning to look into deployment for clj-commons this Christmas.

My goal is to move it as much as possible off my computer and let circle take care of it.

My plan for Christmas is to try improve Calva.