#clojure-europe
2020-12-23
dharrigan06:12:58

Good Morning!

synthomat06:12:24

Good mornin

slipset08:12:34

@dominicm please don’t ask. Happened before I joined. Now we have to live with it.

dominicm08:12:53

So far as I can tell, gremlin at least doesn't have exec() or anything like SQL has which would let them pwn you. But I'm sure vendor extensions might break that.

hequ08:12:26

good morning!

slipset09:12:59

@dominicm let me tell you that vendor extensions have so much more than that…

dominicm09:12:50

@slipset how do I become a customer? And do you have gpus attached in production or should I use a cpu-optimized crypto coin?

slipset09:12:18

I’d go for the cpu-optimized one

slipset09:12:01

@dominicm one of my best days at work was when I did a gremlin query which happened to contain System.exit(0). That sparked a rather big re-architecture of our gremlin stuff.

😂 9
borkdude09:12:25

That's one of the things some people use sci for: sandboxed execution without having access to System/exit etc.

slipset10:12:12

@dominicm for your bitcoin business, you might want to consider targeting companies using mongo and clojure https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L87

dominicm10:12:14

right, people need to get their shit together. This is not OK.

dominicm10:12:51

Right, well, I won't be touching monger.

borkdude10:12:13

Maybe make an issue there?

dominicm10:12:04

Well, it's by definition an evaluating thing.

dominicm10:12:23

There's some reduction of surface area, but any real fix would be deleting that code.

borkdude10:12:07

what is the reason for evaluation there?

thomas10:12:48

question... who controls the hostname part of a domain name? the www.example.com part of the domain name.

dominicm10:12:09

@borkdude pre-edn I guess, maybe for trusted services.

thomas10:12:38

I would like to have api.example.com on amazon, and www.example.com somewhere else.

dominicm10:12:39

@thomas your dns admin? :)

dominicm10:12:58

You can have those point to different places, no problem

thomas10:12:06

yes, but they have no idea how to do that they say... rather strangely enough.

dominicm10:12:12

If you'd like to manage one on AWS and one somewhere else.

borkdude10:12:13

@thomas these are settings in your domain name provider admin panel

dominicm10:12:31

Then what you're looking for is "NS delegation" which allows a sub-domain to delegate all its DNS to a different server.

thomas10:12:38

ok, let me see if I can get to that.

thomas10:12:42

thank you all

dominicm10:12:21

https://serverfault.com/questions/530415/what-is-dns-delegation SOA and NS is what you're looking for if you want AWS to be able to create foo.api.example.com, etc.

dominicm10:12:44

I've used this with hosted zones a lot to create dev areas with terraform that don't have to worry about what they're a part of.

slipset10:12:44

I think there is room for a Clojure based security firm

slipset10:12:59

I’m sure there are other vulnerabilities out there. Anyone done a thorough check of friend or buddy?

slipset10:12:44

@dominicm what’s the problem with the print-dup? I see it’s printing with a reader-eval, but how do you exploit that (since it’s only printing a date)? https://github.com/michaelklishin/monger/issues/59

borkdude10:12:25

@slipset re-defining print-dup for a type you don't own in a library is an anti-pattern

slipset10:12:57

anti-patterns are different from security issues?

borkdude10:12:30

well, it could become a security issue if the print-dup does stuff you don't trust ;)

borkdude10:12:01

but then again, libraries can launch missiles if you don't watch out, so once you use them, you pretty much own them

slipset10:12:33

Right, so maybe @dominicm was more commenting on the quality of the library more than a security concern.

borkdude10:12:24

I've seen other people do this for serializing types. It's unfortunate that many multi-methods don't support a pluggable hierarchy

borkdude10:12:58

The alternative would be to postwalk (or prewalk?) data yourself and not use print-dup

dominicm10:12:24

@borkdude Yeah, I didn't like either of those things.

dominicm10:12:36

Seeing the print-dup just made me extra grumpy :)

dominicm10:12:45

I'm on holiday so taking shots from the sofa is my thing now

dominicm11:12:53

I guess, quick, use grasp to see how many libraries call read-string.

borkdude11:12:15

yep, pretty easy to do

dominicm11:12:34

grasp . "#{'clojure.core/read-string}" am I doing it right? :)

borkdude11:12:57

@dominicm Are you going to run this over the entire clojars?

borkdude11:12:41

In that case I recommend using the JVM, since it's faster with lots of throughput. The spec: (g/seq 'read-string (s/+ any?))

slipset11:12:46

.m2 would be a good start

slipset11:12:26

It’s only core/read-string that’s a problem; edn/read-string should be safe.

borkdude11:12:55

Just change this script: https://gist.github.com/borkdude/e6f0b12f9352f3375e5f3277d2aba6c9 It runs in 15 seconds over my entire .m2. Ok, for resolving to clojure.core/read-string, let me cook up a different spec.

dominicm11:12:08

@borkdude ^ yeah, I was trying to do a fully-qualified clojure.core

borkdude11:12:40

just a minute

slipset11:12:13

I think what’s happening now is exactly why I love this channel.

slipset11:12:43

I’m getting ready to submit some PR’s 🙂

dominicm11:12:38

> I'm more of a problems than a solutions kinda person. don't pull me into your prs ;)

slipset11:12:05

I never conflate.

slipset11:12:11

nor complect

slipset11:12:15

Not even in my PRs

dominicm11:12:32

@borkdude how do you spec with a fully qualified var?

slipset11:12:19

On more of a tangent. We use Hacker1 to constantly be pen-tested. Which is a lot better than being pen-tested once a year or something. But it’s still black-box pen testing. It would be interesting to have a Clojure-focussed white-box pen-testing company.

dominicm11:12:49

@slipset are you not constantly pwned with that gremlin issue?

slipset11:12:11

No, because we’ve re-architected.

dominicm11:12:36

ah I see :)

borkdude11:12:13

In your .m2 for example

slipset11:12:21

Each customer gets its own, sandboxed container which runs on 0.25 CPU and 1GB ram 🙂

slipset11:12:55

So, bitcoin mining might not be so interesting, and they’re only capable of DOS’ing themselves.

borkdude11:12:28

there may be some false positives. feel free to report them in the grasp repo

slipset11:12:17

2:18 $ /tmp/find_read_str.clj
Missing required argument for "-M ALIASES"

borkdude11:12:24

I think one problem currently is that it doesn't take into account :refer-clojure + exclude

slipset11:12:35

maybe I’m on an old something

borkdude11:12:46

jar:file:./repository/lein-shell/lein-shell/0.5.0/lein-shell-0.5.0.jar!/leiningen/shell.clj:42:20
(read-string lookup-str)
jar:file:./repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar!/nrepl/core.clj:152:25
(read-string value)

slipset11:12:53

That could’ve been a edn/read-string I guess.

borkdude11:12:23

(this is an older version of clj-http, this is probably fixed in a newer one)

borkdude11:12:53

hmm, no it's still there

slipset11:12:19

But it’s inside a *read-eval* false

slipset11:12:23

So it’s ok.

borkdude11:12:22

ring core middleware cookies also has it, but I guess we already saw this one? or was it with monger?

slipset11:12:43

That was monger

borkdude11:12:19

But there you go, a read-string analyzer ;)

slipset13:12:52

A colleague!

borkdude13:12:11

@slipset Is Ardoq a remote company or is Dave Russell from Norway?

Dave Russell13:12:10

Hey folks! @borkdude I realized when you pointed me here that our interest in read-string must have come from the same place 😛

Dave Russell13:12:14

I live in Norway

👋 9
orestis13:12:43

Καλημέρα! (Good morning!)

p-himik14:12:20

Καλημέρα (Good morning). :) Was surprised to see Greek in here. I live in Cyprus myself now (although I'm not Greek myself).

orestis15:12:20

There’s #clojure-greece with a few members but it’s usually quiet

p-himik15:12:17

I imagine #clojure-cyprus would have only me. :D But that's OK. Maybe I'll join that one once I learn Greek to at least some extent. :)

otfrom16:12:10

surely a Καλημέρα in #clojure-greece a day would start to get things going

😄 3
orestis16:12:24

I’m actually living in Denmark so perhaps I should go in #clojure-denmark

otfrom18:12:20

:why not both gif:

thomas14:12:13

dang... suddenly it is becoming very popular here.... welcome!

pez14:12:53

Good morning!

🌅 3
orestis18:12:17

Christmas Break is finally here so I’ll try to stay away from phones and computers as much as possible. Happy holidays everyone and see you on the other side of the year :)

slipset18:12:32

Happy holidays @orestis and thanks for airing your thoughts here!

slipset18:12:14

I’m planning to look into deployment for clj-commons this Christmas.

slipset18:12:46

My goal is to move it as much as possible off my computer and let circle take care of it.

pez19:12:37

My plan for Christmas is to try improve Calva.

calva 15
👍 3