This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2018-04-10
I'm curious about the edn format. Is there a way to inject code in the edn format to be evaluated? Have any security issues cropped up?
@benzap that's the difference between clojure.core/read and clojure.edn/read
there's an optional read-eval for the one in core, clojure.edn eliminates that
Interesting, so the only way you could run erroneous code in the edn format is if you explicitly tell it to evaluate?
it's not erroneous per se, it's an explicit feature
we can't prove there are no code injection bugs, but afaik there are none known
+user=> (read-string "#=(+ 1 1)")
2
+user=> (clojure.edn/read-string "#=(+ 1 1)")
RuntimeException No dispatch macro for: = clojure.lang.Util.runtimeException (Util.java:221)
if you care about performance, interop with other languages, or extensibility, there's some advantages to using the cognitect/transit library instead of edn directly
That makes for a good test, I'm trying to develop some sort of a scripting language in clojure, and I'm trying to sandbox it. So far it reads in quoted values
Some background on clojure.core/read vs. the edn-limited version of read: http://clojuredocs.org/clojure.core/read
There is a *read-eval* dynamic var you can bind to false during calls to clojure.core/read, but if you are really reading from an untrusted/possibly-malicious source, I wouldn't count on it.
What does cljc stand for?
@caleb.macdonaldblack Pretty sure the c is for "conditional"
@rauh Ahh that makes sense. Cheers
http://planet.clojure.in/ seems to have lost its DNS
The c in cljc is for common @caleb.macdonaldblack @rauh
As in common to many platforms
It looks like slamhound isn't really maintained. Are there alternative namespace cleanup/linters out there that folks use regularly?
@brycecovert a lot of tools that are used regularly stop getting updated because they rely directly on clojure.core - the clojure.core apis are very stable, and if they aren't dealing with unstable interop it's easy to reach a point where it's effectively "done". There's nothing that's like slamhound but better maintained if that's what you hope to find.
clearly slamhound does have a lot of open issues though
Yeah, the regular stability of clojars at version 0.1.x is always surprising. However, it looks like there are some key features that are broken in slamhound for patterns popular in clojure 1.9 (https://github.com/technomancy/slamhound/issues/79)
Sounds like I just need to go fix it
@brycecovert official word from the author on #clojure on IRC: "it's resting" - haha
there we go.
Almost finished the first alpha of a stack-based scripting language in clojure https://i.imgur.com/IzG35TU.png