#clojure
2018-04-10
benzap00:04:25

I'm curious about the edn format. Is there a way to inject code in the edn format to be evaluated? Have any security issues cropped up?

noisesmith00:04:19

@benzap that's the difference between clojure.core/read and clojure.edn/read

noisesmith00:04:39

there's an optional read-eval for the one in core, clojure.edn eliminates that

benzap00:04:48

Interesting, so the only way you could run erroneous code in the edn format is if you explicitly tell it to evaluate?

noisesmith00:04:07

it's not erroneous per se, it's an explicit feature

noisesmith00:04:27

we can't prove there are no code injection bugs, but afaik there are none known

noisesmith00:04:35

user=> (read-string "#=(+ 1 1)")
2
user=> (clojure.edn/read-string "#=(+ 1 1)")
RuntimeException No dispatch macro for: =  clojure.lang.Util.runtimeException (Util.java:221)

noisesmith00:04:36

if you care about performance, interop with other languages, or extensibility, there's some advantages to using the cognitect/transit library instead of edn directly

benzap00:04:12

That makes for a good test, I'm trying to develop some sort of a scripting language in clojure, and I'm trying to sandbox it. So far it reads in quoted values

benzap00:04:39

it failed the #=(+ 1 1) value, so maybe I'll have to pass it through the edn reader

andy.fingerhut00:04:55

Some background on clojure.core/read vs. the edn-limited version of read: http://clojuredocs.org/clojure.core/read

πŸ‘ 4
andy.fingerhut01:04:36

There is a *read-eval* dynamic var you can bind to false during calls to clojure.core/read, but if you are really reading from an untrusted/possibly-malicious source, I wouldn't count on it.

caleb.macdonaldblack07:04:16

What does cljc stand for?

rauh07:04:02

@caleb.macdonaldblack Pretty sure the c is for "conditional"

caleb.macdonaldblack07:04:50

@rauh Ahh that makes sense. Cheers

thomas07:04:03

http://planet.clojure.in/ seems to have lost its DNS

thomas07:04:23

@bg Are you aware of this?

Alex Miller (Clojure team)12:04:41

As in common to many platforms

notid17:04:24

It looks like slamhound isn’t really maintained. Are there alternative namespace cleanup/linters out there that folks use regularly?

noisesmith18:04:14

@brycecovert a lot of tools that are used regularly stop getting updated because they rely directly on clojure.core - the clojure.core apis are very stable, and if they aren't dealing with unstable interop it's easy to reach a point where it's effectively "done". There's nothing that's like slamhound but better maintained if that's what you hope to find.

noisesmith18:04:17

clearly slamhound does have a lot of open issues though

notid18:04:39

Yeah, the regular stability of clojars at version 0.1.x is always surprising. However, it looks like there are some key features that are broken in slamhound for patterns popular in clojure 1.9 (https://github.com/technomancy/slamhound/issues/79)

notid18:04:02

Sounds like I just need to go fix it 🙂

noisesmith18:04:37

@brycecovert official word from the author on #clojure on IRC: "it's resting" - haha

notid18:04:51

there we go. 😉

benzap22:04:32

Almost finished the first alpha of a stack-based scripting language in clojure https://i.imgur.com/IzG35TU.png

benzap22:04:13

Why you ask? I don't know why

😂 12
benzap22:04:54

It actually runs on the edn-format, so it could be used to make a sandboxed terminal for requests, extending it is super easy