#off-topic
2021-12-17
emccue 04:12:16

Does anyone know/have a feel for what the current state of research is for specifically Java compiler error messages or who to reach out to for that?

hiredman 05:12:14

https://openjdk.java.net/jeps/358 is the most recent thing in that vein I am aware of. It isn't actually a Java compiler feature but a JVM feature that uses debugging information the compiler emits to create friendlier (from the Java perspective) null pointer errors

emccue 05:12:04

@U050G2TQJ since you are way more in that world than I am

emccue 05:12:50

@U0NCTKEV8 yeah but I'm thinking more in the realm of rust/elm “here is a visual representation of what error you made and here are some suggestions as to how to fix it”

leif 19:12:08

Perhaps Frank Tip (http://www.franktip.org/) or Jonathan Aldrich (https://www.cs.cmu.edu/~aldrich/) would be good people to reach out to.

leif 19:12:58

Personally I'm more familiar with compiler error design research in pedagogical, lisp, and FP spaces.

emccue 20:12:14

Thank you, I’ll reach out

Cora (she/her) 18:12:47

I really hope this isn't something that ends up being exploitable by untrusted users to DoS https://issues.apache.org/jira/browse/LOG4J2-3230

Cora (she/her) 18:12:06

because otherwise we'll be upgrading to 2.17 now as well

Cora (she/her) 18:12:56

it seems like you'd need to use a weird format string, as a developer, but at this point I'm just not counting on this not being exploitable somehow

seancorfield 19:12:10

It's quite a thread to read but after a couple of readings, I think I'm concluding that it is only exploitable on 2.16.0 if you change a pattern layout to include that string? But it sounds like it is more exploitable in earlier versions?

Cora (she/her) 19:12:37

it looks like things will keep on functioning in < 2.16 even if you're logging the suspect string?

seancorfield 19:12:09

FWIW, with simple substitutions:

(! 569)-> clojure -J-Dclojure.tools.logging.factory=clojure.tools.logging.impl/log4j2-factory -Sdeps '{:deps {org.apache.logging.log4j/log4j-core {:mvn/version "2.16.0"} org.clojure/tools.logging {:mvn/version "RELEASE"}}}' -M:rebel
[Rebel readline] Type :repl/help for online help info
user=> (require '[clojure.tools.logging :as ctl])
nil
user=> (ctl/error "${java:version}")
[user] {} ${java:version}
nil
user=> 

Fri Dec 17 11:40:52
(sean)-(jobs:0)-(~/clojure/fresh)
(! 570)-> clojure -J-Dclojure.tools.logging.factory=clojure.tools.logging.impl/log4j2-factory -Sdeps '{:deps {org.apache.logging.log4j/log4j-core {:mvn/version "2.15.0"} org.clojure/tools.logging {:mvn/version "RELEASE"}}}' -M:rebel
[Rebel readline] Type :repl/help for online help info
user=> (require '[clojure.tools.logging :as ctl])
nil
user=> (ctl/error "${java:version}")
[user] {} ${java:version}
nil
user=> 

Fri Dec 17 11:41:12
(sean)-(jobs:0)-(~/clojure/fresh)
(! 571)-> clojure -J-Dclojure.tools.logging.factory=clojure.tools.logging.impl/log4j2-factory -Sdeps '{:deps {org.apache.logging.log4j/log4j-core {:mvn/version "2.14.1"} org.clojure/tools.logging {:mvn/version "RELEASE"}}}' -M:rebel
[Rebel readline] Type :repl/help for online help info
user=> (require '[clojure.tools.logging :as ctl])
nil
user=> (ctl/error "${java:version}")
[user] {} Java version 17
nil
user=> 

seancorfield 19:12:33

(I hadn't known that was possible before this whole vuln broke the Internet!)

Ben Sless 06:12:10

It looks like a fork bomb

Ben Sless 06:12:39

Now here's an interesting notion, are there some generic properties of strings or format strings which can let you recognize these problems generically? Sort of "given these semantics, is this string pathological?" Further, "given these semantics, is a pathological string possible?"

seancorfield 06:12:16

It seems there's a new log4j exploit -- I've read one write-up of it but don't really understand what it is saying. Something about WebSockets and opening connections to localhost and targeting listening processes... I think from reading the article that it is an expansion of the surface area for the existing vulnerability and that it is blocked by 2.16.0 but it was a fairly poor article (so I won't link it here -- I want to wait until I've read a better write-up of it).

cp4n 22:12:48

What do people think is the quickest most straightforward path to a GUI app on desktop with Clojure? I know of JavaFx (but have never used) and the clj libraries I found for it look a bit old. Would electron with cljs and reagent be the way to go?

phronmophobic 23:12:23

What kind of GUI app?

cp4n 23:12:12

I want to make something that would utilize existing external APIs to trigger events in another running application at work. So it would basically be a couple of checkbox lists of things to select and then would make calls based on selection (maybe after that it could potentially write the history of events to a local file)

cp4n 23:12:25

I just didn't necessarily want to host it on a server, was thinking more of a personal desktop utility.

phronmophobic 23:12:34

If you're familiar with html/css/javascript, then cljs+reagent+electron is pretty reasonable. Have you done much html/css/cljs?

phronmophobic 23:12:28

I guess it also depends on if your APIs might be easier to use from the JVM

phronmophobic 23:12:57

I know cljfx is still actively maintained. I'm currently working on a pure Clojure cross-platform UI library called https://github.com/phronmophobic/membrane, but it's still in beta so there are some rough edges.

cp4n 23:12:33

It's simple POST HTTP stuff with a token auth step. I am newer to Clojure. Have yet to try CLJS yes but was definitely open to start playing around. This wasn't something I actually had to do at work, was just thinking it would potentially be a good pet project (so no client expecting anything here 😁 )

phronmophobic 23:12:38

yea, any http(s) based API will be well supported in cljs.

cp4n 23:12:58

Awesome. Membrane looks really cool BTW. Way lighter than an electron app I would imagine.

emccue 01:12:20

cljfx and seesaw for fx and swing respectively