#portal
2023-02-19
maxweber 16:02:44

Portal is awesome 🥳 @djblue thanks a lot for creating this great tool. We are currently making our domain model navigable with clojure.core.protocols.Navigable. This would also be very helpful to troubleshoot support cases on the production system. Of course only for authorized super admins 😄 However, does Portal eval client inputs somewhere, or can you think of anything else that yields a security risk, even behind a solid authentication and authorization layer?

❤️ 2
djblue 18:02:14

Portal doesn't have arbitrary eval. The host runtime exposes a set of vars that can be invoked. However, you can easily add eval as an invokable function which would then allow for arbitrary eval 😆

djblue 18:02:29

A bigger issue IMO would be forgetting to (remove-tap portal.api/submit), as that would lead to a memory leak for any tap>'d values.

djblue 19:02:37

In any case, getting access to arbitrary eval is easy enough that I would treat Portal as if it always has arbitrary eval.

👍 2
maxweber 20:02:25

Thanks a lot for your answers 🙂