This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-01-23
Channels
- # announcements (3)
- # architecture (10)
- # babashka (37)
- # beginners (69)
- # calva (2)
- # cider (10)
- # clerk (22)
- # clj-kondo (33)
- # cljdoc (44)
- # clojure (45)
- # clojure-conj (4)
- # clojure-denmark (7)
- # clojure-europe (14)
- # clojure-nl (1)
- # clojure-norway (5)
- # clojure-uk (4)
- # clojurescript (10)
- # clr (19)
- # conjure (1)
- # emacs (28)
- # events (1)
- # fulcro (1)
- # jobs (1)
- # joyride (1)
- # lsp (18)
- # malli (30)
- # membrane (3)
- # off-topic (23)
- # pathom (45)
- # portal (29)
- # proletarian (7)
- # rdf (15)
- # re-frame (21)
- # reagent (2)
- # releases (6)
- # remote-jobs (1)
- # reveal (6)
- # shadow-cljs (36)
- # slack-help (7)
- # sql (5)
- # tools-deps (3)
> so on a scale of 1-100, how bad of an idea is it to just make my “execute job” do a requiring-resolve? I’d say not so bad. The first time it’s run in the JVM process’s lifetime, it’ll take somewhere in the 10s or 100s of milliseconds, depending on how much code must be compiled during the require. After that it’s 0 milliseconds. I actually do something like that in my web route handlers without worrying too much about the speed penalty.
I figured that the security implications of having one db table basically allowing <totally arbitrary> RCE wasn't amazing, so I put a restriction that the resolved var at least needing to have been marked with ^:background-job
on its metadata
(defn handle-job!
[system job-type payload]
(let [function-var (requiring-resolve (symbol job-type))]
;; This is to make it so that if someone inserts an arbitrary job
;; by accident or malice, it isn't truly arbitrary code execution
;; like submitting "eval" as a background job.
(when-not (:background-job (meta function-var))
(throw (Exception.
(str "only functions marked as background jobs can be run. " job-type))))
(function-var system payload)))