Security related question regarding clojure REPLs:
When people mention the cool features of clojure, one of the advantages they mention is the ability of opening a production REPL and doing hotfixes instantly. Was there ever a documented case of a production REPL being hacked? I imagine that would be the most game over situation for that company.
I鈥檓 asking this question because I鈥檓 curious if this is something you should account for when building your application. This includes things like scoping secret management so they are only available during component initialization and then they become only available inside the components scope so you can鈥檛 even access them through the REPL. I鈥檓 not sure if this is even possible, because you still have access to System/getenv .
apart from opening the port to attackers, bringing dependencies (like e.g. nrepl) into your app always brings security considerations with it. all code has possible vulnerabilities, especially code that is supposed to network with someone from the outside.
I've worked at places that had REPLs in production. If you are running in a container and the port is only accessible by some form of opening a secure tunnel, then you've reduced the security concerns to "are my developer machines secure?" which is the same state we typically apply (for better or worse) to database access or access to cloud services which give you equivalent levels of access. Where I work now we do not have REPL access but that's not for security reasons, it's because it's not practical with the tools we use for deployment. A side note - it's now possible to REPL over a UNIX socket instead of a network socket. If you are doing anything with the REPL, it's worth switch to this method if you can. A UNIX socket can have user and group permissions for access, which greatly reduces the attack surface.
I would definitely not bind it to anything else then localhost
I was part of a talk about hacking, and i swear, the person presenting gave me the impression 99.9% of "hack" attempts are so silly simple that i sincerely doubt they would understand or be able to use a repl connection. now, that being said, the 0.1% of time, when someone would understand that attack threat, and is able to get to it, i have this feeling they aren't trying to target you, for a variety of reasons. I think its good to be paranoid, but i feel like it's worth having security layers, and i think most general networking protecting layers would insulate us the repl itself being something that needed extra protection. Do people agree or is there something special that needs to be done for a repl?
Let me know if this question is better asked someplace else
If someone has a REPL it's game over. There's no way to hide something inside the process (e.g within a lexical scope).
I have a video on my youtube channel where I recover some data from a lexical scope by REPLing into a live app.
I'd say listen on localhost on an unusual port and test that it's not exposed outside of your machine. Then SSH port forward to access it on your dev machine.
NB: you MUST set the port explicitly. nREPL chooses a random port by default which in theory means it's just a question of time before it decides to listen to a port which is exposed to the internet.
Once a hacker has code execution he can dump your process memory, spawn a reverse shell, escalate privileges etc. It's over.
I am not aware of anyone getting hacked; they鈥檇 probably be embarrassed to tell even if it happened In terms of implementing one line of security measures, it鈥檚 relatively easy to allow access to a specific port only from specific IP addresses, for example, on AWS (and other clouds).
You can always observe good practice of least privilege for the user you use to run your program
And follow security hardening guidelines for your databases
But if someone is in your repl you're going to have a bad time. It would be about limiting their ability to persist in your environment and exfiltrate data