I'm currently writing an application that accepts a series of Clojure forms; when they are evaluated, the results are returned in a list.
So, for example, the input would be:
(data "abc" :identifier)
(data "gee" :identifier)
(content "def" :identifier [1 2 3 4 5])
The functions in the backend basically just turn these into Clojure maps, e.g.
(defn data [text id]
  {:text text :id id})
(defn content [text id cont]
  {:text text :id id :cont cont})
The trouble is, the way that I am processing the code at the moment is by accepting the input with (-> input read-string eval)
and getting the contents accordingly. This is bad because anyone could just append a crafty (System/exit 1)
to the input and shut down the JVM.
Is there any way of 'whitelisting' the Clojure forms that can be executed in this step and blacklisting all of the nasty stuff? Or am I being too naive to use Clojure forms as a data input mechanism?
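One way to get the whitelisting the question asks for without calling eval at all, as an added example (not from the question or from Clojail): read the input with the EDN reader, which has no #= reader-eval, and dispatch each form's head symbol through an explicit map of allowed functions. The data and content functions are the ones from the question; the namespace name, allowed-ops, eval-form and eval-input are assumed names for this example.

```clojure
(ns sandbox.forms
  (:require [clojure.edn :as edn])
  (:import [java.io PushbackReader StringReader]))

;; Backend constructors as given in the question.
(defn data [text id]
  {:text text :id id})

(defn content [text id cont]
  {:text text :id id :cont cont})

;; Whitelist: head symbol -> function. Any symbol not listed here,
;; including System/exit, is rejected before anything is called.
(def allowed-ops
  {'data    data
   'content content})

(defn eval-form
  "Apply one whitelisted operation. Arguments are passed through as
   plain data and are never evaluated, so a nested (slurp ...) would
   just be stored as a list, not run."
  [form]
  (when-not (and (seq? form) (symbol? (first form)))
    (throw (ex-info "form must be a list headed by a symbol" {:form form})))
  (let [[op & args] form
        f (get allowed-ops op)]
    (when-not f
      (throw (ex-info (str "operation not allowed: " op) {:form form})))
    (apply f args)))

(defn eval-input
  "Read every form in the input string with clojure.edn (no #= reader
   eval, unlike read-string with *read-eval* left at its default) and
   evaluate each one through the whitelist, returning a vector of results."
  [input]
  (let [rdr (PushbackReader. (StringReader. input))]
    (loop [acc []]
      (let [form (edn/read {:eof ::eof} rdr)]
        (if (= form ::eof)
          acc
          (recur (conj acc (eval-form form))))))))

(comment
  ;; Accepted: only whitelisted heads with literal arguments.
  (eval-input "(data \"abc\" :identifier) (content \"def\" :identifier [1 2 3 4 5])")
  ;; Rejected with ex-info before any code runs.
  (eval-input "(data \"abc\" :identifier) (System/exit 1)"))
```

Because the result vector is built only from the return values of the whitelisted functions, a rejected form throws and nothing after it in the input is processed.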
Check out Clojail and its great video from the 2011 Clojure Conj!
You can interact with it on #clojure on irc.freenode.net and try to break through it if you would like :) It goes by the handle lazybot. It is also used on 4clojure.org.