Do Lisp apps and webapps need special input sanitizing?
<p><strong>EDIT 3</strong> Quite a few new developments have happened since I asked this question. Basically I wasn't "seeing things": webapps written in Clojure have been found to be vulnerable, which prompted changes in Clojure 1.5 and a <em>very</em> heated discussion on the Clojure Google groups.</p>
<p>Here's a quote from someone on Hacker News about the changes in Clojure 1.5:</p>
<blockquote><p>Another slightly interesting thing is the sudden enhancement to read-eval and EDN[2]. That's mainly because of the rough weather Ruby/Rubygems was in with the YAML-exploits, which caused a heated discussion on how the Clojure reader should act by default.</p></blockquote>
<p>Holes have been found and it's too late to really fix Clojure, so <em>read-eval</em> shall still ship by default set to <em>true</em> (because otherwise it would break too many things). And anyone parsing inputs in Clojure should not use the default read functions but the EDN ones.</p>
<p>So I certainly wasn't seeing things, and it didn't take long (not even 18 months) for people to find ways to attack common Clojure webapp stacks.</p>
<p><strong>EDIT 2</strong> I didn't know it, but my question is a dupe of the following question (which has been described as a 'killer question'): <a href="https://stackoverflow.com/questions/3000193">Lisp data security/validation</a></p>
<p>If anyone's interested in the answer(s) to this question, I'd suggest they open the above question and read the answers made there by Lisp gurus instead of the ones of the type <em>"nothing to see here, move along, it's just like PHP or JavaScript"</em>.</p>
<p><strong>EDIT</strong>: I'd like to know if, somehow, because it is Lisp, it would be "easier" for an attacker to transform "data" (i.e. "crafted user input with a malicious intent") into "code". For example, do I need to escape/replace all the parentheses in the user input before starting to "evaluate" / parse or whatever the data?</p>
<p><strong>Original question</strong></p>
<p>I'm still reading about Lisp and suddenly I was wondering, with this entire "code is data" / "data is code" thing, do Lisp apps need to perform input sanitizing in order to prevent attacks?</p>
<p>I was thinking specifically of webapps, say when a user does some HTTP POST.</p>
<p>What if the data he's sending contains things like:</p>
<pre><code>This is some malicious (eval '(nasty-stuff (...)) or whatever. </code></pre>
<p><em>(I'm no Lisp programmer, it's just an example of what I've got in mind, it's not meant to be actually mean code)</em></p>
<p>Is there anything special to keep in mind due to how Lisp works? For example, if some dark-side hacker knew that some webserver was running on Clojure, could he exploit that fact and then inject "code between parentheses" that would then be evaluated on the webserver?</p>
<p>Is this a concern at all when receiving/parsing user data (and hence potentially crafted data) from Lisp?</p>
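The point the question's EDIT 3 arrives at (use the EDN reader, not the default read functions, on untrusted input) is easy to see side by side. The following is an added example, not code from the question or from any answer on the page, and the input strings are constructed for the demonstration. It shows why parentheses themselves are not the problem: <code>clojure.core/read-string</code> only turns text into data, but it also honours the <code>#=</code> reader macro, which evaluates the following form at read time whenever <code>*read-eval*</code> is bound to <code>true</code> (the default the edit refers to). <code>clojure.edn/read-string</code> implements the EDN data grammar only, has no <code>#=</code> dispatch macro, and rejects the same input. The function names <code>unsafe-parse</code>, <code>safe-parse</code> and <code>demo</code> are this example's own.

```clojure
(ns sanitize-demo
  (:require [clojure.edn :as edn]))

;; Constructed benign input: a plain EDN map a webapp might legitimately accept.
(def benign-input "{:name \"alice\" :age 30}")

;; Constructed hostile input: the #= reader macro makes clojure.core's reader
;; evaluate the enclosed form while reading, before any "eval" in the app.
;; The payload here is deliberately harmless (it reads a JVM system property).
(def hostile-input "#=(java.lang.System/getProperty \"user.name\")")

(defn unsafe-parse
  "Parses with clojure.core/read-string. Under the default *read-eval* binding
   (true), a #=(...) form in the input is evaluated during reading, so an
   attacker who controls the string controls what runs on the server."
  [s]
  (read-string s))

(defn safe-parse
  "Parses with clojure.edn/read-string, which only knows the EDN data grammar:
   no #= macro, no eval hook, so the input can only ever become data."
  [s]
  (edn/read-string s))

(defn demo
  "Runs both readers over both inputs and returns the outcomes as a map."
  []
  {;; Both readers agree on ordinary data.
   :unsafe-benign  (unsafe-parse benign-input)   ; {:name "alice", :age 30}
   :safe-benign    (safe-parse benign-input)     ; {:name "alice", :age 30}
   ;; The default reader runs the payload and returns its result (the OS user name).
   :unsafe-hostile (unsafe-parse hostile-input)
   ;; The EDN reader refuses: RuntimeException "No dispatch macro for: ="
   :safe-hostile   (try (safe-parse hostile-input)
                        (catch RuntimeException e (.getMessage e)))
   ;; Binding *read-eval* to false also blocks it, but only for code that
   ;; remembers to bind it; the EDN reader needs no such discipline.
   :read-eval-off  (try (binding [*read-eval* false] (read-string hostile-input))
                        (catch RuntimeException e (.getMessage e)))})

(comment
  (demo))
```

The takeaway for the question as asked: escaping parentheses buys nothing, because a balanced list is just a list until something reads or evaluates it; what matters is which reader touches the untrusted bytes and whether anything ever calls <code>eval</code> on the result.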