clojure-europe

For people in Europe... or elsewhere... UGT https://indieweb.org/Universal_Greeting_Time
dharrigan 2020-12-23T06:50:58.211500Z

Good Morning!

synthomat 2020-12-23T06:53:24.211800Z

Good mornin

dominicm 2020-12-23T08:02:53.211900Z

morning :)

slipset 2020-12-23T08:06:34.213200Z

@dominicm please don’t ask. Happened before I joined. Now we have to live with it.

dominicm 2020-12-23T08:12:53.213300Z

So far as I can tell, gremlin at least doesn't have exec() or anything like SQL has which would let them pwn you. But I'm sure vendor extensions might break that.

thomas 2020-12-23T08:19:44.213500Z

mogge

hequ 2020-12-23T08:25:26.213700Z

good morning!

2020-12-23T08:35:03.213900Z

Morning

raymcdermott 2020-12-23T08:41:43.214200Z

morning

borkdude 2020-12-23T08:52:44.214400Z

morning!

jasonbell 2020-12-23T08:54:04.214600Z

Morning

slipset 2020-12-23T09:34:59.215200Z

@dominicm let me tell you that vendor extensions have so much more than that….

dominicm 2020-12-23T09:35:50.216900Z

@slipset how do I become a customer? And do you have GPUs attached in production or should I use a CPU-optimized crypto coin?

slipset 2020-12-23T09:36:18.217200Z

I’d go for the CPU-optimized one

slipset 2020-12-23T09:43:01.219500Z

@dominicm one of my best days at work was when I did a gremlin query which happened to contain System.exit(0). That sparked a rather big re-architecture of our gremlin stuff.

borkdude 2020-12-23T09:54:25.220100Z

That's one of the things some people use sci for: sandboxed execution without having access to System/exit etc.

slipset 2020-12-23T10:05:12.221100Z

@dominicm for your bitcoin business, you might want to consider targeting companies using mongo and clojure https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L87

dominicm 2020-12-23T10:14:01.221400Z

😱

dominicm 2020-12-23T10:14:14.221500Z

right, people need to get their shit together. This is not OK.

dominicm 2020-12-23T10:14:51.221800Z

Right, well, I won't be touching monger.

borkdude 2020-12-23T10:17:13.222500Z

Maybe make an issue there?

dominicm 2020-12-23T10:18:04.222600Z

Well, it's by definition an evaluating thing.

dominicm 2020-12-23T10:18:23.222700Z

There's some reduction of surface area, but any real fix would be deleting that code.

borkdude 2020-12-23T10:19:07.222900Z

what is the reason for evaluation there?

thomas 2020-12-23T10:19:48.223500Z

question... who controls the hostname part of a domain name? the www.example.com part of the domain name.

dominicm 2020-12-23T10:20:09.224100Z

@borkdude pre-edn I guess, maybe for trusted services.

thomas 2020-12-23T10:20:38.224700Z

I would like to have api.example.com on amazon, and www.example.com somewhere else.

dominicm 2020-12-23T10:20:39.224800Z

@thomas your dns admin? :)

dominicm 2020-12-23T10:20:58.225200Z

You can have those point to different places, no problem

thomas 2020-12-23T10:21:06.225600Z

yes, but they have no idea how to do that they say... rather strangely enough.

dominicm 2020-12-23T10:21:12.225800Z

If you'd like to manage one on AWS and one somewhere else.

borkdude 2020-12-23T10:21:13.225900Z

@thomas these are settings in your domain name provider admin panel

dominicm 2020-12-23T10:21:31.226200Z

Then what you're looking for is "NS delegation" which allows a sub-domain to delegate all its DNS to a different server.

thomas 2020-12-23T10:21:38.226300Z

ok, let me see if I can get to that.

thomas 2020-12-23T10:21:42.226500Z

thank you all

dominicm 2020-12-23T10:22:21.226600Z

https://serverfault.com/questions/530415/what-is-dns-delegation SOA and NS are what you're looking for if you want AWS to be able to create foo.api.example.com, etc.

dominicm 2020-12-23T10:22:44.226800Z

I've used this with hosted zones a lot to create dev areas with terraform that don't have to worry about what they're a part of.

slipset 2020-12-23T10:30:44.227100Z

I think there is room for a Clojure based security firm

slipset 2020-12-23T10:31:59.227900Z

I’m sure there are other vulnerabilities out there. Anyone done a thorough check of friend or buddy?

slipset 2020-12-23T10:33:44.229200Z

@dominicm what’s the problem with the print-dup? I see it’s printing with a reader-eval, but how do you exploit that (since it’s only printing a date)? https://github.com/michaelklishin/monger/issues/59

borkdude 2020-12-23T10:34:25.229800Z

@slipset re-defining print-dup for a type you don't own in a library is an anti-pattern

slipset 2020-12-23T10:34:57.230100Z

anti-patterns are different from security issues?

borkdude 2020-12-23T10:35:09.230300Z

true

borkdude 2020-12-23T10:35:30.230700Z

well, it could become a security issue if the print-dup does stuff you don't trust ;)

borkdude 2020-12-23T10:36:01.231300Z

but then again, libraries can launch missiles if you don't watch out, so once you use them, you pretty much own them

slipset 2020-12-23T10:36:33.232300Z

Right, so maybe @dominicm was more commenting on the quality of the library more than a security concern.

borkdude 2020-12-23T10:37:24.233Z

I've seen other people do this for serializing types. It's unfortunate that many multi-methods don't support a pluggable hierarchy

borkdude 2020-12-23T10:37:58.233500Z

The alternative would be to postwalk (or prewalk?) data yourself and not use print-dup

dominicm 2020-12-23T10:49:24.233800Z

@borkdude Yeah, I didn't like either of those things.

dominicm 2020-12-23T10:49:36.233900Z

Seeing the print-dup just made me extra grumpy :)

dominicm 2020-12-23T10:49:45.234Z

I'm on holiday so taking shots from the sofa is my thing now

dominicm 2020-12-23T11:00:53.234700Z

I guess, quick, use grasp to see how many libraries call read-string.

borkdude 2020-12-23T11:03:15.234900Z

yep, pretty easy to do

dominicm 2020-12-23T11:06:34.235Z

grasp . "#{'clojure.core/read-string}" am I doing it right? :)

borkdude 2020-12-23T11:06:57.235500Z

@dominicm Are you going to run this over the entire clojars?

borkdude 2020-12-23T11:07:41.236700Z

In that case I recommend using the JVM, since it's faster with lots of throughput. The spec: (g/seq 'read-string (s/+ any?))

slipset 2020-12-23T11:07:46.236800Z

.m2 would be a good start

slipset 2020-12-23T11:08:26.238Z

It’s only core/read-string that’s a problem; edn/read-string should be safe.

borkdude 2020-12-23T11:08:55.238500Z

Just change this script: https://gist.github.com/borkdude/e6f0b12f9352f3375e5f3277d2aba6c9 It runs in 15 seconds over my entire .m2. Ok, for resolving to clojure.core/read-string, let me cook up a different spec.

dominicm 2020-12-23T11:09:08.238600Z

@borkdude ^ yeah, I was trying to do a fully-qualified clojure.core

borkdude 2020-12-23T11:09:40.238800Z

just a minute

slipset 2020-12-23T11:11:13.239300Z

I think what’s happening now is exactly why I love this channel.

slipset 2020-12-23T11:11:43.239600Z

I’m getting ready to submit some PR’s 🙂

dominicm 2020-12-23T11:12:38.239800Z

> I'm more of a problems than a solutions kinda person. don't pull me into your prs ;)

slipset 2020-12-23T11:13:05.240100Z

I never conflate.

slipset 2020-12-23T11:13:11.240300Z

nor complect

slipset 2020-12-23T11:13:15.240500Z

Not even in my PRs

dominicm 2020-12-23T11:14:32.241500Z

@borkdude how do you spec with a fully qualified var?

slipset 2020-12-23T11:15:19.242500Z

On more of a tangent. We use Hacker1 to constantly be pen-tested. Which is a lot better than being pen-tested once a year or something. But it’s still black-box pen testing. It would be interesting with a Clojure focussed white-box pen-testing company.

dominicm 2020-12-23T11:15:49.242600Z

@slipset are you not constantly pwned with that gremlin issue?

slipset 2020-12-23T11:16:11.242900Z

No, because we’ve re-architected.

dominicm 2020-12-23T11:16:36.243300Z

ah I see :)

borkdude 2020-12-23T11:17:01.243600Z

@dominicm @slipset Just run as bash script. https://gist.github.com/borkdude/57984ca1df6c3cf8f302196cb37b0f43

borkdude 2020-12-23T11:17:13.244100Z

In your .m2 for example

slipset 2020-12-23T11:17:21.244400Z

Each customer gets its own, sandboxed container which runs on 0.25 CPU and 1 GB RAM 🙂

slipset 2020-12-23T11:17:55.245300Z

So, bitcoin mining might not be so interesting, and they’re only capable of DoS’ing themselves.

borkdude 2020-12-23T11:18:28.245600Z

there may be some false positives. feel free to report them in the grasp repo

slipset 2020-12-23T11:19:17.246200Z

2:18 $ /tmp/find_read_str.clj
Missing required argument for "-M ALIASES"

borkdude 2020-12-23T11:19:24.246400Z

I think one problem currently is that it doesn't take into account :refer-clojure + exclude

slipset 2020-12-23T11:19:35.246900Z

maybe I’m on an old something

borkdude 2020-12-23T11:19:42.247100Z

@slipset yes, upgrade

borkdude 2020-12-23T11:21:46.247500Z

jar:file:./repository/lein-shell/lein-shell/0.5.0/lein-shell-0.5.0.jar!/leiningen/shell.clj:42:20
(read-string lookup-str)
jar:file:./repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar!/nrepl/core.clj:152:25
(read-string value)

slipset 2020-12-23T11:24:53.248400Z

That could’ve been an edn/read-string I guess.

slipset 2020-12-23T11:25:09.249Z

ooooo

borkdude 2020-12-23T11:25:23.249300Z

(this is an older version of clj-http, this is probably fixed in a newer one)

borkdude 2020-12-23T11:25:53.249600Z

hmm, no it's still there

slipset 2020-12-23T11:26:19.249900Z

But it’s inside a *read-eval* false

slipset 2020-12-23T11:26:23.250100Z

So it’s ok.

borkdude 2020-12-23T11:26:50.250300Z

I guess

borkdude 2020-12-23T11:27:22.250800Z

ring core middleware cookies also has it, but I guess we already saw this one? or was it with monger?

slipset 2020-12-23T11:28:43.251400Z

That was monger

borkdude 2020-12-23T11:29:06.251600Z

(fixed in: https://github.com/ring-clojure/ring/issues/53)

borkdude 2020-12-23T11:30:04.252Z

This file has lots of read-strings: https://github.com/cognitect-labs/aws-api/blob/master/src/cognitect/aws/shape.clj

borkdude 2020-12-23T11:30:19.252500Z

But there you go, a read-string analyzer ;)

2020-12-23T12:51:59.253400Z

👋 @david.russell

slipset 2020-12-23T13:09:52.254Z

A colleague!

borkdude 2020-12-23T13:19:11.254600Z

@slipset Is Ardoq a remote company or is Dave Russell from Norway?

Dave Russell 2020-12-23T13:27:10.255200Z

Hey folks! @borkdude I realized when you pointed me here that our interest in read-string must have come from the same place 😛

Dave Russell 2020-12-23T13:27:14.255400Z

I live in Norway

borkdude 2020-12-23T13:42:31.256100Z

Welcome @kkasidiaris! 👋

orestis 2020-12-23T13:49:43.256500Z

Καλημέρα!

thomas 2020-12-23T14:16:13.258200Z

dang... suddenly it is becoming very popular here.... welcome!

p-himik 2020-12-23T14:32:20.258600Z

Καλημέρα. :) Was surprised to see Greek in here. I live in Cyprus myself now (although I'm not Greek myself).

pez 2020-12-23T14:33:53.259Z

Good morning!

orestis 2020-12-23T15:08:20.260700Z

There’s #clojure-greece with a few members but it’s usually quiet

p-himik 2020-12-23T15:12:17.260900Z

I imagine #clojure-cyprus would have only me. :D But that's OK. Maybe I'll join that one once I learn Greek to at least some extent. :)

2020-12-23T16:05:10.261100Z

surely a Καλημέρα in #clojure-greece a day would start to get things going

orestis 2020-12-23T16:50:24.263500Z

I’m actually living in Denmark so perhaps I should go in #clojure-denmark

2020-12-23T18:20:20.263700Z

:why not both gif:

orestis 2020-12-23T18:37:17.265100Z

Christmas Break is finally here so I’ll try to stay away from phones and computers as much as possible. Happy holidays everyone and see you on the other side of the year :)

slipset 2020-12-23T18:39:32.265500Z

Happy holidays @orestis and thanks for airing your thoughts here!

slipset 2020-12-23T18:41:14.266100Z

I’m planning to look into deployment for clj-commons this Christmas.

slipset 2020-12-23T18:41:46.266700Z

My goal is to move it as much as possible off my computer and let circle take care of it.

pez 2020-12-23T19:15:37.267600Z

My plan for Christmas is to try to improve Calva.
