Good Morning!
Good morning
morning :)
@dominicm please don’t ask. Happened before I joined. Now we have to live with it.
So far as I can tell, gremlin at least doesn't have exec() or anything like SQL has which would let them pwn you. But I'm sure vendor extensions might break that.
morning
good morning!
Morning
morning
morning!
Morning
@dominicm let me tell you that vendor extensions have so much more than that….
@slipset how do I become a customer? And do you have gpus attached in production or should I use a cpu-optimized crypto coin?
I’d go for the cpu-optimized one
@dominicm one of my best days at work was when I did a gremlin query which happened to contain System.exit(0). That sparked a rather big re-architecture of our gremlin stuff.
That's one of the things some people use sci for: sandboxed execution without having access to System/exit etc.
@dominicm for your bitcoin business, you might want to consider targeting companies using mongo and clojure https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L87
😱
right, people need to get their shit together. This is not OK.
Also, nope https://github.com/michaelklishin/monger/blob/master/src/clojure/monger/ring/session_store.clj#L63
Right, well, I won't be touching monger.
Maybe make an issue there?
Well, it's by definition an evaluating thing.
There's some reduction of surface area, but any real fix would be deleting that code.
what is the reason for evaluation there?
question... who controls the hostname part of a domain name? the www.example.com part of the domain name.
@borkdude pre-edn I guess, maybe for trusted services.
I would like to have api.example.com on amazon, and www.example.com somewhere else.
@thomas your dns admin? :)
You can have those point to different places, no problem
yes, but they have no idea how to do that they say... rather strangely enough.
If you'd like to manage one on AWS and one somewhere else.
@thomas these are settings in your domain name provider admin panel
Then what you're looking for is "NS delegation" which allows a sub-domain to delegate all its DNS to a different server.
ok, let me see if I can get to that.
thank you all
https://serverfault.com/questions/530415/what-is-dns-delegation SOA and NS is what you're looking for if you want AWS to be able to create http://foo.api.example.com, etc.
I've used this with hosted zones a lot to create dev areas with terraform that don't have to worry about what they're a part of.
I think there is room for a Clojure based security firm
I’m sure there are other vulnerabilities out there. Anyone done a thorough check of friend or buddy?
@dominicm what’s the problem with the print-dup?
I see it’s printing with a reader-eval, but how do you exploit that (since it’s only printing a date?)
https://github.com/michaelklishin/monger/issues/59
@slipset re-defining print-dup for a type you don't own in a library is an anti-pattern
anti-patterns are different from security issues?
true
well, it could become a security issue if the print-dup does stuff you don't trust ;)
but then again, libraries can launch missiles if you don't watch out, so once you use them, you pretty much own them
Right, so maybe @dominicm was more commenting on the quality of the library more than a security concern.
I've seen other people do this for serializing types. It's unfortunate that many multi-methods don't support a pluggable hierarchy
The alternative would be to postwalk (or prewalk?) data yourself and not use print-dup
@borkdude Yeah, I didn't like either of those things.
Seeing the print-dup just made me extra grumpy :)
I'm on holiday so taking shots from the sofa is my thing now
I guess, quick, use grasp to see how many libraries call read-string.
yep, pretty easy to do
grasp . "#{'clojure.core/read-string}"
am I doing it right? :)
@dominicm Are you going to run this over the entire clojars?
In that case I recommend using the JVM, since it's faster with lots of throughput.
The spec: (g/seq 'read-string (s/+ any?))
.m2 would be a good start
It’s only core/read-string that’s a problem edn/read-string should be safe.
Just change this script: https://gist.github.com/borkdude/e6f0b12f9352f3375e5f3277d2aba6c9 It runs in 15 seconds over my entire .m2. Ok, for resolving to clojure.core/read-string, let me cook up a different spec.
@borkdude ^ yeah, I was trying to do a fully-qualified clojure.core
just a minute
I think what’s happening now is exactly why I love this channel.
I’m getting ready to submit some PR’s 🙂
> I'm more of a problems than a solutions kinda person. don't pull me into your prs ;)
I never conflate.
nor complect
Not even in my PRs
@borkdude how do you spec with a fully qualified var?
On more of a tangent. We use Hacker1 to constantly be pen-tested. Which is a lot better than being pen-tested once a year or something. But it’s still black-box pen testing. It would be interesting with a Clojure focussed white-box pen-testing company.
@slipset are you not constantly pwned with that gremlin issue?
No, because we’ve re-architected.
ah I see :)
@dominicm @slipset Just run as bash script. https://gist.github.com/borkdude/57984ca1df6c3cf8f302196cb37b0f43
In your .m2 for example
Each customer gets its own, sandboxed container which runs on 0.25 CPU and 1GB ram 🙂
So, bitcoin mining might not be so interesting, and they’re only capable of DOS’ing themselves.
there may be some false positives. feel free to report them in the grasp repo
2:18 $ /tmp/find_read_str.clj
Missing required argument for "-M ALIASES"
I think one problem currently is that it doesn't take into account :refer-clojure + exclude
maybe I’m on an old something
@slipset yes, upgrade
jar:file:./repository/lein-shell/lein-shell/0.5.0/lein-shell-0.5.0.jar!/leiningen/shell.clj:42:20
(read-string lookup-str)
jar:file:./repository/nrepl/nrepl/0.4.5/nrepl-0.4.5.jar!/nrepl/core.clj:152:25
(read-string value)
That could’ve been a edn/read-string
I guess.
ooooo
(this is an older version clj-http, this is probably fixed in a newer one)
hmm, no it's still there
But it’s inside a *read-eval* false
So it’s ok.
I guess
ring core middleware cookies also has it, but I guess we already saw this one? or was it with monger?
That was monger
(fixed in: https://github.com/ring-clojure/ring/issues/53)
This file has lots of read-strings: https://github.com/cognitect-labs/aws-api/blob/master/src/cognitect/aws/shape.clj
But there you go, a read-string analyzer ;)
A colleague!
@slipset Is Ardoq a remote company or is Dave Russell from Norway?
Hey folks! @borkdude I realized when you pointed me here that our interest in read-string must have come from the same place 😛
I live in Norway
Welcome @kkasidiaris! 👋
Good morning!
dang... suddenly it is becoming very popular here.... welcome!
Good morning. :) Was surprised to see Greek in here. I live in Cyprus myself now (although I'm not Greek myself).
Good morning!
There’s #clojure-greece with a few members but it’s usually quiet
I imagine #clojure-cyprus would have only me. :D But that's OK. Maybe I'll join that one once I learn Greek to at least some extent. :)
surely a "good morning" in #clojure-greece a day would start to get things going
I’m actually living in Denmark so perhaps I should go in #clojure-denmark
:why not both gif:
Christmas Break is finally here so I’ll try to stay away from phones and computers as much as possible. Happy holidays everyone and see you on the other side of the year :)
Happy holidays @orestis and thanks for airing your thoughts here!
I’m planning to look into deployment for clj-commons this Christmas.
My goal is to move it as much as possible off my computer and let circle take care of it.
My plan for Christmas is to try to improve Calva.