clojure-europe

For people in Europe... or elsewhere... UGT https://indieweb.org/Universal_Greeting_Time
dharrigan 2021-05-12T05:44:03.244400Z

Good Morning!

slipset 2021-05-12T05:44:16.244600Z

Morning!

djm 2021-05-12T06:15:38.244800Z

👋

pez 2021-05-12T06:29:40.245100Z

☀️

jasonbell 2021-05-12T07:55:40.245300Z

Morning

thomas 2021-05-12T07:59:27.245500Z

mogge

anthony-galea 2021-05-12T09:19:34.245700Z

Good morning

raymcdermott 2021-05-12T09:33:19.245900Z

morning

2021-05-12T09:43:01.246100Z

morning

ordnungswidrig 2021-05-12T10:01:18.246300Z

Good morning!

anthony-galea 2021-05-12T12:19:44.246700Z

I’m currently working on a Clojure codebase that makes quite heavy use of spec. Today the app crashes on me during a demo because I use brackets in a text field whose contents are used in an HTTP request to the backend. The regex doesn’t allow ‘(’

(def url-regex
  (re-pattern "(http|ftp|https)://[\\w-]+(\\.[\\w-]+)*([\\w.,@?^=%&:/~+#-]*[\\w@?^=%&/~+#-])?"))

(s/def ::url (s/and string? #(re-matches url-regex %)))
Now if I’m reading the spec correctly brackets are allowed:

anthony-galea 2021-05-12T12:19:54.247200Z

So now I could revise the regex to allow brackets, but is there value in keeping this spec at all?

anthony-galea 2021-05-12T12:20:02.247400Z

And perhaps more generally, has anyone had the experience that overspeccing ends up making a system more brittle than it has to be?

pez 2021-05-12T12:21:48.248600Z

As I work with the same project, I might add that the Uri component is first escaped using js/encodeURIComponent , then checked with that spec. 😃

2021-05-12T12:30:21.249Z

I would struggle to write a regexp that covered all valid URIs

pez 2021-05-12T12:44:00.250400Z

Seems like the URL spec there could help with it, but indeed, it is daunting anyway.

slipset 2021-05-12T12:54:00.251800Z

Expert answer is that “it depends”

slipset 2021-05-12T12:54:17.252500Z

What are the ramifications of someone fatfingering here?

jkxyz 2021-05-12T12:54:42.253Z

My version of a URI spec would be using java.net.URI or JS’s URL classes to parse the string, catch the error and return nil such that the spec fails when it’s unparseable

🙏 1
slipset 2021-05-12T12:55:24.253800Z

And what do you actually care about? Seems like you care about limiting your protocols to http(s) and ftp?

pez 2021-05-12T12:58:50.257300Z

@slipset Thing is that all that is provided by us, the user only provides a query string. We encode that string and build the URL. The result is then spec checked. I think it feels like we are specing js/encodeUriComponent, and also don’t feel like that is our responsibility.

slipset 2021-05-12T12:58:52.257500Z

I guess y’all seen the complete regex for emails? How much value does it bring to the table over just checking for a string that contains an @?

pez 2021-05-12T12:59:48.258300Z

We have had failures to register with our app because our email-regex was stopping valid email addresses too. 😃

slipset 2021-05-12T13:03:36.259300Z

So the user provides “/foo/bar/baz?lol” and based on that you create “http://wahtever.com/foo/bar/baz?lol” then I wouldn’t bother with the spec.

🙏 1
pez 2021-05-12T13:04:14.259700Z

The user provides lol, but yeah. 😃

pez 2021-05-12T13:58:55.262200Z

A perhaps stupid questions, regarding specs… Is anyone using fdefs in their unit test namespaces to instrument the functions under test there, instead of doing it where the functions are defined?

anthony-galea 2021-05-12T14:18:05.262600Z

Indeed, but also, given how the URL is being built it would be redundant to validate it anyways.

borkdude 2021-05-12T14:18:43.263700Z

@pez I’ve got a library for this, called re-speced

1
pez 2021-05-12T14:25:45.264500Z

Ah, that looks nice!

anthony-galea 2021-05-12T14:28:54.265900Z

Thanks for the feedback, I’ve seen a couple of situations were an app crashes unnecessarily because of a spec being too narrow, and so I’m questioning the very liberal use of specs throughout a codebase. I have found the guideline to “only spec what is necessary” useful. Wondering if other people have had similar experiences

ordnungswidrig 2021-05-12T14:56:15.267Z

Regarding mails: I’d verify for @ and a single dot in the host part. You maybe don’t want to support bang paths but who cares? #"\s.+@[^.]+\.[^.]+\s"

🙏 1
dharrigan 2021-05-12T15:21:39.267700Z

This reminded me of something that popped up on hacker news, I found the article <https://www.netmeister.org/blog/email.html>

dharrigan 2021-05-12T15:22:02.268200Z

There is a lot to email validation

👍 1
🙏 1
RAMart 2021-05-12T16:07:49.270500Z

@anthony-galea My rule of thumb: Spec vulnerable points of your system: E.g. where data enters or leaves (the outer shell), untrusted sources and the like. Loosen it for (core) layers which highly benefit from data flexibility.

👍 2
🙏 1
📏 1
dominicm 2021-05-12T20:50:51.273300Z

I really like how @weavejester tackled this: https://github.com/weavejester/valip/blob/master/src/valip/predicates.clj#L50-L65