On Tue, Apr 9, 2013 at 6:03 PM, rebcabin <bc.beck...@gmail.com> wrote:
> Hello -- I would like to use Clojure to build a safe code-remoting
> application for query injection (moving queries closer to the data for
> affinity and privacy). One alternative for this application is to read
> Clojure code from strings WITHOUT evaluating it, then analyze the presented
> code and / or eval it with a custom eval function in a sandbox. It's easier
> to do this in Clojure than in JavaScript because it's easier to write a
> custom eval in Clojure than in JavaScript.
>
> One problem with my plan is that the #= reader macro evaluates the code at
> read-time, before I have a chance to analyze or sandbox it. The workarounds
> seem to be disabling or removing the #= reader macro or writing my own
> custom reader (in addition to a custom evaluator).
>
> I'd be grateful for guidance and advice.
>

#= was an issue that was addressed in Clojure 1.5. (Though you should use 1.5.1, which fixes a memory leak.)

The read and read-string [1] functions have always been controllable by setting *read-eval* [2] to nil or false to disable the eval-reader. However, in Clojure 1.4 and below, this still allowed execution of record and class constructors, which probably isn't desired. In Clojure 1.5.1 setting *read-eval* to nil or false should (I think) disable all eval-on-read facilities. (Though I'd get a second opinion on that before relying on it.)

Clojure 1.5.1 also brought the new clojure.edn [3] namespace, which provides safe reading of Clojure data structures as data, but doesn't support all of the features of the reader that might be used in code. For your usage, it sounds like this might be unsuitable.

[1] http://clojure.github.io/clojure/clojure.core-api.html#clojure.core/read-string
[2] http://clojure.github.io/clojure/clojure.core-api.html#clojure.core/*read-eval*
[3] http://clojure.github.io/clojure/clojure.edn-api.html

--
You received this message because you are subscribed to the Google Groups "Clojure" group.
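Added example (not part of the original message): reading untrusted text as data with the eval reader disabled, next to clojure.edn, and then listing every symbol that is not on an allowlist before anything reaches a custom eval. The namespace, `allowed-symbols`, the helper names and the sample strings are assumptions made for illustration; Clojure 1.5 or later is assumed, and the symbol check is only a first filter, not a sandbox.

```clojure
(ns example.safe-read
  (:require [clojure.edn :as edn])
  (:import (java.io PushbackReader StringReader)))

;; Hypothetical allowlist for a tiny query language (assumption, not from the thread).
(def allowed-symbols '#{filter map fn get > < = and or x})

(defn read-forms
  "Reads every form in s as data with the eval reader disabled. Never calls eval."
  [s]
  (binding [*read-eval* false]
    (let [rdr (PushbackReader. (StringReader. s))
          eof (Object.)]
      (loop [forms []]
        (let [form (read rdr false eof)]
          (if (identical? form eof)
            forms
            (recur (conj forms form))))))))

(defn disallowed-symbols
  "Returns the set of symbols anywhere in form that are not on the allowlist.
  Reader shorthand (quote, deref, #(...), syntax-quote) expands to symbols
  such as quote or fn*, so it is caught here unless explicitly allowed."
  [form]
  (->> (tree-seq coll? seq form)
       (filter symbol?)
       (remove allowed-symbols)
       set))

(defn try-read
  "Applies reader function f to s; a reader exception becomes [:rejected msg]."
  [f s]
  (try (f s)
       (catch Exception e [:rejected (.getMessage e)])))

;; Constructed inputs (not from the thread).
(def benign "(filter (fn [x] (> (get x :age) 30)))")
(def read-time-eval "#=(+ 1 2)")

(doseq [s [benign read-time-eval]]
  (println "input:" s)
  (println "  read, *read-eval* false:" (try-read read-forms s))
  (println "  clojure.edn/read-string:" (try-read edn/read-string s)))

(doseq [form (read-forms (str benign " (map slurp x)"))]
  (println "form:" form "| not on allowlist:" (disallowed-symbols form)))
```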