Nice, that's a good way to check for this type of thing - Ring only uses this in the Cookie implementation of SessionStore, is that right?
ignacio

On Fri, Jul 11, 2014 at 12:24 PM, James Reeves <ja...@booleanknot.com> wrote:
> Ring uses a post condition to guard against this:
>
>     (defn- ^String serialize [x]
>       {:post [(= x (edn/read-string %))]}
>       (pr-str x))
>
> - James
>
> On 11 July 2014 20:13, Ignacio Thayer <itha...@gmail.com> wrote:
>
>> We noticed this possibility of EDN injection when mixing validated and
>> unvalidated data into a single EDN blob. It's hard to exploit, and in
>> some sense it's obvious, but I thought I'd share it since it caught us
>> off-guard and requires greater care than when serializing w/ JSON, for
>> example.
>>
>> Given a ring/compojure handler that mixes trusted/untrusted data into a
>> map:
>>
>>     (GET "/submit-op" []
>>       (fn [req]
>>         (let [;; BAD: Mix unvalidated user input w/ trusted data (is-admin)
>>               request-info {:raw-user-input (keyword (-> req :query-params (get "operation")))
>>                             :is-admin? false}
>>               ;; Serialize it for a backend worker/task queue.
>>               serialized (pr-str request-info)
>>               ;; Just roundtrip it here for demonstration and print contents.
>>               roundtripped (edn/read-string serialized)]
>>           (for [[k v] roundtripped]
>>             (lg/info "KEY[" k "]=" v)))))
>>
>> and the following request:
>>
>>     /submit-op?operation=register%20:is-admin?%20true}
>>
>> the trusted data is overwritten:
>>
>>     INFO 20140711 120431,062 rfz.web.routing ] KEY[ :raw-user-input ]= :register
>>     INFO 20140711 120431,063 rfz.web.routing ] KEY[ :is-admin? ]= true
>>
>> If I missed something about this, I apologize. In any case, take care,
>> validate data (as always), and don't mix trusted and untrusted data in
>> a call to pr-str.
>>
>> ignacio
>> cto readyforzero.com
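Added example (not Ring's code and not the code from the original post) that puts the two defenses mentioned in the thread side by side: Ring's round-trip post condition, which refuses to emit an EDN string that does not read back to the same value, and an allow-list check that rejects the query parameter before it ever reaches pr-str. The allowed-operations set and the function names are assumptions made for this example.

```clojure
(ns edn-injection-demo
  (:require [clojure.edn :as edn]))

;; Guarded serializer, following the pattern James quotes from Ring: the
;; :post condition throws AssertionError if pr-str output does not read back
;; to the value we started from.
(defn- ^String serialize [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))

;; Allow-list of operations the handler accepts (assumed set for this demo).
;; Anything outside it is rejected before being turned into a keyword.
(def allowed-operations #{"register" "login" "logout"})

(defn parse-operation
  "Return the operation keyword if the raw string is on the allow-list, else nil."
  [raw]
  (when (contains? allowed-operations raw)
    (keyword raw)))

(defn build-request-info
  "Build the map handed to the backend worker. The untrusted value is
  validated first, so a payload such as \"register :is-admin? true}\" is
  rejected instead of being embedded in the EDN."
  [raw-operation]
  (if-let [op (parse-operation raw-operation)]
    {:raw-user-input op :is-admin? false}
    (throw (ex-info "invalid operation" {:raw raw-operation}))))

(defn -main [& _]
  ;; Constructed sample input: the decoded query parameter from the post.
  (let [injected "register :is-admin? true}"]
    ;; 1. Unvalidated keyword: pr-str emits "{... :register :is-admin? true} ..."
    ;;    and the reader stops at the injected "}", so the post condition fires.
    (try
      (serialize {:raw-user-input (keyword injected) :is-admin? false})
      (println "serialize accepted a tampered map (unexpected)")
      (catch AssertionError e
        (println "post-condition caught EDN injection:" (.getMessage e))))
    ;; 2. Validated input: the allow-list rejects the payload up front.
    (try
      (build-request-info injected)
      (catch clojure.lang.ExceptionInfo e
        (println "rejected before serialization:" (ex-data e))))
    ;; 3. A legitimate value round-trips unchanged.
    (let [s (serialize (build-request-info "register"))]
      (println "ok:" s "->" (edn/read-string s)))))
```

The post condition only detects the problem at serialization time; the allow-list is the fix that keeps untrusted text out of the map in the first place.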