Thanks everyone. I feel fine to use `read` for this use case now. I 
overlooked `call-with-default-reading-parameterization` which specifically 
mentions "reading from untrusted sources" so that is very reassuring.

On Sunday, February 28, 2021 at 3:36:29 PM UTC-6 John K wrote:

>
>
> On Feb 28, 2021, at 2:50 PM, Ryan Kramer <default...@gmail.com> wrote:
>
>
> […]
>
>
> I could use JSON or XML, but that just seems silly when you have a Racket 
> client talking to a Racket server.
>
> Are my concerns founded? Are there any existing solutions? Thanks for any 
> advice.
>
>
> I don’t think this necessarily answers your question, at least not 
> directly, but receiving code from a remote client is certainly a potential 
> security risk. 
>
> Fortunately, Racket is well-adapted to writing (and parsing) a language 
> (DSL) inside of the language. 
>
> Personally I’m a fan of object capability mechanisms. In Scheme and 
> Racket, some interesting places to start might be 
>
> * Jonathan Rees’ Scheme-based “security kernel” paper: 
> http://mumble.net/~jar/pubs/secureos/secureos.html 
> * Marketplace by Tony Garnock-Jones: http://tonyg.github.io/marketplace/
>
> Christopher Lemmer Webber (may be on this list even?) is working on 
> something called Spritely Goblins, an implementation, in Racket, of the 
> CapTP/VatTP protocols that were invented by Mark Miller and others in the E 
> language (http://www.erights.org/elib/capability/ode/ode-capabilities.html) 
> and now being used in JavaScript/SES.
>
> * https://docs.racket-lang.org/goblins/index.html
>
> And finally, for serializing object (capabilities), the other piece of 
> relevant interesting work is CapnProto by Kenton Varda: 
> https://capnproto.org/
>
> Have fun :)
>
> - johnk 
>
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to racket-users...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/racket-users/a2580765-3cc2-482b-8d20-f62dc1e1dc91n%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/racket-users/a2580765-3cc2-482b-8d20-f62dc1e1dc91n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
>

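An added example, not code from anyone in this thread: one way a Racket server could use `read` on peer input under `call-with-default-reading-parameterization`, then accept only known message shapes. The 4096-byte cap, the `ping`/`add` message forms, and the helper names `read-untrusted`, `parse-request` and `handle` are assumptions made for illustration.

```racket
#lang racket/base
;; Added example: treat peer input as data only, never as code.
(require racket/port racket/match)

(define MAX-BYTES 4096) ; assumed per-message size limit

;; read-untrusted : input-port -> datum
;; Reads exactly one datum with reader extensions switched off.
(define (read-untrusted in)
  ;; Bound how much input a peer can make the reader consume.
  (define limited (make-limited-input-port in MAX-BYTES #f))
  (call-with-default-reading-parameterization
   (lambda ()
     ;; Set explicitly so the policy is visible at the call site.
     (parameterize ([read-accept-reader #f]    ; no #reader
                    [read-accept-lang #f]      ; no #lang
                    [read-accept-compiled #f]  ; no compiled code
                    [read-accept-graph #f])    ; no #0= cyclic data
       (read limited)))))

;; parse-request : datum -> request
;; Allowlist of message shapes (hypothetical protocol). The datum is
;; matched structurally and is never passed to eval.
(define (parse-request datum)
  (match datum
    [(list 'ping) '(ping)]
    [(list 'add (? exact-integer? a) (? exact-integer? b))
     (list 'add a b)]
    [_ (error 'parse-request "unexpected message shape")]))

;; handle : string -> request or (list 'rejected message)
(define (handle str)
  (with-handlers ([exn:fail? (lambda (e)
                               (list 'rejected (exn-message e)))])
    (parse-request (read-untrusted (open-input-string str)))))

;; Constructed sample inputs.
(handle "(add 1 2)")                      ; well-formed request
(handle "#reader racket/base (add 1 2)")  ; uses a reader extension
(handle "#0=(add 1 . #0#)")               ; uses graph (cyclic) syntax
(handle "(shutdown-server)")              ; readable, but not on the allowlist
(handle "(add 1")                         ; truncated datum
```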