0

My Problem

I'm currently writing a REST-API which is supposed to take JSON requests and work with an intern library we use. The main usage will be to either run the server with a web interface or to possibly use another language to work with the API since Clojure isn't common elsewhere.

In order to achieve this, the JSON request contains data and a functionname, which is run with resolve, since I'm supposed to make it so that we don't have to change the API each time a function is added/removed.

Now the actual question is: How can I make sure the function I run combined with it's argument dosen't destroy the whole thing?

So, what did I try already?

Now, I've actually told only half the truth until now: I don't use resolve, I use ns-resolve. My first intuition was to create a seperate file which will load in all namespaces from the library, there's nothing malicious you could do with those. The problem is, I want only those functions and I'm not aware of any way to remove clojure.core functions. I could do a blacklist for those but whitelisting would be a whole lot easier. Not to mention I could never find all core functions I actually should be blacklisting.

The oher thing is the input. Again I've got a basic idea which is to sanitize the input to replace all sort of brackets just to make sure the input isn't other clojure code which would just bypass the namespace restriction from above. But would this actually be enough? I've got not much experience in breaking things.

Another concern I've heard is that some functions could run the input as argument long before intended. The server works with ring and its JSON extension. JSON should only give strings, numbers, booleans and nil as atomic data types. I conclude each possible malicious input should be a string at my end - besides resolve, is there any function which could have the side effect of running such input? Since they are string: Is there even a concern to be had with the data at all?

Improve this question
2
  • Unless you eval the inputs (assuming you mean basically the arguments for the function to resolve), there is no general concern. JSON represents plain data. But since you are already talking about sanitizing brackets (?), tt would really help if you could show an example of an request you plan to accept. Commented Oct 2, 2019 at 10:17
  • @cfrick The other input is just meant as the arguments for the function, that's right. The concern about the data arose since there is the possibility to just use a function which would eval data. The whitelisting approach seems to prevent this but I'd just like to make sure in case something is whitelisted which shouldn't be. Commented Oct 2, 2019 at 22:50

2 Answers 2

Reset to default
1

I would strongly advise to use a whitelisting approach for functions, and not to evaluate anything else.

You could maybe add a metadata flag to the exposed functions that you check where you resolve them.

Everything else should just be data; don't evaluate it.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Probably you want to look into the following:

  • How to determine public functions from a given namespace. This will give you a list of the valid functions names that your API can accept as part of the input. Here's a sample:
user=> (ns-publics (symbol "clojure.string"))
{ends-with? #'clojure.string/ends-with?, capitalize #'clojure.string/capitalize, reverse #'clojure.string/reverse, join #'clojure.string/join, replace-first #'clojure.string/replace-first, starts-with? #'clojure.string/starts-with?, escape #'clojure.string/escape, last-index-of #'clojure.string/last-index-of, re-quote-replacement #'clojure.string/re-quote-replacement, includes? #'clojure.string/includes?, replace #'clojure.string/replace, split-lines #'clojure.string/split-lines, lower-case #'clojure.string/lower-case, trim-newline #'clojure.string/trim-newline, upper-case #'clojure.string/upper-case, split #'clojure.string/split, trimr #'clojure.string/trimr, index-of #'clojure.string/index-of, trim #'clojure.string/trim, triml #'clojure.string/triml, blank? #'clojure.string/blank?}
  • You probably want to use the keys from the map above (in the namespace that applies to your use case) to validate the input, because you can "escape" the ns-resolve namespace if you fully qualify the function name:
user=> ((ns-resolve (symbol "clojure.string") (symbol "reverse")) "hello")
"olleh"

user=> ((ns-resolve (symbol "clojure.string") (symbol "clojure.core/reverse")) "hello")
(\o \l \l \e \h) ;; Called Clojure's own reverse, probably you don't want to allow this

Now, with that being said, I'm going to offer you some free advice:

I'm supposed to make it so that we don't have to change the API each time a function is added/removed

If you have watched some of Rich Hickey's talks you'll know that API changes are a sensible topic. In general you should think carefully before adding new functions or thinking of deleting any, because it sounds like your team is willing to cut corners on getting clients of the API together on the same page.

Unless your clients can discover dynamically what functions are available (maybe you'll expose some API?), it sounds like you will be open to receiving requests you cannot fulfill because the functions have changed or could be removed.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.