tags:

views:

241

answers:

2
+5  Q: 

Security implications of Clojure keyword creation from user data?

Suppose that I take a user-supplied string, userstring, and call (keyword userstring) on it.

Are there any security concerns about doing this? And if so, what would be the best way to mitigate them?

+4  A: 

Off the top of my head:

(keyword s) will create a non-namespaced keyword with name s regardless of whether such a keyword could be represented by a keyword literal. That could be a security concern if you were to print those keywords out as part of some configuration file, say, and then attempt to use it as trusted code:

(with-out-str (println (keyword "foo (println :bar)")))
; => :foo (println :bar)

Also, here are two threads of interest from the Google groups (the first one is from clojure-dev):

  1. Request for Improvement (with patch): non-interning keyword lookup

  2. Are keywords and symbols garbage-collected?

A summary: interning garbage keywords could be a memory leak, so you should consider doing some preprocessing on strings which you might intern if they come from untrusted sources.

Michał Marczyk  2010-05-19 21:17:02
Very helpful, thank you.
Rob Lachlan  2010-05-22 02:24:36
+3  A: 

Per http://clojure.org/reader, there are rules for which characters are valid in symbols and keywords. (For now, alphanumeric characters and *, +, !, -, _, and ?.) You should never create a symbol containing any other characters. However, right now, these rules are completely unenforced by the compiler.

At best you could end up with invalid keywords. At worst you could end up with evil/dangerous ones, as Michał Marczyk said. Keep in mind that #=() can be used to run arbitrary code at read-time, so you don't even have to evaluate a string for bad things to happen, you only have to read it.

(keyword "foo #=(steal-passwords-and-delete-hard-drive)")

(See (doc *read-eval*) for how to disable this behavior, but read-eval is enabled by default.)

I think general rules for sanitizing user input apply here. Define precisely what you want to allow, and disallow everything else by default. Maybe allow something like the regex #"[a-zA-Z0-9*+!-_?]+", with possibly other alphanumerics depending on the language you speak.

Brian Carper  2010-05-21 15:51:07
"#=() can be used to run arbitrary code at read-time, so you don't even have to evaluate a string for bad things to happen, you only have to read it." That I didn't know, thank you.
Rob Lachlan  2010-05-22 02:23:17

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security