Ring uses a post condition to guard against this:

(defn- ^String serialize [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))


- James


On 11 July 2014 20:13, Ignacio Thayer <itha...@gmail.com> wrote:

>
> we noticed this possibility of edn injection when mixing validated and
> unvalidated data into a single edn blob. it's hard to exploit, and in
> some sense it's obvious but i thought i'd share it since it caught us
> off-guard and requires greater care than when serializing w/ json for
> example.
>
> Given a ring/compojure handler that mixes trusted/untrusted data into a
> map:
>
>      (GET "/submit-op" []
>           (fn [req]
>             (let [;; BAD: Mix unvalidated user input w/ trusted data (is-admin)
>                   request-info {:raw-user-input (keyword (-> req :query-params (get "operation")))
>                                 :is-admin? false}
>                   ;; Serialize it for a backend worker/task queue.
>                   serialized (pr-str request-info)
>                   ;; Just roundtrip it here for demonstration and print contents.
>                   roundtripped (edn/read-string serialized)]
>               (for [[k v] roundtripped]
>                 (lg/info "KEY[" k "]=" v)))))
>
>
> and the following request:
>
>      /submit-op?operation=register%20:is-admin?%20true}
>
> the trusted data is overwritten
>
>      INFO  20140711 120431,062 rfz.web.routing ] KEY[ :raw-user-input ]= :register
>      INFO  20140711 120431,063 rfz.web.routing ] KEY[ :is-admin? ]= true
>
>
> if i missed something about this, i apologize. in any case, take care,
> validate data (as always) and don't mix trusted and untrusted data in
> a call to pr-str.
>
> ignacio
> cto readyforzero.com
>

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
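Worked example for the whole thread (Ignacio's injection and the Ring-style :post guard James quotes). This is an added example, not code from either message or from Ring; the namespace, function names, the allow-list and the attacker string are assumptions made for the demo, and it depends only on clojure.core and clojure.edn:

```clojure
;; Added example, not code from the thread or from Ring. Namespace, function
;; names and the allow-list are assumptions made for this demo; only
;; clojure.core and clojure.edn are used.
(ns edn-injection-demo
  (:require [clojure.edn :as edn]))

;; Constructed attacker value for the "operation" query parameter: the
;; URL-decoded form of register%20:is-admin?%20true} from the report above.
(def evil-operation "register :is-admin? true}")

;; BAD: untrusted text becomes a keyword and is mixed with trusted data.
;; pr-str writes a keyword's name verbatim (no quoting or escaping), so
;; the attacker's "}" closes the map early and the trailing tokens are
;; ignored by edn/read-string, which reads only the first form.
(defn build-request-info-unsafe [operation]
  {:raw-user-input (keyword operation)
   :is-admin?      false})

(defn serialize-unsafe [x]
  (pr-str x))

;; Ring-style guard (same idea as the :post condition James quotes):
;; refuse to emit EDN that does not read back to the value we started
;; with. A :post failure throws java.lang.AssertionError.
(defn serialize-checked [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))

;; Safer construction: never let untrusted text become a symbol/keyword.
;; Either keep it a string (pr-str escapes quotes and backslashes inside
;; strings, so it reads back intact) or map it through an allow-list so
;; only keywords we defined ourselves reach pr-str.
(def allowed-operations
  {"register" :register
   "login"    :login})

(defn build-request-info-safe [operation]
  (if-let [op (get allowed-operations operation)]
    {:raw-user-input op
     :is-admin?      false}
    (throw (ex-info "unknown operation" {:operation operation}))))

(defn round-trips? [x]
  (= x (edn/read-string (pr-str x))))

(defn -main [& _]
  (let [info (build-request-info-unsafe evil-operation)
        s    (serialize-unsafe info)]
    (println "serialized:     " s)
    (println "read back:      " (edn/read-string s))
    (println "round-trips?    " (round-trips? info))
    (try
      (serialize-checked info)
      (println "serialize-checked accepted it (unexpected)")
      (catch AssertionError e
        (println "serialize-checked rejected it:" (.getMessage e))))
    ;; Keeping the raw value as a string survives the round trip.
    (println "as string:      " (serialize-checked {:raw-user-input evil-operation
                                                    :is-admin?      false}))
    ;; An allow-listed keyword also survives; unknown operations are rejected
    ;; before anything reaches pr-str.
    (println "allow-listed:   " (serialize-checked (build-request-info-safe "register")))
    (try
      (build-request-info-safe evil-operation)
      (catch clojure.lang.ExceptionInfo e
        (println "rejected input: " (.getMessage e) (ex-data e))))))
```

Save it as src/edn_injection_demo.clj and run `clj -M -m edn-injection-demo` (assuming the default deps classpath). With the attacker string, round-trips? returns false and serialize-checked throws AssertionError instead of handing the poisoned blob to a worker; the string-valued and allow-listed forms pass the same check. Note the guard only detects the corruption after the fact, so the allow-list (or keeping the raw value a string) is the fix and the :post is the safety net.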