On Monday, September 2, 2013 8:10:10 PM UTC-6, Nelson Morris wrote:
Several of Yesod's responses to other items on the list are humorous in
their vagueness, but in my experience for Clojure:
1. Injection: Done by JDBC's prepared statements, and clojure.jdbc's use
of them.
2. XSS injection: Depends on templating. Hiccup requires explicit `(h
..)` calls. laser is escape by default. I am unsure about enlive,
clabango, or others.
3. Authentication Session Management: I've used friend for
authentication, and bcrypt for encryption. lib-noir has some functions
that use bcrypt, but I've not used it. Session management can be specified
by the :store given to wrap-session, and defaults to an in-memory store. A
cookie store also exists that provides some protection against cookie
mutation. Immutant provides a store that can work across a cluster.
4. Insecure Reference: There is not a standard ORM or similar, so
handling only the correct parameters is up to you.
5. CSRF: ring-anti-forgery provides a way to add CSRF prevention tokens.
6. Security Misconfiguration: This seems to be the domain of chef, pallet,
puppet, capistrano or another deployment tool. I'm not sure I want my
libraries to mess with deployments.
7. Insecure Cryptographic Storage: Use bcrypt. See 3.
8. Failure to Restrict URL access: I've used friend for authorization.
9. Insufficient Transport Layer Protection: I'd recommend letting your
front end server handle this and redirect to https. I believe lib-noir has
a middleware that will redirect from http to https if needed. Consider
passing `:secure true` to `wrap-cookies` if you have an https only site.
10. Unvalidated Redirects and Forwards: URL generation is a weak spot in a
compojure based setup. For comparison, pedestal-service wrote its own
routing dsl and stores the routes in a way that allows url generation based
on the context passed in.
I believe the use of many small libraries is what causes the lack of a
single spot for this documentation. I've picked up most of what I described
above by knowing the authors / what to google / asking + watching irc.
That does seem like an unfortunate situation for anyone new to have to
learn.
-
Nelson Morris
Thank you to Nelson for compiling this list. Since it was posted a number
of months ago, has anyone recently written or stumbled over a go-to site
for security in Clojure web/non-web apps? The clojure-sec group seems to be
dead, but let me know if we should take the thread over there.
-
Christopher Poile
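The controls Nelson lists for items 1, 2, 3, 5 and 9 wired into one minimal Ring/Compojure handler, as an added example that is not code from the original thread, from Ring, Compojure, Hiccup or clojure.java.jdbc. The `db` spec, the `users` table, the 16-byte cookie-store key and the `wrap-force-https` middleware are assumptions made for illustration (the redirect middleware is a hand-written stand-in, not lib-noir's); everything else uses the public API of those libraries as it existed in the 2013 era the thread discusses.

```clojure
(ns example.secure-app
  (:require [clojure.java.jdbc :as jdbc]
            [compojure.core :refer [defroutes GET POST]]
            [hiccup.core :refer [html h]]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery *anti-forgery-token*]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]
            [ring.util.response :as resp]))

;; Assumed database spec with an assumed `users` table; any JDBC-backed
;; database behaves the same way for the point being made.
(def db {:classname "org.h2.Driver" :subprotocol "h2:mem" :subname "demo"})

;; 1. Injection. The unsafe form splices the caller's string into the SQL
;;    text, so name = "x' OR '1'='1" rewrites the query. The safe form passes
;;    it as a PreparedStatement parameter; the same input is then compared
;;    literally against the column and never parsed as SQL.
(defn find-user-unsafe [name]
  (jdbc/query db [(str "select * from users where name = '" name "'")]))

(defn find-user [name]
  (jdbc/query db ["select * from users where name = ?" name]))

;; 2. XSS. Hiccup emits strings verbatim, so anything that came from the
;;    request must go through (h ...). Without it, name = "<script>alert(1)</script>"
;;    lands in the page as markup.
(defn greeting-page [name]
  (html
    [:html
     [:body
      [:p "Hello, " (h name)]
      ;; 5. CSRF: every state-changing form carries the per-session token
      ;;    that wrap-anti-forgery checks on POST.
      [:form {:method "post" :action "/logout"}
       [:input {:type "hidden" :name "__anti-forgery-token"
                :value *anti-forgery-token*}]
       [:input {:type "submit" :value "Log out"}]]]]))

(defroutes routes
  (GET "/" req
    (greeting-page (get-in req [:session :user] "anonymous")))
  ;; Credential checking (friend / bcrypt) is out of scope here; this only
  ;; shows how the session is written and cleared.
  (POST "/login" [username]
    (-> (resp/redirect "/")
        (assoc :session {:user username})))
  (POST "/logout" []
    (-> (resp/redirect "/")
        (assoc :session nil))))

;; 9. Transport. Assumed helper, not lib-noir's middleware: if the request
;;    arrived over plain http, either directly or via a proxy that sets
;;    x-forwarded-proto, redirect to the https equivalent of the same URL.
(defn wrap-force-https [handler]
  (fn [req]
    (let [proto (get-in req [:headers "x-forwarded-proto"] (name (:scheme req)))]
      (if (= proto "https")
        (handler req)
        (resp/redirect (str "https://" (:server-name req) (:uri req)
                            (when-let [q (:query-string req)] (str "?" q))))))))

;; 3. Session management. The cookie store encrypts and signs the session
;;    with a 16-byte key (the value below is an assumed placeholder; generate
;;    a real one and keep it out of source control). :cookie-attrs marks the
;;    session cookie Secure and HttpOnly. wrap-anti-forgery sits inside
;;    wrap-session because it stores its token in the session.
(def app
  (-> routes
      wrap-anti-forgery
      (wrap-session {:store (cookie-store {:key "0123456789abcdef"})
                     :cookie-attrs {:secure true :http-only true}})
      wrap-params
      wrap-force-https))
```

Run it with any Ring adapter, for example `(ring.adapter.jetty/run-jetty app {:port 3000})`, behind a front end that terminates TLS and sets `x-forwarded-proto`. The middleware order matters: `wrap-force-https` is outermost so nothing below it ever sees a plaintext request, and `wrap-params` must be outside `wrap-anti-forgery` so the token can be read from the form body.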
--
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en