nice, that's a good way to check for this type of thing - ring only uses this in the Cookie implementation of SessionStore, is that right?
ignacio

On Fri, Jul 11, 2014 at 12:24 PM, James Reeves <[email protected]> wrote:
> Ring uses a post condition to guard against this:
>
> (defn- ^String serialize [x]
>   {:post [(= x (edn/read-string %))]}
>   (pr-str x))
>
> - James
>
> On 11 July 2014 20:13, Ignacio Thayer <[email protected]> wrote:
>> we noticed this possibility of edn injection when mixing validated and
>> unvalidated data into a single edn blob. it's hard to exploit, and in
>> some sense it's obvious but i thought i'd share it since it caught us
>> off-guard and requires greater care than when serializing w/ json for
>> example.
>>
>> Given a ring/compojure handler that mixes trusted/untrusted data into a
>> map:
>>
>> (GET "/submit-op" []
>>   (fn [req]
>>     (let [;; BAD: Mix unvalidated user input w/ trusted data (is-admin)
>>           request-info {:raw-user-input (keyword (-> req :query-params (get "operation")))
>>                         :is-admin? false}
>>           ;; Serialize it for a backend worker/task queue.
>>           serialized (pr-str request-info)
>>           ;; Just roundtrip it here for demonstration and print contents.
>>           roundtripped (edn/read-string serialized)]
>>       (for [[k v] roundtripped]
>>         (lg/info "KEY[" k "]=" v)))))
>>
>> and the following request:
>>
>> /submit-op?operation=register%20:is-admin?%20true}
>>
>> the trusted data is overwritten
>>
>> INFO 20140711 120431,062 rfz.web.routing ] KEY[ :raw-user-input ]= :register
>> INFO 20140711 120431,063 rfz.web.routing ] KEY[ :is-admin? ]= true
>>
>> if i missed something about this, i apologize. in any case, take care,
>> validate data (as always) and don't mix trusted and untrusted data in
>> a call to pr-str.
>>
>> ignacio
>> cto readyforzero.com
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Clojure" group.
>> To post to this group, send email to [email protected]
>> Note that posts from new members are moderated - please be patient with
>> your first post.
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/clojure?hl=en
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Clojure" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>>
>> For more options, visit https://groups.google.com/d/optout.
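The injection from Ignacio's handler and the roundtrip guard from James's reply, worked through side by side in one Clojure file that can be loaded into a REPL (an added example, not code from the thread or from Ring itself; `allowed-operations`, `parse-operation`, `request-info` and `demo` are names chosen here, and the whitelist contents are made up):

```clojure
(ns edn-injection-demo
  (:require [clojure.edn :as edn]))

;; Ring's guard, as quoted in James Reeves's reply: refuse to hand back a
;; serialization that does not read back to the value we started from.
;; The :post condition throws AssertionError when the roundtrip differs.
(defn- ^String serialize-checked [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))

;; Hypothetical whitelist for this endpoint. Validating the raw string
;; before it is turned into a keyword keeps unexpected input away from
;; pr-str entirely; anything not on the list maps to nil.
(def allowed-operations #{:register :login :logout})

(defn parse-operation [s]
  (when (string? s)
    (get allowed-operations (keyword s))))

;; Same map the vulnerable handler built from the raw "operation" query
;; parameter: `keyword` does no validation, so spaces and braces in the
;; parameter survive into the keyword's name and print unescaped.
(defn request-info [operation]
  {:raw-user-input (keyword operation)
   :is-admin? false})

(defn demo
  "Compare the unguarded roundtrip, the post-condition guard and input
  validation for one URL-decoded `operation` value."
  [operation]
  (let [info (request-info operation)
        ;; Unguarded path from the thread: edn/read-string returns the first
        ;; complete form, so an injected `:is-admin? true}` closes the map
        ;; early and the trusted `:is-admin? false` that follows is ignored.
        naive (edn/read-string (pr-str info))
        ;; Guarded path: the mismatch trips the :post check, and the caller
        ;; sees an AssertionError instead of a silently altered map.
        guarded (try (serialize-checked info)
                     (catch AssertionError _ :rejected))]
    {:naive-is-admin? (:is-admin? naive)
     :guarded guarded
     :validated (parse-operation operation)}))

;; The request from the thread, URL-decoded, next to a benign one.
(defn -main []
  (prn (demo "register :is-admin? true}"))
  (prn (demo "register")))
```

The guard only detects the problem after the untrusted value has already been coerced; `parse-operation` shows the validation step the original post recommends, applied before any serialization happens.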
