Leaving aside bugs, the intention with those parameters you mention (-lang, -reader, -compiled) is to help with security. They certainly would allow for code execution and they are off by default precisely because they allow that. I think that the general principle (read should, with the default parameter values, not evaluate any code) is one that is unlikely to change.
Robby On Sun, Feb 28, 2021 at 1:50 PM Ryan Kramer <[email protected]> wrote: > I want to send some Racket structs across a network. I know that I can use > prefab structs, serializable-structs, or even `eval` with a carefully > curated namespace. I was trying to think of security problems with the eval > approach and now I've become more afraid of `read` than I am of eval. And > read seems necessary for all 3 approaches. > > The first concern I thought of was cyclic data. My code assumes there are > no cycles; if an attacker can get me to process cyclic data my server will > probably loop forever or crash. This can be solved by setting > `read-accept-graph` to #f... I think. Right? (I guess another solution is > "you need to validate the input" which is fair, but it's easy to forget or > make a mistake.) > > This caused me to notice other `read-accept-***` parameters that looked > scary (-lang, -reader, -compiled). I don't know if there is an attack > vector here, but I felt safer turning them off also. > > Now I'm thinking that even if I can get it working safely today, Racket > would be well within its rights to make enhancements to the reader in the > future. So someday there might be new parameters that I would want to turn > off to preserve my definition of "safe", and I have to remember this when I > upgrade. > > All this makes me think that `read` is not quite the right tool for the > job. But it's close. If there were a version of read that accepts nothing > by default and requires the caller to opt-in to everything they want, that > would probably be perfect. > > I could use JSON or XML, but that just seems silly when you have a Racket > client talking to a Racket server. > > Are my concerns founded? Are there any existing solutions? Thanks for any > advice. > > -- > You received this message because you are subscribed to the Google Groups > "Racket Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/racket-users/a2580765-3cc2-482b-8d20-f62dc1e1dc91n%40googlegroups.com > <https://groups.google.com/d/msgid/racket-users/a2580765-3cc2-482b-8d20-f62dc1e1dc91n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/CAL3TdOPu7ycrz%2BEMvUP9%2Bh%2BYn7d%2BOb4r8bfb6SJ3g_BxqLKJYQ%40mail.gmail.com.
