Thanks everyone. I feel fine using `read` for this use case now. I overlooked `call-with-default-reading-parameterization`, which specifically mentions "reading from untrusted sources", so that is very reassuring.
On Sunday, February 28, 2021 at 3:36:29 PM UTC-6 John K wrote:
> > On Feb 28, 2021, at 2:50 PM, Ryan Kramer <[email protected]> wrote:
> >
> > […]
> >
> > I could use JSON or XML, but that just seems silly when you have a Racket client talking to a Racket server.
> >
> > Are my concerns founded? Are there any existing solutions? Thanks for any advice.
>
> I don’t think this necessarily answers your question, at least not directly, but receiving code from a remote client is certainly a potential security risk.
>
> Fortunately, Racket is well-adapted to writing (and parsing) a language (DSL) inside of the language.
>
> Personally I’m a fan of object capability mechanisms. In Scheme and Racket, some interesting places to start might be
>
> * Jonathan Rees’ Scheme-based “security kernel” paper: http://mumble.net/~jar/pubs/secureos/secureos.html
> * Marketplace by Tony Garnock-Jones: http://tonyg.github.io/marketplace/
>
> Christopher Lemmer Webber (may be on this list even?) is working on something called Spritely Goblins, an implementation, in Racket, of the CapTP/VatTP protocols that were invented by Mark Miller and others in the E language (http://www.erights.org/elib/capability/ode/ode-capabilities.html) and now being used in Javascript/SES.
>
> * https://docs.racket-lang.org/goblins/index.html
>
> And finally, for serializing object (capabilities), the other piece of relevant interesting work is CapnProto by Kenton Varda: https://capnproto.org/
>
> Have fun :)
>
> - johnk
>
> --
> You received this message because you are subscribed to the Google Groups "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/a2580765-3cc2-482b-8d20-f62dc1e1dc91n%40googlegroups.com.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/cf2a07a1-adff-4a4b-9856-679c98c797cfn%40googlegroups.com.
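The pattern the thread settles on, reading a client's s-expression with `read` under `call-with-default-reading-parameterization`, as an added example (this is not code from the thread and not Racket's own code). The `(msg <string> <exact-integer>)` message shape, the 64 KiB size cap and the decision to additionally switch off `read-accept-graph` are assumptions made here for illustration; the rest uses only standard `racket/base` and `racket/port` bindings.

```racket
#lang racket/base
;; Added example: parse one datum from an untrusted client with `read`.
;; `call-with-default-reading-parameterization` resets every reader parameter
;; to its default, so the extensions that can load and run code (#reader,
;; #lang, compiled code via #~) are refused no matter how the surrounding
;; context (a REPL, DrRacket, a `racket/load` module) has configured the reader.
(require racket/match
         racket/port)

;; Assumed for this example: the largest message the server will parse at once.
(define max-message-bytes 65536)

;; Assumed wire format for this example: (msg <string> <exact-integer>).
;; `read` never evaluates anything, but the result is still only data the
;; application chose to accept once it has been checked against a schema.
(define (valid-message? v)
  (match v
    [(list 'msg (? string?) (? exact-integer?)) #t]
    [_ #f]))

;; Read one datum from an untrusted input port and return it, or raise.
(define (read-untrusted in)
  ;; Bound the bytes one message may consume; a datum cut off by the limit
  ;; surfaces as an ordinary read error rather than an unbounded read.
  (define limited (make-limited-input-port in max-message-bytes))
  (define v
    (call-with-default-reading-parameterization
     (lambda ()
       ;; The defaults already give read-accept-reader, read-accept-lang and
       ;; read-accept-compiled as #f. Additionally refuse #n= / #n# graph
       ;; syntax (assumption of this example) so a client cannot hand us a
       ;; cyclic structure that a naive recursive walk would loop on.
       (parameterize ([read-accept-graph #f])
         (read limited)))))
  (unless (valid-message? v)
    (raise-argument-error 'read-untrusted
                          "a (msg string exact-integer) datum" v))
  v)

(module+ main
  ;; Constructed sample inputs: one accepted message and four that must not be.
  (define samples
    (list "(msg \"alice\" 42)"                     ; well-formed: accepted
          "#reader racket/base (msg \"alice\" 42)" ; #reader refused by the reader
          "#lang racket (msg \"alice\" 42)"        ; #lang refused by the reader
          "#0=(msg \"alice\" #0#)"                 ; graph syntax refused
          "(msg \"alice\" (+ 40 2))"))             ; reads fine, fails the schema
  (for ([s (in-list samples)])
    (define result
      (with-handlers ([exn:fail? (lambda (e) (list 'rejected (exn-message e)))])
        (read-untrusted (open-input-string s))))
    (printf "~s -> ~s\n" s result)))
```

Two caveats the code above does not cover: the default parameterization says nothing about resource use, so a client that can send a pathologically large exact number or a deeply nested list can still cost CPU and memory, and running the read under `call-with-limits` from `racket/sandbox` is the usual answer; and the schema check is what makes the datum safe to act on, since `read` returning without error only means the text was syntactically a datum.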

