careful w/ edn injection


Ignacio Thayer

Jul 11, 2014, 3:13:54 PM
to clo...@googlegroups.com

We noticed this possibility of EDN injection when mixing validated and
unvalidated data into a single EDN blob. It's hard to exploit, and in
some sense it's obvious, but I thought I'd share it since it caught us
off-guard and requires greater care than when serializing with JSON, for
example.

Given a ring/compojure handler that mixes trusted/untrusted data into a map:

     ;; Assumed requires (not shown in the original post): compojure.core for GET,
     ;; clojure.edn as edn, and a logging namespace (e.g. clojure.tools.logging) as lg.
     (GET "/submit-op" []
          (fn [req]
            (let [;; BAD: Mix unvalidated user input w/ trusted data (is-admin)
                  request-info {:raw-user-input (keyword (-> req :query-params (get "operation")))
                                :is-admin? false}
                  ;; Serialize it for a backend worker/task queue.
                  serialized (pr-str request-info)
                  ;; Just roundtrip it here for demonstration and print contents.
                  roundtripped (edn/read-string serialized)]
              ;; Note: `for` is lazy; the log calls only run once the seq is realized.
              (for [[k v] roundtripped]
                (lg/info "KEY[" k "]=" v)))))


and the following request:

     /submit-op?operation=register%20:is-admin?%20true}

the trusted data is overwritten:

     INFO  20140711 120431,062 rfz.web.routing ] KEY[ :raw-user-input ]= :register
     INFO  20140711 120431,063 rfz.web.routing ] KEY[ :is-admin? ]= true


If I missed something about this, I apologize. In any case, take care,
validate data (as always) and don't mix trusted and untrusted data in
a call to pr-str.

ignacio

James Reeves

Jul 11, 2014, 3:25:23 PM
to clo...@googlegroups.com
Ring uses a post condition to guard against this:


(defn- ^String serialize [x]
  {:post [(= x (edn/read-string %))]}
  (pr-str x))

- James


--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
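The vulnerable pattern from the first post and the round-trip guard James quotes, worked through end to end as an added example (this is not code from the thread or from Ring itself; the namespace, function names, the whitelist and the sample query value are constructed for the demonstration, and the input is assumed to arrive already URL-decoded as Ring's query-params middleware does). It shows why the injection works, namely that pr-str prints a keyword's name unescaped while edn/read-string silently stops at the first complete form, and three independent defences: a post-condition-style round-trip check, keeping untrusted input as a string (which pr-str does escape), and whitelisting the operation before it is ever turned into a keyword.

```clojure
(ns edn-injection-demo
  (:require [clojure.edn :as edn]))

;; Constructed sample input: the URL-decoded "operation" query value from the
;; request in the thread. It contains a space, a keyword and a closing brace.
(def malicious-operation "register :is-admin? true}")

;; VULNERABLE (as in the original handler): (keyword s) accepts any string, and
;; pr-str prints the keyword name verbatim, so the input's characters become
;; EDN syntax inside the serialized map.
(defn serialize-unsafe [operation]
  (pr-str {:raw-user-input (keyword operation)
           :is-admin? false}))

;; Defence 1: round-trip check in the style of Ring's session serializer.
;; If printing and reading back does not reproduce the value, the printed
;; form was torn apart and must not be handed to a consumer.
(defn serialize-checked [x]
  (let [s (pr-str x)]
    (when-not (= x (edn/read-string s))
      (throw (ex-info "value does not round-trip through EDN" {:value x})))
    s))

;; Defence 2: never promote untrusted text to a symbol-like type. Strings are
;; printed with quotes and escapes, so delimiters inside them stay data.
(defn serialize-as-string [operation]
  (pr-str {:raw-user-input operation
           :is-admin? false}))

;; Defence 3: whitelist the operation before it becomes a keyword (constructed
;; set of operations for this example).
(def allowed-operations #{"register" "login" "logout"})

(defn validate-operation [operation]
  (when-not (contains? allowed-operations operation)
    (throw (ex-info "unknown operation" {:operation operation})))
  (keyword operation))

(defn demo []
  ;; 1. The unsafe path: the blob is
  ;;    {:raw-user-input :register :is-admin? true} :is-admin? false}
  ;;    and read-string returns only the first form, so the trusted flag is lost.
  (let [blob   (serialize-unsafe malicious-operation)
        parsed (edn/read-string blob)]
    (println "unsafe blob:  " blob)
    (println "unsafe parsed:" parsed)
    (println "is-admin? overwritten:" (true? (:is-admin? parsed))))
  ;; 2. The round-trip check rejects the same value instead of emitting it.
  (try
    (serialize-checked {:raw-user-input (keyword malicious-operation)
                        :is-admin? false})
    (catch clojure.lang.ExceptionInfo e
      (println "checked:       rejected -" (.getMessage e))))
  ;; 3. Kept as a string, the input survives intact and :is-admin? stays false.
  (println "string parsed: " (edn/read-string (serialize-as-string malicious-operation)))
  ;; 4. The whitelist never lets the malicious value become a keyword at all.
  (try
    (validate-operation malicious-operation)
    (catch clojure.lang.ExceptionInfo e
      (println "whitelist:     rejected -" (.getMessage e)))))

(demo)
```

Running the file with `clojure -M edn_injection_demo.clj` (or loading it in a REPL) prints the unsafe parse as `{:raw-user-input :register, :is-admin? true}` and then the three rejections or safe results. The round-trip check is the cheapest retrofit for code that already calls pr-str on mixed data, but it only detects the damage after the fact; keeping untrusted values as strings or whitelisting them removes the problem at the source, and the two can be combined.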

Ignacio Thayer

Jul 11, 2014, 3:41:18 PM
to clo...@googlegroups.com
Nice, that's a good way to check for this type of thing. Ring only uses this in the Cookie implementation of SessionStore, is that right?

ignacio

