Users should be able to control which core/built-in predicates and "custom" predicates (reachable via fully qualified names) are accessible during queries. This will help to secure the execution of queries that are constructed by untrusted clients. This could be achieved via a new topology option with a set of names for the allowed functions.
- If a user doesn't specify `:fn-allow-list` as an arg to the `:crux/query-engine` component, all functions are allowed
- `:fn-allow-list` should contain a set of symbols
- unqualified symbols should be assumed to be namespaces; all symbols from those namespaces should be allowed
- qualified symbols should be assumed to be functions
- strings should be conformed to symbols, for Java folks
- should throw a suitable `crux.error` error (probably IAE?) if a disallowed function is used in a query
- queries should be checked at query plan time (so that the check can be cached; we shouldn't need to re-check them at query execution)
- might be tempting, but `clojure.core` should not be a blanket exception to the rule; there are functions like `spit` and `slurp` which access more than they potentially should. (We could consider a built-in allow-list, or 'allow clojure.core but block some functions', if that's easier, but not a blanket allow)
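The following is an added sketch of how the rules above could be enforced at plan time; it is illustrative code written for this note, not Crux's own implementation. It takes the option name `:fn-allow-list`, the string-to-symbol conformance and the `IllegalArgumentException` suggestion from the issue; the shape of the query walk (predicate clauses as `[(f arg ...)]` or `[(f arg ...) binding]` inside `:where`, rule heads under `:rules`), the treatment of unqualified predicate symbols as `clojure.core` functions, and the function names `normalise-allow-list`, `fn-allowed?`, `predicate-symbols` and `check-query!` are all assumptions of this example.

```clojure
;; Added example, not Crux's own code. Assumes a Datalog-style query map with
;; :where clauses and optional :rules, as described in the lead-in.
(ns example.fn-allow-list)

(defn normalise-allow-list
  "Conform strings to symbols (for Java callers), then split the set into
  allowed namespaces (unqualified symbols) and allowed functions (qualified)."
  [allow-list]
  (let [syms (into #{} (map #(if (string? %) (symbol %) %)) allow-list)]
    {:namespaces (into #{} (comp (remove namespace) (map name)) syms)
     :functions  (into #{} (filter namespace) syms)}))

(defn fn-allowed?
  "A nil allow-list means everything is allowed (the issue's default).
  Assumption: an unqualified predicate symbol such as < resolves to clojure.core,
  so it is only allowed if clojure.core or clojure.core/< is listed."
  [allow f]
  (let [f (if (namespace f) f (symbol "clojure.core" (name f)))]
    (or (nil? allow)
        (contains? (:functions allow) f)
        (contains? (:namespaces allow) (namespace f)))))

(defn predicate-symbols
  "Collect the function symbols from predicate and function clauses anywhere in
  :where, including inside or/not bodies. Rule invocations look like predicate
  clauses, so rule names declared under :rules are excluded."
  [query]
  (let [rule-names (into #{} (map ffirst) (:rules query))]
    (->> (tree-seq coll? seq (:where query))
         (filter #(and (vector? %) (seq? (first %)) (symbol? (ffirst %))))
         (map ffirst)
         (remove rule-names)
         distinct)))

(defn check-query!
  "Plan-time check: throws IllegalArgumentException naming the first disallowed
  function, otherwise returns the query unchanged so the compiled plan (and this
  check's result) can be cached."
  [allow-list query]
  (let [allow (some-> allow-list normalise-allow-list)]
    (doseq [f (predicate-symbols query)]
      (when-not (fn-allowed? allow f)
        (throw (IllegalArgumentException.
                (str "Query uses function " f " which is not in :fn-allow-list")))))
    query))

(comment
  ;; explicit function entry plus a whole namespace, given as a string for Java callers
  (check-query! #{"clojure.string" 'clojure.core/<}
                '{:find [e] :where [[e :age age] [(< age 30)]]})

  ;; a rule invocation is not treated as a function call
  (check-query! #{'clojure.core/>=}
                '{:find [e]
                  :where [[e :age age] [(adult? age)]]
                  :rules [[(adult? age) [(>= age 18)]]]})

  ;; no allow-list at all: every function is permitted
  (check-query! nil '{:find [e] :where [[e :age age] [(< age 30)]]}))
```

Listing `clojure.core` as a namespace here would allow `slurp` and `spit` as well, which is exactly the blanket exception the last bullet argues against; listing only the specific `clojure.core/...` functions a deployment needs keeps the check narrow.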