From 6024a9cc31bfe0901969bdfc36cc23981d01e6f2 Mon Sep 17 00:00:00 2001 From: James Reeves Date: Tue, 6 Aug 2013 16:45:30 +0100 Subject: [PATCH 1/2] Replace unsafe Clojure reader with safe EDN reader --- project.clj | 7 ++++--- src/taoensso/nippy.clj | 8 +++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/project.clj b/project.clj index 7c22550..b29c190 100644 --- a/project.clj +++ b/project.clj @@ -3,9 +3,10 @@ :url "https://github.com/ptaoussanis/nippy" :license {:name "Eclipse Public License" :url "http://www.eclipse.org/legal/epl-v10.html"} - :dependencies [[org.clojure/clojure "1.4.0"] - [expectations "1.4.49"] - [org.iq80.snappy/snappy "0.3"]] + :dependencies [[org.clojure/clojure "1.4.0"] + [org.clojure/tools.reader "0.7.5"] + [expectations "1.4.49"] + [org.iq80.snappy/snappy "0.3"]] :profiles {:1.4 {:dependencies [[org.clojure/clojure "1.4.0"]]} :1.5 {:dependencies [[org.clojure/clojure "1.5.1"]]} :1.6 {:dependencies [[org.clojure/clojure "1.6.0-master-SNAPSHOT"]]} diff --git a/src/taoensso/nippy.clj b/src/taoensso/nippy.clj index 9a6a541..a1f4262 100644 --- a/src/taoensso/nippy.clj +++ b/src/taoensso/nippy.clj @@ -5,7 +5,9 @@ (:require [taoensso.nippy (utils :as utils) (compression :as compression :refer (snappy-compressor)) - (encryption :as encryption :refer (aes128-encryptor))]) + (encryption :as encryption :refer (aes128-encryptor))] + [clojure.tools.reader + (edn :as edn)]) (:import [java.io DataInputStream DataOutputStream ByteArrayOutputStream ByteArrayInputStream] [clojure.lang Keyword BigInt Ratio PersistentQueue PersistentTreeMap @@ -227,7 +229,7 @@ (let [type-id (.readByte s)] (utils/case-eval type-id - id-reader (read-string (read-utf8 s)) + id-reader (edn/read-string (read-utf8 s)) id-bytes (read-bytes s) id-nil nil id-boolean (.readBoolean s) @@ -262,7 +264,7 @@ (bigint (read-biginteger s))) ;;; DEPRECATED - id-old-reader (read-string (.readUTF s)) + id-old-reader (edn/read-string (.readUTF s)) id-old-string (.readUTF s) id-old-map (apply hash-map (utils/repeatedly-into [] (* 2 (.readInt s)) (thaw-from-stream s))) From 6caff3503ef23e7f9cd2540172bb964fcdb0bf70 Mon Sep 17 00:00:00 2001 From: James Reeves Date: Tue, 6 Aug 2013 16:59:04 +0100 Subject: [PATCH 2/2] Remove read-eval option made unnecessary by EDN reader --- src/taoensso/nippy.clj | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/src/taoensso/nippy.clj b/src/taoensso/nippy.clj index a1f4262..4b7cb7a 100644 --- a/src/taoensso/nippy.clj +++ b/src/taoensso/nippy.clj @@ -285,11 +285,8 @@ (defn thaw-from-stream! "Low-level API. Deserializes a frozen object from given DataInputStream to its original Clojure data type." - [data-input-stream & [{:keys [read-eval?]}]] - (if (identical? *read-eval* read-eval?) - (thaw-from-stream data-input-stream) - (binding [*read-eval* read-eval?] ; Expensive - (thaw-from-stream data-input-stream)))) + [data-input-stream] + (thaw-from-stream data-input-stream)) (defn- try-parse-header [ba] (when-let [[head-ba data-ba] (utils/ba-split ba 4)] @@ -300,11 +297,8 @@ (defn thaw "Deserializes a frozen object from given byte array to its original Clojure data type. Supports data frozen with current and all previous versions of - Nippy. For custom types extend the Clojure reader or see `extend-thaw`. - - WARNING: Enabling `:read-eval?` can lead to security vulnerabilities unless - you are sure you know what you're doing." - [^bytes ba & [{:keys [read-eval? password compressor encryptor legacy-opts readers] + Nippy. For custom types extend the Clojure reader or see `extend-thaw`." + [^bytes ba & [{:keys [password compressor encryptor legacy-opts readers] :or {legacy-opts {:compressed? true} compressor snappy-compressor encryptor aes128-encryptor} @@ -323,7 +317,7 @@ ba (if compressor (compression/decompress compressor ba) ba) stream (DataInputStream. (ByteArrayInputStream. ba))] - (thaw-from-stream! stream {:read-eval? read-eval?})) + (thaw-from-stream! stream)) (catch Exception e (cond @@ -461,8 +455,7 @@ :password nil})) (defn thaw-from-bytes "DEPRECATED: Use `thaw` instead." - [ba & {:keys [read-eval? compressed?] + [ba & {:keys [compressed?] :or {compressed? true}}] (thaw ba {:legacy-opts {:compressed? compressed?} - :read-eval? read-eval? :password nil})) \ No newline at end of file