[Lispweb] CL-TAINT and friends

Alan Shields Alan-Shields at omrf.ouhsc.edu
Fri Dec 23 17:25:46 CST 2005


Hello everyone,

Recently, while writing a web app, I wanted to keep the web app from
trusting the user. Actually, that's not exactly it: I kept noticing
myself parsing the user input over and over and over again in a certain
way.

I doubt I'm the only one.

So, I extended the small system I wrote for tainting values for
Araneida with a declarative construct that I think you might like/be
interested in. Keep in mind that while Araneida integrates this, the code
is entirely separate (darcs repo at the end).

Let's say that you're receiving GET parameters X, Y, and Z. They should
all be integers or NIL.

(with-detaint ((integer x y z))
   (format nil "x: ~S y: ~S z: ~S" x y z))

Does pretty much what you're looking for.

(with-detaint (((or integer 0) x y z))
   (format nil "x: ~S y: ~S z: ~S" x y z))

If there's no integer, it returns 0.

Here's another common one: S should be a string, but if it's empty it
should be NIL.

(with-detaint ((nestring s))
   (format nil "s: ~S" s))

And there you are.

There's a lot more to the library than that (symbols, pass through
filters, matchers, etc), and there's more to come.

I'd appreciate any input (besides "hook in regexps", which I already
plan to do), and keep in mind this is only the product of about 8 hours'
work.

Enjoy,
Alan Shields

darcs repo: http://code.microarray.omrf.org/darcs/cl-taint/
docs: http://code.microarray.omrf.org/darcs/cl-taint/taint-doc.html

Araneida testing has this integrated already.
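To show how a WITH-DETAINT construct of the kind described above can work, here is a minimal stand-in written for this page; it is not the cl-taint code, and it assumes request parameters arrive as a hypothetical alist of (name . string) pairs with the parameter name taken from the lowercased variable name.

```lisp
;; Added illustration, not cl-taint itself: a minimal WITH-DETAINT.
;; Constructed sample input standing in for untrusted GET parameters.
(defparameter *params* '(("x" . "42") ("y" . "4a2") ("s" . "")))

(defun raw-param (name)
  "Fetch the untrusted string for NAME, or NIL when it is absent."
  (cdr (assoc name *params* :test #'string-equal)))

(defun parse-strict-integer (string)
  "Return an integer only if STRING is entirely an optionally signed
decimal integer; anything else (\"4a2\", \"42 \", \"\", NIL) gives NIL."
  (and string
       (plusp (length string))
       (every (lambda (c) (or (digit-char-p c) (find c "+-"))) string)
       (handler-case (values (parse-integer string :junk-allowed nil))
         (error () nil))))

(defun detaint (spec raw)
  "Apply one type SPEC to the untrusted string RAW:
INTEGER -> integer or NIL; (OR INTEGER d) -> integer or the default d;
NESTRING -> non-empty string or NIL. Unknown specs are rejected."
  (cond ((eq spec 'integer) (parse-strict-integer raw))
        ((and (consp spec) (eq (first spec) 'or) (eq (second spec) 'integer))
         (or (parse-strict-integer raw) (third spec)))
        ((eq spec 'nestring) (and raw (plusp (length raw)) raw))
        (t (error "Unknown detaint spec ~S" spec))))

(defmacro with-detaint (bindings &body body)
  "BINDINGS is a list of (SPEC VAR...) groups. Each VAR is bound to the
detainted value of the parameter named by the lowercased symbol name."
  `(let ,(loop for (spec . vars) in bindings
               append (loop for var in vars
                            collect `(,var (detaint ',spec
                                                    (raw-param ,(string-downcase
                                                                 (symbol-name var)))))))
     ,@body))

;; x parses as an integer, y is not one and falls back to the default,
;; s is empty and so becomes NIL.
(with-detaint (((or integer 0) x y) (nestring s))
  (format nil "x: ~S y: ~S s: ~S" x y s))
```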
