cch1 · June 23, 2021 19:57 · cch1 · Jun 23, 2021 · cch1 · Jun 23, 2021
diff --git a/template.clj b/template.clj
 (ns template
  (:require [clojure.edn :as edn]
            [clojure.string :as string]))

 ;; Tagged literals do not need to be limited to being represented by a single string.  Here we represent a value with a tuple of `magic` and `value`.
 (defn read-magic [[magic value]]
  (case magic
    :c (string/capitalize value)
    :l (string/lower-case value)
    :u (string/upper-case value)))

 ;; CH templates provided two "interpolation" mechanisms: EDN's tagged literals and arbitrary Clojure code execution.
 ;; 1. EDN tagged literals: by treating the template as an EDN data structure we can introduce a controlled set of tagged literals.
 ;; The set of tagged literals available is static at run time (introduced in the first arg to edn/read-string) but the reader
 ;; for each tagged literal can be as rich as we want -including closures (see tag `c).
 ;; 2. Code evaluation: *IFF* we control the template, we can ensure it is "safe" to evaluate as Clojure code.  This opens up
 ;; a world of complexity that should be carefully wielded.  A simple affordance might be to dynamically bind some
 ;; well-known local symbols like `tenant` or `user` to provide a substitution mechanism.  But be careful where these values (the
 ;; RHS of the binding pairs) comes from: strings read directly from HTTP query params (and possibly manipulated to cast them) are
 ;; safe because they cannot become s-expressions.
 (defn interpolate-template
  "Interpolate the edn serialized data `tstring` and evaluate with bindings provided by the `bindings` map"
  [tstring environment bindings]
  (let [bindings (mapcat identity bindings)
        readers {'magic read-magic 'c (fn [x] (str environment "-" x))} ; adding new tags is this easy
        template (edn/read-string {:readers readers} tstring)]
    (eval `(let [~@bindings] ~template))))

 (let [query-params {"tenant" "gra"}
      bindings {'user 23
                'tenant (keyword (get query-params "tenant" "gri")) ; this kind of binding injection is safe
                'z '(prn "Arbitrary code can sneak in as a binding value ... be careful where you source them!")}
      tstring "[tenant {:x 25 :user user :magic #magic [:u \"value\"]} (do (prn \"This is execution of arbitrary code in the template!\") 72) #c \"saas\"]"]
  (interpolate-template tstring "production" bindings))
	(ns template
	(:require [clojure.edn :as edn]
	[clojure.string :as string]))

	;; Tagged literals do not need to be limited to being represented by a single string. Here we represent a value with a tuple of `magic` and `value`.
	(defn read-magic [[magic value]]
	(case magic
	:c (string/capitalize value)
	:l (string/lower-case value)
	:u (string/upper-case value)))

	;; CH templates provided two "interpolation" mechanisms: EDN's tagged literals and arbitrary Clojure code execution.
	;; 1. EDN tagged literals: by treating the template as an EDN data structure we can introduce a controlled set of tagged literals.
	;; The set of tagged literals available is static at run time (introduced in the first arg to edn/read-string) but the reader
	;; for each tagged literal can be as rich as we want -including closures (see tag `c).
	;; 2. Code evaluation: IFF we control the template, we can ensure it is "safe" to evaluate as Clojure code. This opens up
	;; a world of complexity that should be carefully wielded. A simple affordance might be to dynamically bind some
	;; well-known local symbols like `tenant` or `user` to provide a substitution mechanism. But be careful where these values (the
	;; RHS of the binding pairs) comes from: strings read directly from HTTP query params (and possibly manipulated to cast them) are
	;; safe because they cannot become s-expressions.
	(defn interpolate-template
	"Interpolate the edn serialized data `tstring` and evaluate with bindings provided by the `bindings` map"
	[tstring environment bindings]
	(let [bindings (mapcat identity bindings)
	readers {'magic read-magic 'c (fn [x] (str environment "-" x))} ; adding new tags is this easy
	template (edn/read-string {:readers readers} tstring)]
	(eval `(let [~@bindings] ~template))))

	(let [query-params {"tenant" "gra"}
	bindings {'user 23
	'tenant (keyword (get query-params "tenant" "gri")) ; this kind of binding injection is safe
	'z '(prn "Arbitrary code can sneak in as a binding value ... be careful where you source them!")}
	tstring "[tenant {:x 25 :user user :magic #magic [:u \"value\"]} (do (prn \"This is execution of arbitrary code in the template!\") 72) #c \"saas\"]"]
	(interpolate-template tstring "production" bindings))