This looks quite interesting. Isn’t the way Query params are used as the Env a possible vector for maliciousness though, e.g. overwriting existing relied-upon environment variables. Perhaps this could be alleviated by prefixing the query string parameter names when loaded as the environment (e.g. HTTP_FOO instead of FOO).
This is quite similar to the register_globals issue that PHP suffered from for a long time.
Yeah, this is pretty much just a simpler version of CGI. CGI uses QUERY_PARAMS to store the entire params. You make a good point though, can overload apps that are using something else. Although I’m not sure what you would gain since these are explicitly wired to webframework in config file.
Yeah, theoretically, but one of the assumptions I'm using while running this for myself is that I'm not using pre-existing ENV vars in the executables I'm using. That can easily change though, so thanks for bringing it up.
curl host:3000?FOO=';rm -rf *'
False, sorry.
I was using raw shell input previously, so there was an actual attack vector. I changed the code to make it more secure.
[Comment removed by author]
They call it AWS Lambda ™ now.
Forgive me if I’m ignorant, why is this different to CGI?
CGI is an actual standard. This is just a quick hack I threw together to serve stand alone executables.
I’m making another version with a lower-level execute command to mitigate shell attacks.
https://github.com/tjgillies/unix-web/blob/master/src/server.cr#L11
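The two mitigations raised in this thread, prefixing query parameter names with HTTP_ before they become environment variables and executing the target without a shell, as an added Python example that is not unix-web's Crystal code; build_env, run_executable and round_trip are hypothetical names chosen here.

```python
import os
import subprocess
import sys
from urllib.parse import parse_qsl

# Hypothetical helper, not unix-web's own code: copy the query string into the
# child's environment under an HTTP_ prefix so a request cannot overwrite a
# variable the executable already relies on (PATH, HOME, LD_PRELOAD, ...).
PREFIX = "HTTP_"

def build_env(query_string, base_env):
    """Return base_env plus one HTTP_<NAME> entry per query parameter."""
    env = dict(base_env)                      # trusted values stay as they are
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        name = key.upper().replace("-", "_")
        # Reject anything that is not a plain ASCII identifier; no guessing.
        if not (name.isascii() and name.isidentifier()):
            continue
        env[PREFIX + name] = value            # unprefixed names are never written
    return env

def run_executable(argv, env):
    """Run argv without a shell; query values reach it only as env strings."""
    result = subprocess.run(argv, env=env, capture_output=True, text=True)
    return result.stdout

def round_trip(query_string):
    """Show that a value containing shell metacharacters arrives verbatim."""
    base = {"PATH": "/usr/bin:/bin", "HOME": os.environ.get("HOME", "/")}
    env = build_env(query_string, base)
    # A fixed Python one-liner stands in for the served executable.
    return run_executable(
        [sys.executable, "-c",
         "import os; print(os.environ.get('HTTP_FOO', ''), end='')"],
        env,
    )

if __name__ == "__main__":
    print(round_trip("FOO=%24HOME"))          # prints $HOME literally, not expanded
```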
There’s a shell injection attack in there, isn’t there?
https://github.com/tjgillies/unix-web/blob/master/src/server.cr#L7-L10
Wouldn’t the gain be security/stability?