Hacker News new | ask | show | jobs
by jandrese 2930 days ago
Looking at the examples and thinking about how a C like program would process them, the S-Expressions look way more complex.

With JSON you know immediately what kind of datatype you are dealing with. You see a { you allocate an associative array, or if you see a [ you know you're about to get an ordered list. With S-Expressions it seems like you need to parse the entire thing and then figure out what kind of data structure you have.

In fact there doesn't appear to be any indicator at. Looking at 2.2.11.3 we see in the JSON that "messages" is an ordered list, but the content of the message is an associative array, but in the S-Expression they look identical.

So in C-like land you would end up with a big nested mess of arrays that are slow to parse and even harder to figure out the address of any object. There's a ton of friction that you don't have with JSON data.
1 comments
linschn 2930 days ago
When I need to parse or validate S-expressions, I just write the functions (here message, to, from, timestamp, etc.) so that eval()ing the S-expressions either validates it or returns whatever data structure I need.

So the easiest way would be to use or code a small lisp interpreter in C and eval the S-expression. For example, one could use Chicken Scheme to do so.

link
eropple 2930 days ago
Or we could...not...evaluate random code potentially coming from hostile environments. That would also be cool and good.

And, yes, it's possible to have vulnerabilities in a JSON parser--but it is orders of magnitude easier to have them in an arbitrary language parser.

link
linschn 2930 days ago
If you evaluate it in an environment where only the functions you choose are defined, the security risk is nil.

Validating a document is a complex, domain-dependant problem. It is far easier to create a secure Domain-Specific Language to handle this than to end up with an accidentally Turing complete abomination like XSLT: http://www.unidex.com/turing/utm.htm

link
krapp 2929 days ago
>If you evaluate it in an environment where only the functions you choose are defined, the security risk is nil.

Oh. So all you have to do is write perfectly secure code and run it in a perfectly secure environment, and nothing bad can possibly happen.

Well shit, why didn't anyone else ever think of that?

link
Sohcahtoa82 2930 days ago
> When I need to parse or validate S-expressions, I just write the functions (here message, to, from, timestamp, etc.) so that eval()ing the S-expressions either validates it or returns whatever data structure I need.

facepalm

As soon as you've decided to call an eval() function on potentially untrusted data, you've lost to an attacker.

link