by butternoodle
1215 days ago
As a security guy I would say this situation happens with reasonable frequency in REST web frameworks where developers are encouraged to use ORMs[0], and the design of Hyperfiddle/Electric is no more likely to fall victim to it. I'd actually take a punt that it's less likely because of Clojure's data-orientation. Given that the above-mentioned ORM-preferring frameworks typically have to define a whole new class and map the data from a server-side representation to a client-side representation, you're more likely to see developers not bother, forget or bungle the implementation aspect. What I'm interested in is how Electric Clojure handles mass assignment (unconstrained deserialization)[1], sort of the flip side of excessive data exposure. If an (e/server) s-exp uses the symbol `is-admin?`, will the server respect or discard values for `is-admin?` sent from the client?

[0] https://github.com/OWASP/API-Security/blob/master/2019/en/sr...
[1] https://github.com/OWASP/API-Security/blob/master/2019/en/sr...
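An added example, not from the comment or from Hyperfiddle/Electric, showing in plain data-oriented code the two issues the comment contrasts: a merge that respects a client-supplied `is-admin?` (mass assignment) beside an allow-list merge that discards it, plus a response projection for the excessive-exposure side. The record, payload and field names other than `is-admin?` are constructed for illustration.

```python
# Constructed sample data: a server-side user record and a client update
# payload that smuggles in the comment's `is-admin?` field.
SAMPLE_USER = {
    "id": 7,
    "display_name": "alice",
    "email": "alice@example.invalid",
    "password_hash": "<placeholder-hash>",
    "is-admin?": False,
}
SAMPLE_PAYLOAD = {"display_name": "alice2", "is-admin?": True}

# Allow-lists (not deny-lists): fields a client may write, and fields a
# client may see. Anything not listed is rejected or dropped by default.
CLIENT_WRITABLE = frozenset({"display_name", "email"})
CLIENT_VISIBLE = frozenset({"id", "display_name", "email"})


def apply_update_unsafe(user: dict, payload: dict) -> dict:
    # Mass assignment: every client-supplied key is merged into the record,
    # so a client can flip `is-admin?` on itself.
    return {**user, **payload}


def apply_update(user: dict, payload: dict) -> dict:
    # Only allow-listed keys are merged; `is-admin?` from the client is ignored.
    allowed = {k: v for k, v in payload.items() if k in CLIENT_WRITABLE}
    return {**user, **allowed}


def rejected_keys(payload: dict) -> list:
    # Keys the server discarded; worth logging, since a client sending
    # server-only fields is a useful detection signal.
    return sorted(set(payload) - CLIENT_WRITABLE)


def to_client_view(user: dict) -> dict:
    # Excessive data exposure, the flip side: project the server record down
    # to the client-visible fields instead of serialising the whole thing.
    return {k: v for k, v in user.items() if k in CLIENT_VISIBLE}


if __name__ == "__main__":
    print("unsafe:", apply_update_unsafe(SAMPLE_USER, SAMPLE_PAYLOAD))
    print("safe:  ", apply_update(SAMPLE_USER, SAMPLE_PAYLOAD))
    print("rejected:", rejected_keys(SAMPLE_PAYLOAD))
    print("view:  ", to_client_view(SAMPLE_USER))
```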