
Kibit evaluates and runs code it parses with no option to disable it #235

Closed
irotem opened this issue Sep 23, 2019 · 1 comment · Fixed by #260

Comments

@irotem

irotem commented Sep 23, 2019

Trying out kibit, I found out it executes some of my code in my projects if, for instance, there is a form inside my code such as

#=(println "POC")

This happens because it is using clojure.tools.reader/read, which is an unsafe way of reading edn code.

I tried fixing this by changing it to use clojure.tools.reader.edn, but then some tests do not work and some weird behaviour occurs.

I think it is important to put a warning in the readme which says that running kibit on unverified code may execute code on the machine running it. In addition, it would be good to add an option for safely checking the code, in case someone wants to put kibit in their CI/CD pipeline in a secure way.
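The behaviour reported above comes from the reader's `#=` (read-eval) dispatch: clojure.tools.reader evaluates the following form at read time unless its dynamic var `clojure.tools.reader/*read-eval*` is bound to false. The following is an added demonstration, not code from kibit or from the issue author; it reads a constructed source string both ways so the difference is visible. The names `read-all-forms`, `safe-read-all` and `sample-source` are assumptions introduced here; it assumes `org.clojure/tools.reader` is on the classpath.

```clojure
(ns read-eval-demo
  (:require [clojure.tools.reader :as reader]
            [clojure.tools.reader.reader-types :as rt]))

;; Constructed sample source (not from any real project): a harmless defn,
;; a #= form that would print at read time, and one more ordinary form.
(def sample-source
  "(defn add [a b] (+ a b))\n#=(println \"POC\")\n(inc 1)")

(defn read-all-forms
  "Read every top-level form from source-str with clojure.tools.reader/read.
   read-eval? is bound to clojure.tools.reader/*read-eval*. Note that this is
   a separate var from clojure.core/*read-eval*; binding the core var (or
   passing -Dclojure.read.eval=false) does not affect tools.reader."
  [source-str read-eval?]
  (binding [reader/*read-eval* read-eval?]
    (let [rdr (rt/indexing-push-back-reader source-str)
          eof (Object.)]
      (loop [forms []]
        (let [form (reader/read {:eof eof} rdr)]
          (if (identical? form eof)
            forms
            (recur (conj forms form))))))))

(defn safe-read-all
  "Read with #= disabled. tools.reader throws a reader error as soon as it
   hits #= while *read-eval* is false, before the inner form is evaluated,
   so the caller gets a failure instead of a side effect."
  [source-str]
  (try
    {:ok true :forms (read-all-forms source-str false)}
    (catch Exception e
      {:ok false :error (.getMessage e)})))

(comment
  ;; Unsafe: prints "POC" to stdout while reading; the #= form reads as nil,
  ;; and the last form is returned as data, i.e. the list (inc 1), not 2.
  (read-all-forms sample-source true)

  ;; Safe: no output; returns {:ok false :error "..."} because the reader
  ;; rejects #= when *read-eval* is false.
  (safe-read-all sample-source)

  ;; Source without #= still reads normally in safe mode.
  (safe-read-all "(defn add [a b] (+ a b))"))
```

Binding `*read-eval*` to false keeps the full Clojure reader (regular syntax, reader conditionals, metadata) that the edn reader lacks, which is the problem the commenter hit with clojure.tools.reader.edn; the cost is that any file containing `#=` is reported as unreadable rather than analysed. A CI job that wants the safe behaviour would treat the `{:ok false}` result as a hard failure for that file.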

@danielcompton
Member

I'd take a docs patch for this at a minimum. I suspect that clojure.tools.reader.edn isn't going to do what we want, but would be open to suggestions if people can find a safe way to read the code.
