Some developers are spreading vicious and incorrect rumours about Hyperlambda and Phosphorus Five on the internet. To combat these rumours, I thought I'd prove its security. The way I have chosen to do that is to create a small page allowing anonymous access to execute "eval" on my server. My intention is to show that developers sometimes mindlessly repeat dogmatic teachings without understanding the context in which they are relevant.
For instance, in Phosphorus Five and Hyperlambda "eval" is perfectly safe, if you use it correctly. This is because Hyperlambda has an "overload" of eval, [eval-whitelist], which lets you supply the list of Active Events the evaluated code is permitted to invoke; anything not on that list is refused, so the caller cannot reach insecure Active Events that might produce dangerous side effects. The guarantee is only as strong as the list itself: every whitelisted event must be safe to hand to an anonymous caller, and none of them may evaluate its input with a wider set of events than the caller was given. Used that way, [eval-whitelist] enables some really interesting things, such as "lambda web services", where the client supplies the code to be executed without compromising security. Of course, those spreading rumours about Phosphorus Five's insecurity simply "avoid mentioning this 'tiny little detail'" while claiming "It's insecure, it contains 'eval' all over the place". The list of things they happen to leave out as they ramble on about Phosphorus Five's "insecurity" is much longer too, but since this seems to be the "most dangerous thing about Phosphorus Five", I thought that if they can't hack into it even though I have given them execute "eval" permissions, most of the other things they are claiming are probably not true either ... 😉
You can find the app here. You can also send HTTP POST requests to the same URL, with your Hyperlambda as the body of the request, and the result of your execution will be returned to your client. Below is the entire code that I used to create this page.

    /*
     * Creates a Hyperlambda "eval" page.
     */
    p5.web.request.get-method
    if:x:/-?value
      =:POST

      /*
       * Web Service invocation.
       * Retrieving body of request, and executing it using [eval-whitelist].
       */
      p5.web.request.get-body
      hyper2lambda:x:/-?value
      eval-whitelist:x:/-
        events
          set
          add
          src
          return
          hypereval.snippets.load
          hypereval.snippets.search

      /*
       * Returning the result of the evaluation to the client as Hyperlambda,
       * and stopping further evaluation so no page is rendered.
       */
      lambda2hyper:x:/-/*
      p5.web.echo:x:/-?value
      return

    /*
     * Creates a default page, with a header and a paragraph.
     */
    create-widget
      class:container
      oninit

        /*
         * Including Micro CSS file, serious skin, and fonts.
         */
        micro.css.include
      widgets
        div
          class:row
          widgets
            div
              class:col
              widgets
                h1
                  innerValue:Hack my server challenge

                /*
                 * CodeMirror instance.
                 */
                micro.widgets.codemirror:hyperlambda
                  mode:hyperlambda
                  auto-focus:true
                div
                  class:right
                  widgets
                    button
                      innerValue:Execute
                      onclick

                        /*
                         * Retrieves code, executes it, and creates a modal window with
                         * the results of the execution.
                         */
                        micro.widgets.codemirror.get-value:hyperlambda
                        hyper2lambda:x:/-/*?value
                        eval-whitelist:x:/-
                          events
                            set
                            add
                            src
                            return
                            hypereval.snippets.load
                            hypereval.snippets.search

                        /*
                         * Forward-evaluating the [innerValue] expression below,
                         * so the modal shows the result of [eval-whitelist].
                         */
                        eval-x:x:/+/*/*/*/*
                        create-widgets
                          micro.widgets.modal
                            widgets
                              pre
                                innerValue:x:/@eval-whitelist
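To make the whitelist idea concrete outside of Phosphorus Five, here is an added example (my own toy code, not anything from the project): a tiny interpreter for a Hyperlambda-like tree of "events" that checks the whitelist at every dispatch. The event names, the in-memory "snippet table" standing in for the MySQL-backed snippets, and the tuple encoding of a lambda are all constructed for this example. It shows the two properties the page relies on: a non-whitelisted event is refused before its handler runs, and a nested lambda (the body of a hypothetical general-purpose [eval]) is re-checked against the same list, so it cannot smuggle a forbidden event in.

```python
# Added example, not code from Phosphorus Five: a toy interpreter for a
# Hyperlambda-like tree of "events" that enforces an execution whitelist at
# every dispatch. Event names, the snippet table and the lambda encoding are
# constructed for this example.
from typing import Callable


class WhitelistViolation(Exception):
    """The untrusted lambda tried to invoke an event outside the whitelist."""


# A lambda is a list of nodes; a node is (event-name, value, child-nodes).
Node = tuple[str, object, list]

# Constructed stand-in for the read-only snippet table the page exposes.
SNIPPET_DB = {
    "hello": 'return:"hello world"',
    "sum": "set:x:/+?value\n  src:3",
}

# Side-effect counters so a test can prove dangerous handlers never ran.
DANGEROUS_CALLS = {"shell": 0, "load-file": 0}


def run(lam: list, allowed: frozenset, events: dict) -> list:
    """Evaluate `lam`, dispatching only to events named in `allowed`.

    The check happens per invocation, not as a one-time scan, so a nested
    lambda (for instance the body of [eval]) comes back through this same
    function and is checked against the same list again.
    """
    results: list = []
    for name, value, children in lam:
        if name not in allowed:
            raise WhitelistViolation(f"[{name}] is not whitelisted")
        results.extend(events[name](value, children, allowed, events))
    return results


# --- event handlers: (value, children, allowed, events) -> list of results ---

def ev_return(value, children, allowed, events):
    return [value]


def ev_snippets_search(value, children, allowed, events):
    # Read-only lookup: names of snippets containing `value`.
    return [name for name in SNIPPET_DB if value in name]


def ev_snippets_load(value, children, allowed, events):
    return [SNIPPET_DB[value]]


def ev_eval(value, children, allowed, events):
    # General-purpose eval; only acceptable because it re-enters run() with
    # the caller's whitelist rather than the full event table.
    return run(children, allowed, events)


def ev_shell(value, children, allowed, events):
    DANGEROUS_CALLS["shell"] += 1          # must never be reached by a client
    return [f"would execute: {value}"]


def ev_load_file(value, children, allowed, events):
    DANGEROUS_CALLS["load-file"] += 1      # must never be reached by a client
    return [f"would read: {value}"]


EVENTS: dict[str, Callable] = {
    "return": ev_return,
    "hypereval.snippets.search": ev_snippets_search,
    "hypereval.snippets.load": ev_snippets_load,
    "eval": ev_eval,
    "shell": ev_shell,
    "load-file": ev_load_file,
}

# What an anonymous caller is allowed to use (mirrors the page's list in spirit).
WHITELIST = frozenset({"return", "hypereval.snippets.search", "hypereval.snippets.load"})


def evaluate_untrusted(lam: list, allowed: frozenset = WHITELIST):
    """Entry point for client-supplied code; returns (ok, payload)."""
    try:
        return True, run(lam, allowed, EVENTS)
    except WhitelistViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Allowed: read-only snippet lookup, then return a value.
    print(evaluate_untrusted([("hypereval.snippets.search", "he", []),
                              ("return", "done", [])]))
    # Denied: direct call to a dangerous event.
    print(evaluate_untrusted([("shell", "rm -rf /", [])]))
    # Denied: [eval] is not whitelisted, and even a whitelist that included
    # it would still reject the nested [shell] on re-entry.
    print(evaluate_untrusted([("eval", None, [("shell", "id", [])])]))
    print(evaluate_untrusted([("eval", None, [("shell", "id", [])])],
                             WHITELIST | {"eval"}))
```

The point of the last two calls is the one that matters in practice: a whitelist is only safe when it is enforced by the dispatcher, so that code produced or nested at runtime cannot escape it, and when every whitelisted event is itself harmless to expose. A "search" event that reads a database is harmless only as long as it really is read-only and does not leak more than you intend.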
Notice that you also indirectly have read access to my MySQL database, since I have whitelisted a couple of the Hypereval "snippets" Active Events. If you can break into my server using a security flaw in Phosphorus Five, I will publicly admit that Phosphorus Five is insecure, and allow you to fill an article on my blog with whatever content you want. I will basically let you write a blog post on my website, telling my users anything you want about Phosphorus Five, me, and my person. And I will link to that article with a bold "warning" from the project's GitHub page, at the top of its README.md file.
I have only one criterion. Obviously I cannot guarantee that Linux, Ubuntu, MySQL, Apache, or any of the other pieces of software my box is using are safe, even though I am fairly confident in those projects too, considering the security hardening Phosphorus Five applies to your Linux box as it is being installed. However, I ask that you use a security hole in Phosphorus Five, not a hole in any of its supporting software, and that you prove you did by handing me a reproducible proof of concept, which I can use to verify that you used a security hole in Phosphorus Five and not one in Linux or Apache etc ...
Good luck! 😉
Epilogue: The next time you hear a mindless dogmatic belief, try to ask yourself two questions.
- What is the motive of those putting forth the claim?
- What is the context of what they are saying?
For instance, lots of users will attack Phosphorus Five for using a single server-side salt when hashing its passwords, rather than a salt per user. Their argument is worth stating precisely, because it is not about two passwords "colliding": a per-user salt exists so that an attacker who obtains the password table cannot test one guess against every stored hash at once, and cannot reuse a precomputed table across users. A server-wide salt already defeats precomputed tables; what it does not do is multiply the attacker's work by the number of users. For a system such as Phosphorus Five, intended as an enterprise web application framework with probably never more than a maximum of 1,000 registered users, I consider that remaining benefit small enough that the added complexity of a "per user based salt" is not worth it, and complexity has a security cost of its own.
Security is always about "beating the odds". To apply security adequately, you need to understand the context and the reasons why we do things the way we do. Simply "following best practices", without understanding why they were created in the first place, can reduce security instead of improving it ...
I also want to emphasise that my Linux box has not had a single additional security measure applied beyond what the default installation script of Phosphorus Five sets up. Still, I am willing to bet my honour that you won't be able to penetrate it, at least not through a security hole in Phosphorus Five!