Is Execute unsafe in namespace paths?


I'm handling a JSON string converted into a namespace. Here's a toy example to illustrate my concern: What if a malicious client POSTed this payload?

js←'{"foo": "bar", "⎕OFF": "bye"}'   ⍝ this is what is POSTed by a client
ns←(⎕JSON ⍠'D')js                   ⍝ when the payload reaches my code it has been converted into a namespace
ns.(⍎¨⎕nl ¯2)                       ⍝ when validating, I sometimes use this technique. Is it safe?

This example actually returns

┌───┬───┐
│foo│bye│
└───┴───┘

but to really sleep at night, I'd like some more reassurance. Will name mangling always be enough?


Solution

  • I think you can rest assured that (⍎¨⎕nl ¯2) will always be safe, in the sense that it cannot result in "code injection": it can only return the values of the variables in the relevant namespace.

    Having said that, we are working on better ways to both "dereference" and set variables without the use of execute. Execute is like shooting sparrows with a cannon, and always leaves you feeling a bit unsafe, no matter how long you think about it.

    Adam Brudzewsky will be presenting his latest proposals for "Getting and Setting Variables" at the Dyalog'23 User Meeting in Elsinore, 15-19 October 2023, and a recording of that talk will be made available later this year.
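
A guarded form of the dereference discussed above, as an added example that is not part of the original question or answer. It goes one step beyond the thread by also covering name strings that do not come from ⎕NL; `Deref` and `Try` are hypothetical names, and the payload is the constructed one from the question.

```apl
⍝ Added example; Deref and Try are hypothetical names, not Dyalog primitives
js←'{"foo": "bar", "⎕OFF": "bye"}'   ⍝ constructed payload, as in the question
ns←(⎕JSON⍠'D')js                     ⍝ keys become variable names, mangled where needed

⍝ ns Deref name: value of the variable called name in ns.
⍝ ⎕NC of an enclosed name is 2.1 only for an ordinary variable;
⍝ anything else is refused with DOMAIN ERROR before ⍎ ever sees it.
Deref←{2.1≠⍺.⎕NC⊂,⍵:('Not a variable: ',⍵)⎕SIGNAL 11 ⋄ ⍺⍎⍵}

⍝ Try: like Deref on ns, but returns 'refused' instead of signalling
Try←{0::'refused' ⋄ ns Deref ⍵}

names←ns.⎕NL ¯2                      ⍝ names as APL holds them, after mangling
vals←ns∘Deref¨names                  ⍝ same lookup as ns.(⍎¨⎕NL ¯2), with the guard

⍝ Strings taken straight from the payload rather than from ⎕NL:
⍝ only the one that names an existing variable is dereferenced
raw←Try¨'foo' '⎕OFF' 'foo ⋄ ⎕OFF'
```

The guard matters only when the name list has a source other than `⎕NL`, for example keys read from the raw JSON text or supplied separately by the client.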