Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Creating a Lambda Web Service

DZone's Guide to

Creating a Lambda Web Service

A discussion covering several different aspects of web development, such as web service endpoints, web application security, and open source code.

· Web Dev Zone ·
Free Resource

Deploying code to production can be filled with uncertainty. Reduce the risks, and deploy earlier and more often. Download this free guide to learn more. Brought to you in partnership with Rollbar.

A Lambda Web Service is something I doubt you have ever seen before, even though it is a highly interesting idea. It is a web service endpoint with "reversed responsibility." What I mean by that is that it's not the job of the web service to provide the code it is executing, but rather the responsibility of the client. Hence, the web service endpoint is simply given some code, which it executes using an "eval" construct.

What? This Is Insecure and Dangerous!

No, in fact, it's perfectly safe and secure! Depending upon which language you are using to implement the web service, and what constructs you have available in that language. I have created such a web service myself in Hyperlambda. It took me roughly 15-30 minutes, and it allows you to execute Hyperlambda on my server. Still, I doubt that you'd be able to execute malicious code since I use an overload of "eval" that allows me to use a (secure) subset of my server's vocabulary of "functions" and "keywords."

For instance, if you try to save a file, an exception will be raised, since the "function"[save-file] is not in my web service endpoint's list of "whitelisted keywords." If you try to select something from my database, an exception will be raised. This allows me to "whitelist" only those functions that I consider to be safe, and thus control what legal functions and keywords any consumer is legally allowed to use on my server. So even though any random visitor to my web service can literally execute code on my server this should pose no security risk for my server. In fact, I am so confident in that fact, that I have created a GUI for my web service endpoint, allowing anyone to execute their own code, on my server. Try it out below if you want to.

I want to emphasize, I spent 30 minutes creating the above web service, which is kind of the point. Because, arguably, this allows me to "externalize the cost" of consuming my web service to the clients that need to consume it for some reason. Making my job dead simple, while also arguably providing every single feature a web service endpoint might possibly need. In such a way, one single web service endpoint can easily replace thousands or millions of specialized web service implementations. In fact, below is 84 lines of code that have the capacity to replace every single web service endpoint you have ever written in your entire life! Below is a screenshot of its front-end.

Image title

In the above screenshot, you can see my code editor's AutoComplete dialogue. If I choose any of these keywords or functions, besides the 6 functions and keywords that are on my "whitelist," the execution will raise an exception. This allows me to whitelist only those API functions I happen to know for a fact are secure, preventing malicious coders from breaking into my server or somehow executing malicious code on it.

In my web service I have exposed 4 "keywords" and 2 "functions," allowing you to search through my Hyperlambda snippets database, and see what "snippets" I have there. Since these functions are using SQL parameters, this eliminates any risk in regards to SQL injection, or similar constructs. Basically, I can allow any random visitor to execute code on my web service, and I can do this without compromising my server's security!

Or download Phosphorus Five here. The latter allows you to play around with this construct on your own development machine. At which point you can use the following code to create a Hypereval "page" snippet, save it, and have your own Lambda web service endpoint.

/*
 * Creates our Web Service, both its GUI and its service implementation.
 */
p5.web.request.get-method
if:x:/-?value
  =:POST

  /*
   * Web Service invocation.
   *
   * Retrieving body of request, and executing it using [eval-whitelist],
   * and echoing the result of the execution to caller.
   */
  p5.web.request.get-body
  hyper2lambda:x:/-?value
  eval-whitelist:x:/-
    events
      set
      add
      src
      return
      hypereval.snippets.load
      hypereval.snippets.search
  lambda2hyper:-
  p5.web.echo:x:/-?value
  return


/*
 * Not a POST request, hence creating our Web Service's GUI.
 * Which contains a code editor, allowing the user to supply
 * his own code, for then to execute the code on my server.
 */
create-widget
  class:container
  oninit

    /*
     * Including Micro CSS file, serious skin, and fonts.
     */
    micro.css.include

  widgets
    div
      class:row
      widgets
        div
          class:col
          widgets
            h1
              innerValue:A Lambda Web Server

            /*
             * CodeMirror instance.
             */
            micro.widgets.codemirror:hyperlambda
              mode:hyperlambda
              auto-focus:true

            /*
             * Wrapper around our "execute Hyperlambda" button.
             */
            div
              class:right
              widgets
                button
                  innerValue:Execute
                  onclick

                    /*
                     * Retrieves code, executes it, and creates a modal window with
                     * the results of the execution.
                     */
                    micro.widgets.codemirror.get-value:hyperlambda
                    hyper2lambda:x:/-/*?value
                    eval-whitelist:x:/-
                      events
                        set
                        add
                        src
                        return
                        hypereval.snippets.load
                        hypereval.snippets.search

                    /*
                     * Displaying the result of execution.
                     *
                     * Hint; use [return] in your own code to have your
                     * invocation actually "return" something ...
                     */
                    eval-x:x:/+/*/*/*/*
                    create-widgets
                      micro.widgets.modal
                        widgets
                          pre
                            innerValue:x:/@eval-whitelist

84 lines of code, although heavily commented, arguably replacing every single web service endpoint you'd otherwise need.

And it even comes with a GUI front-end, to allow your consumers to play around with their code, before consuming it in their clients!

Deploying code to production can be filled with uncertainty. Reduce the risks, and deploy earlier and more often. Download this free guide to learn more. Brought to you in partnership with Rollbar.

Topics:
web service ,web dev ,endpoints ,web application security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}