Creating a Lambda Web Service
A discussion covering several different aspects of web development, such as web service endpoints, web application security, and open source code.
A Lambda Web Service is something I doubt you have ever seen before, even though it is a highly interesting idea. It is a web service endpoint with "reversed responsibility." What I mean by that is that it's not the job of the web service to provide the code it is executing, but rather the responsibility of the client. Hence, the web service endpoint is simply given some code, which it executes using an "eval" construct.
What? This Is Insecure and Dangerous!
No, in fact, it's perfectly safe and secure, depending upon which language you are using to implement the web service and what constructs you have available in that language. I have created such a web service myself in Hyperlambda. It took me roughly 15-30 minutes, and it allows you to execute Hyperlambda on my server. Still, I doubt that you'd be able to execute malicious code, since I use an overload of "eval" that allows me to use a (secure) subset of my server's vocabulary of "functions" and "keywords."
For instance, if you try to save a file, an exception will be raised, since the "function" [save-file] is not in my web service endpoint's list of "whitelisted keywords." If you try to select something from my database, an exception will be raised. This allows me to "whitelist" only those functions that I consider to be safe, and thus control which functions and keywords any consumer is allowed to use on my server. So even though any random visitor to my web service can literally execute code on my server, this should pose no security risk for my server. In fact, I am so confident in that fact that I have created a GUI for my web service endpoint, allowing anyone to execute their own code on my server. Try it out below if you want to.
I want to emphasize that I spent 30 minutes creating the above web service, which is kind of the point. Arguably, this allows me to "externalize the cost" of consuming my web service to the clients that need to consume it for some reason, making my job dead simple while also arguably providing every single feature a web service endpoint might possibly need. In such a way, one single web service endpoint can easily replace thousands or millions of specialized web service implementations. In fact, below is 84 lines of code that have the capacity to replace every single web service endpoint you have ever written in your entire life! Below is a screenshot of its front-end.
In the above screenshot, you can see my code editor's AutoComplete dialogue. If I choose any of these keywords or functions, besides the 6 functions and keywords that are on my "whitelist," the execution will raise an exception. This allows me to whitelist only those API functions I happen to know for a fact are secure, preventing malicious coders from breaking into my server or somehow executing malicious code on it.
In my web service I have exposed 4 "keywords" and 2 "functions," allowing you to search through my Hyperlambda snippets database and see what "snippets" I have there. Since these functions use SQL parameters, this eliminates any risk with regard to SQL injection or similar constructs. Basically, I can allow any random visitor to execute code on my web service, and I can do this without compromising my server's security!
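The allowlist check described above, modeled in Python as an added example; it is not the author's code and not Phosphorus Five's [eval-whitelist] implementation. The small parser, the in-memory SNIPPETS and FILES stand-ins and the handler bodies are assumptions, every node is treated as a call, and only two of the six allowlisted names are implemented.

```python
# Python model of allowlisted evaluation (added example, not Phosphorus Five code).
# Simplification: every node is a call; in Hyperlambda children can also be data.
SNIPPETS = ["login form", "file upload", "login audit"]  # constructed sample data
FILES = {}  # stands in for the server's disk
# Full server vocabulary, including a function that must never be exposed.
VOCABULARY = {
    "return": lambda value, args: args[0] if args else value,
    "hypereval.snippets.search": lambda value, args: [s for s in SNIPPETS if value in s],
    "save-file": lambda value, args: FILES.__setitem__(value, args),
}
# Two of the six names on the page's allowlist (the ones this model implements).
ALLOWED = {"return", "hypereval.snippets.search"}


class NotAllowed(Exception):
    """Raised when submitted code invokes a function outside the allowlist."""


def parse(code):
    """Turn two-space-indented 'name:value' lines into [name, value, children] nodes."""
    root = ["", "", []]
    stack = [(-1, root)]
    for raw in code.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 2
        name, _, value = raw.strip().partition(":")
        node = [name, value, []]
        while stack[-1][0] >= depth:
            stack.pop()
        stack[-1][1][2].append(node)
        stack.append((depth, node))
    return root[2]


def invoke(node, allowed):
    """Guarded dispatcher: the allowlist check runs before any handler, at every depth."""
    name, value, children = node
    if name not in allowed:
        raise NotAllowed(name)
    args = [invoke(child, allowed) for child in children]
    return VOCABULARY[name](value, args)


def eval_allowlisted(code, allowed=ALLOWED):
    """Run client-supplied code; the result of the last statement is the response."""
    result = None
    for node in parse(code):
        result = invoke(node, allowed)
    return result
```

Because the check sits in the dispatcher rather than in a scan of the top-level statements, a disallowed call nested inside an allowed one is rejected before its handler runs.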
Alternatively, download Phosphorus Five, which allows you to play around with this construct on your own development machine. You can then use the following code to create a Hypereval "page" snippet, save it, and have your own Lambda web service endpoint.
/*
 * Creates our Web Service, both its GUI and its service implementation.
 */
p5.web.request.get-method
if:x:/-?value
  =:POST

  /*
   * Web Service invocation.
   *
   * Retrieving body of request, and executing it using [eval-whitelist],
   * and echoing the result of the execution to caller.
   */
  p5.web.request.get-body
  hyper2lambda:x:/-?value
  eval-whitelist:x:/-
    events
      set
      add
      src
      return
      hypereval.snippets.load
      hypereval.snippets.search
  lambda2hyper:-
  p5.web.echo:x:/-?value
  return

/*
 * Not a POST request, hence creating our Web Service's GUI.
 * Which contains a code editor, allowing the user to supply
 * his own code, for then to execute the code on my server.
 */
create-widget
  class:container
  oninit

    /*
     * Including Micro CSS file, serious skin, and fonts.
     */
    micro.css.include
  widgets
    div
      class:row
      widgets
        div
          class:col
          widgets
            h1
              innerValue:A Lambda Web Server

            /*
             * CodeMirror instance.
             */
            micro.widgets.codemirror:hyperlambda
              mode:hyperlambda
              auto-focus:true

            /*
             * Wrapper around our "execute Hyperlambda" button.
             */
            div
              class:right
              widgets
                button
                  innerValue:Execute
                  onclick

                    /*
                     * Retrieves code, executes it, and creates a modal window with
                     * the results of the execution.
                     */
                    micro.widgets.codemirror.get-value:hyperlambda
                    hyper2lambda:x:/-/*?value
                    eval-whitelist:x:/-
                      events
                        set
                        add
                        src
                        return
                        hypereval.snippets.load
                        hypereval.snippets.search

                    /*
                     * Displaying the result of execution.
                     *
                     * Hint; use [return] in your own code to have your
                     * invocation actually "return" something ...
                     */
                    eval-x:x:/+/*/*/*/*
                    create-widgets
                      micro.widgets.modal
                        widgets
                          pre
                            innerValue:x:/@eval-whitelist
84 lines of code, although heavily commented, arguably replacing every single web service endpoint you'd otherwise need.
And it even comes with a GUI front-end, to allow your consumers to play around with their code, before consuming it in their clients!