From 5deb4eac5b1c632e63a781300deaaf5a7756b942 Mon Sep 17 00:00:00 2001
From: Amr Gharbeia
Date: Fri, 17 Apr 2026 16:30:25 -0400
Subject: [PATCH] fix(security): Harden Lisp reader against macro injection in reason loop
---
 literate/reason.org | 5 +++--
 src/reason.lisp | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/literate/reason.org b/literate/reason.org
index f2f39f8..9152991 100644
--- a/literate/reason.org
+++ b/literate/reason.org
@@ -69,8 +69,9 @@ The `think` function represents the "intuitive" side of the agent. It identifies
 ;; Ensure we are working with a string for read-from-string
 (cleaned (if (stringp thought) (string-trim '(#\Space #\Newline #\Tab) thought) thought)))
 (if (stringp cleaned)
- (handler-case (read-from-string cleaned)
- (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c)))))
+ (let ((*read-eval* nil))
+ (handler-case (read-from-string cleaned)
+ (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c))))))
 cleaned))
 (list :type :LOG :payload (list :text (format nil "Skill '~a' triggered (Deterministic only)" (skill-name active-skill))))))
 nil)))
diff --git a/src/reason.lisp b/src/reason.lisp
index 25d6a27..306bcc5 100644
--- a/src/reason.lisp
+++ b/src/reason.lisp
@@ -44,8 +44,9 @@
 ;; Ensure we are working with a string for read-from-string
 (cleaned (if (stringp thought) (string-trim '(#\Space #\Newline #\Tab) thought) thought)))
 (if (stringp cleaned)
- (handler-case (read-from-string cleaned)
- (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c)))))
+ (let ((*read-eval* nil))
+ (handler-case (read-from-string cleaned)
+ (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c))))))
 cleaned))
 (list :type :LOG :payload (list :text (format nil "Skill '~a' triggered (Deterministic only)" (skill-name active-skill))))))
 nil)))
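Review bot: Binding `*read-eval*` to nil in the new `let` closes the `#.` read-time evaluation path, but `read-from-string` still runs with whatever `*package*` and `*readtable*` the reason loop inherits at call time, so every unqualified symbol in `thought` is interned into the caller's package and any reader macros installed in that readtable stay active; the same `let` is mirrored in the literate/reason.org hunk. A stream of distinct symbol names from the model grows that package without bound, and a `pkg::name` token reads into (and interns in) any other package, so pinning `*package*` and the readtable matters as much as `*read-eval*`. I would wrap the read in `with-standard-io-syntax` — which itself rebinds `*read-eval*` to T, so the inner `let` must stay — and bind `*package*` to a package reserved for parsed input, as below. Two smaller points: `handler-case` on `error` does not catch control-stack exhaustion from deeply nested input, which in the implementations I know of is signalled as a `storage-condition` rather than an `error`, and `read-from-string` returns after the first form, so trailing text in `cleaned` is dropped without producing an event. The enclosing `think` function starts before this hunk.
```lisp
(if (stringp cleaned)
    ;; with-standard-io-syntax pins *readtable*, the print variables and
    ;; *read-default-float-format*, but sets *read-eval* to T, so rebind it inside
    (with-standard-io-syntax
      (let ((*read-eval* nil)
            (*package* (find-package "<PACKAGE-RESERVED-FOR-PARSED-INPUT>")))
        (handler-case (read-from-string cleaned)
          (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c)))))))
    ;; … unchanged: non-string branch returns cleaned …
    cleaned))
```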