MOZI-AI / annotation-scheme

Human Gene annotation service backend
GNU General Public License v3.0

Whitelist the annotation functions that are executed #123

Closed Habush closed 4 years ago

Habush commented 4 years ago

This change adds restrictions on the functions that can be executed in the JSON request and prevents executing arbitrary functions.

rekado commented 4 years ago

This takes care of the most urgent issues of avoiding eval and comparing procedures against a whitelist, so that's a good change and should be merged.

There are a number of things that could be done to make this prettier, but this will do as a first pass.

Another thing that should be done is to limit lookups to known-good modules and not (current-module). This way you can use Guile's module system to restrict access instead of having to maintain a whitelist.
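As an added illustration (not code from the annotation-scheme repository), this is one way in Guile to combine the two points made in this thread: compare the requested name against a whitelist, and then resolve it with module-ref from one fixed, known-good module rather than through eval or (current-module). The module name (annotation api), the procedure names, the "drop-database" decoy and the request layout are all assumptions made for the example.

```scheme
;; Added example (not the project's own code): dispatch a request's
;; function name without eval, resolving it only from a known-good module.

;; Assumed: the public annotation procedures live in a module named
;; (annotation api).  It is created here inline so the example runs alone;
;; in the service it would be the module that really defines them.
(define api-module (resolve-module '(annotation api) #f))
(module-define! api-module 'gene-info
                (lambda (gene) (list 'gene-info gene)))
(module-define! api-module 'gene-go-annotation
                (lambda (gene . opts) (list 'go-annotation gene opts)))
;; Constructed decoy: bound in the same module but must never be callable.
(module-define! api-module 'drop-database
                (lambda () (error "should never run")))

;; Names a request may call.  Kept as strings so client input is compared
;; with string equality before anything is interned as a symbol.
(define whitelist '("gene-info" "gene-go-annotation"))

;; Resolve NAME from api-module only (never (current-module)); returns #f
;; when NAME is not whitelisted or is not bound in that module.
(define (lookup-annotation-procedure name)
  (and (member name whitelist)
       (module-ref api-module (string->symbol name) #f)))

;; REQUEST is the decoded JSON object as an alist, for example
;;   (("command" . "gene-info") ("args" "CCDC50"))
;; This shape is assumed; the real request format is not shown on the PR page.
;; A rejected request yields an error record instead of raising.
(define (run-request request)
  (let* ((command (assoc-ref request "command"))
         (args    (or (assoc-ref request "args") '()))
         (proc    (and (string? command)
                       (list? args)
                       (lookup-annotation-procedure command))))
    (if proc
        (apply proc args)
        (list 'error "unknown or disallowed annotation function" command))))

;; Constructed requests: one allowed, one that is bound but not whitelisted.
(format #t "~s\n" (run-request '(("command" . "gene-info") ("args" "CCDC50"))))
(format #t "~s\n" (run-request '(("command" . "drop-database"))))
```

Because the whitelist is checked before the module lookup, a procedure that happens to be bound in (annotation api) is still unreachable unless it is listed; dropping the whitelist and exporting only the intended procedures from a dedicated module, as the second comment suggests, would move that control into Guile's module system.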