
Should collections be prevented from being used as functions?

Open helins opened this issue 2 years ago • 3 comments

E.g.

({:a :b} :a) ; -> :b

This construct is quite typical in functional programming and Clojure does it as well. However, in a :callable? function, this can very easily lead to code injection. Something so dangerous should probably not be so easy. It might be wiser to entirely remove this capability.

helins, Dec 22 '22 21:12

The main argument I can see for keeping this is the convenience of allowing certain higher order functional programming constructs e.g.:

  • A Set being passed as a predicate to a filtering operation
  • A Map being passed as a lookup function

With some static analysis, it should be easy to see if an untrusted input is being used in a dangerous position like this, but I agree it is definitely a risk that people need to be aware of. Unclear I think if we should remove this feature or somehow add some extra protections.

mikera, Dec 23 '22 08:12

In my experience, I have seldom needed to use sets and maps like that, even in Clojure. It does happen but not often. Not to the point where we should feel compelled to optimize the language for if it can clearly lead to detrimental effects.

Passing (fn [x] (get m x)) in those rare situations seems a minor inconvenience in comparison to the disasters it might prevent.

Not decided yet but balancing towards removal so far 🤔

helins, Dec 23 '22 11:12

I think I'm leaning towards removal too. A bit too dangerous... Code injection via data is a real risk equivalent to eval.

Only slightly strange thing is what to do with keyword accessors which use the same pattern i.e. (:field some-map). Probably needs to be a compiler special case?

mikera, Dec 28 '22 12:12
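
An added illustration, not part of the thread and not Convex code: plain Clojure (which the issue notes has the same construct) showing why a value in call position is riskier than the explicit `get` form proposed above, and why the keyword accessor `(:field some-map)` is a different case. All names are hypothetical, the inputs are constructed, and it assumes the risk discussed is an untrusted value reaching call position; Convex Lisp semantics may differ in detail.

```clojure
;; Added illustration in plain Clojure; every name here is hypothetical.
(def audit (atom []))  ; records when caller-supplied code actually runs

(defn lookup-by-call
  "Call-position lookup: invokes whatever value the caller passed as m."
  [m k]
  (m k))

(defn lookup-by-get
  "Explicit lookup: get only reads and never invokes its argument."
  [m k]
  (get m k))

(defn lookup-checked
  "Explicit lookup that also rejects anything that is not a map."
  [m k]
  (if (map? m)
    (get m k)
    (throw (ex-info "expected a map" {:got (type m)}))))

;; Constructed inputs: an ordinary map, and a function passed where data is expected.
(def plain-map {:a :b})
(def fn-as-data (fn [k] (swap! audit conj [:caller-code-ran k]) :b))

;; With a real map all three forms agree.
(assert (= :b (lookup-by-call plain-map :a)))
(assert (= :b (lookup-by-get plain-map :a)))
(assert (= :b (lookup-checked plain-map :a)))

;; Call position runs the caller's function inside the callee.
(assert (= :b (lookup-by-call fn-as-data :a)))
(assert (= [[:caller-code-ran :a]] @audit))

;; The explicit forms treat the same value as inert data: nothing is invoked.
(reset! audit [])
(assert (nil? (lookup-by-get fn-as-data :a)))
(assert (nil? (:a fn-as-data)))  ; keyword accessor: the callee is the literal keyword
(assert (try (lookup-checked fn-as-data :a) false
             (catch clojure.lang.ExceptionInfo _ true)))
(assert (empty? @audit))

;; The set-as-predicate convenience has an equally explicit spelling.
(def allowed #{:x :y})
(assert (= [:x] (filter #(contains? allowed %) [:x :z])))
```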