Blog posts

Upgrading to Yesod 1.6

By James Parker - October 13, 2018

Yesod 1.6 was released in February of this year. This new version changes how subsites are implemented, which breaks most Yesod web applications. I did not find many good resources describing how to migrate web applications to 1.6, so I am documenting the steps I took to fix my website. It was not immediately obvious what changes needed to be made, so hopefully this is helpful for others.

My website was originally running on Stackage LTS 9.2, so I upgraded to LTS 12.2 by updating my stack.yaml file:

resolver: lts-12.2

Continue reading...

Email Header Injection in mime-mail

By James Parker - May 23, 2017

mime-mail is a Haskell library used to compose and render emails. It is typically used in server-side software to send automated emails or construct emails from user supplied inputs.

While working on a website where I was constructing emails with POST data supplied by the user, I discovered that the mime-mail package was vulnerable to a header injection vulnerability. When browsing mime-mail's source code, I noticed that email headers were not being sanitized before being rendered. This meant that an attacker could insert additional email headers by injecting CLRF (\r\n) characters between the malicious headers. As a result, attackers could control parameters including the From, To, Reply-To, CC, BCC, and Subject fields. Since the emails are sent from the website, attackers could use this vulnerability to send spam, phish users for credentials, leak private information, or deface the site.

We can demonstrate the vulnerability with ghci, Haskell's REPL:

Continue reading...

Handling Multiple POST Forms in Yesod

By James Parker - February 14, 2017

Yesod, a web framework for Haskell, provides convenient functionality that makes it simple to render and parse web forms. Unfortunately, it is not as elegant when it comes to implementing a POST handler that can process multiple web forms. This blog post presents one approach that simplifies the processing of multiple web forms in a single handler.

The first step to handling multiple POST forms is to use the identifyForm function. This function takes a string that uniquely identifies a given form and embeds a hidden field in the form (which is given as the second argument). When parsing a request’s POST data, if the hidden field’s identifier does not match the form’s unique identifier, parsing will return a FormMissing. This allows the request handler to parse other forms until one parses successfully. Here is an example of how to use identifyForm:

-- Data type for formA. 
data FormDataA = FormDataA Text

Continue reading...


Build it, Break it, Fix it

Build it, Break it, Fix it is a security-oriented programming contest where participants implement a program according to a given specification. In the first round, the contest infrastructure automatically grades submissions based on correctness and performance. In the second round, contestants are given each other's source code and submit attacks against other participants that demonstrate confidentiality and integrity vulnerabilities. The web application is written in Yesod, a Haskell web framework, and the backend uses Docker containers to test submissions.


PKAuth enables simple and secure logins by leveraging public key cryptography.


Deni Bertovic and I develop and maintain docker-hs, an API client for Docker written in Haskell.


LMonad is an Information Flow Control (IFC) framework for Haskell applications. It is in the style of LIO, but generalized to track information flow for any monad using a monad transformer.


tld is a Haskell library that separates subdomains, domains, and top-level-domains from URLs.


Understanding the How and the Why: Exploring Secure Development Practices through a Course Competition

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS 22)

ANOSY: Approximated Knowledge Synthesis with Refinement Types for Declassification

Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022)

Balboa: Bobbing and Weaving around Network Censorship

Marc B. Rosen, James Parker, Alex J. Malozemoff
Proceedings of the 30th USENIX Security Symposium (USENIX 2021)

Verifying replicated data types with typeclass refinements in Liquid Haskell

Yiyun Liu, James Parker, Patrick Redmond, Lindsey Kuper, Michael Hicks, Niki Vazou
Proceedings of the ACM on Programming Languages, Volume 4 (OOPSLA 2020)

Build it, break it, fix it: Contesting secure development

ACM Transactions on Privacy and Security (TOPS 2020)

Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It

Proceedings of the 29th USENIX Security Symposium (USENIX 2020)

LWeb: Information flow security for multi-tier web applications

Proceedings of the ACM on Programming Languages, Volume 3 (POPL 2019)

Build It, Break It, Fix It: Contesting Secure Development

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 16)

Build It Break It: Measuring and Comparing Development Security

8th Workshop on Cyber Security Experimentation and Test (CSET 15)

LMonad: Information Flow Control for Haskell Web Applications

University of Maryland, Master's Thesis 2014

4D, N = 1 Supergravity Genomics

Isaac Chappell, Sylvester James Gates, Jr., William D. Linch III, James Parker, Stephen Randall, Alexander Ridgway, Kory Stiffler
Journal of High Energy Physics 2013 (10), 1-52

4D, N = 1 Supersymmetry Genomics (II)

Journal of High Energy Physics 2012 (6), 1-34

An Extended Detailed Investigation of First and Second Order Supersymmetries for Off-Shell N = 2 and N = 4 Supermultiplets

Symmetry 7 (2), 1080-1121

4D, N = 1 Supersymmetry Genomics (I)

Sylvester James Gates, Jr., James Gonzales, Boanne MacGregor, James Parker, Ruben Polo-Sherk, Vincent G.J. Rodgers, Luke Wassink
Journal of High Energy Physics 2009 (12), 008