Wrox Programmer Forums
You are currently viewing the XSLT section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
May 7th, 2007, 04:32 AM
Authorized User (Join Date: Jul 2006, Posts: 54)
Subject: security on Xquery

Hi everyone,
I'm working on a server-side application that has to process Xquery statements that come in HTTP GET requests.

i.e. http://www.example.com/Situation/con...uery=Situation[time<'2007-04-30T12:00:00']

Malicious or careless clients could issue a complex query that takes very long to evaluate and therefore make my application inoperative.

I was wondering if there is any way to check out the query in order to determine the security risk they may cause.

Thanks for the help.


Tomi.


May 7th, 2007, 05:34 AM
mhkay, Wrox Author (Join Date: Apr 2004, Posts: 4,962)

It's not only denial of service threats you need to worry about: malicious queries can potentially use the doc() function to access files on your server, or call Java extension functions which make arbitrary changes to your system. The way you defend against such threats depends very much on the XQuery processor that you are using.

Michael Kay
http://www.saxonica.com/
Author, XSLT Programmer's Reference and XPath 2.0 Programmer's Reference
May 7th, 2007, 07:14 AM
Authorized User (Join Date: Jul 2006, Posts: 54)

I'm using saxon.

The first idea that comes to my mind to tackle this problem is to create a regular expression that only allows some kind of queries.

i.e. if (query.matches("(situation/*)")) {
         // ok
     } else {
         // error
     }

Is there any easier way (the regular expression is too complex), like configuring Saxon so that it only allows some kind of queries?

I would be pleased if you could send me any information about this matter or links where this is discussed.

Many thanks.

Tomi.


May 7th, 2007, 07:34 AM
mhkay, Wrox Author (Join Date: Apr 2004, Posts: 4,962)

With Saxon, the most important things are

(a) inhibit calls on external Java code, which can be done using Configuration.setAllowExternalFunctions(false)

(b) restrict use of the doc() function by writing a URIResolver which checks for the URIs you want to allow

There's no easy way to restrict the running time of the query at the Saxon level. There may be facilities in the application server or servlet container from which Saxon is run, I'm afraid I don't know. You could write a Saxon TraceListener that monitors the execution time, but it might add significant overhead, and it's not foolproof anyway since the long-running expression might be one that doesn't generate any trace events.

Using regular expressions or other syntactic restrictions on the query text doesn't seem a particularly effective approach to me. The relationship between query complexity and execution time is a very indirect one.

However, you might like to consider restricting the user to use XPath rather than XQuery. That would prevent them doing things like user-defined functions, which pose the risk of infinite recursion.

Michael Kay
http://www.saxonica.com/
Author, XSLT Programmer's Reference and XPath 2.0 Programmer's Reference

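The two Saxon-level measures from the reply above, (a) switching off external Java functions and (b) routing doc() through a URIResolver that enforces an allow-list, put together as an added example. This is not code from the thread or from Saxonica; it assumes the Saxon 8.x classes named in the thread (Configuration, StaticQueryContext, DynamicQueryContext, XQueryExpression), and the class name RestrictedQueryRunner, the base URI file:///var/data/situations/ and the sample query are all made up for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;

import net.sf.saxon.Configuration;
import net.sf.saxon.query.DynamicQueryContext;
import net.sf.saxon.query.StaticQueryContext;
import net.sf.saxon.query.XQueryExpression;

/**
 * Example (not Saxon's own code): a Configuration locked down for queries
 * that arrive from untrusted HTTP clients. Class and base URI are assumed.
 */
public class RestrictedQueryRunner {

    /** Only documents under this base URI may be opened by doc(). Assumed path. */
    private static final String ALLOWED_BASE = "file:///var/data/situations/";

    /**
     * URIResolver that refuses any URI outside ALLOWED_BASE.
     * It throws instead of returning null: a null result tells Saxon to fall
     * back to its standard resolver, which would open the URI after all.
     */
    static class AllowListResolver implements URIResolver {
        public Source resolve(String href, String base) throws TransformerException {
            String absolute;
            try {
                // Resolve relative references against the base and collapse "." and ".."
                // segments before checking the prefix, so "../etc/passwd" cannot slip past.
                URI baseUri = new URI(base == null ? ALLOWED_BASE : base);
                absolute = baseUri.resolve(href).normalize().toString();
            } catch (URISyntaxException e) {
                throw new TransformerException("Malformed document URI: " + href, e);
            }
            if (!absolute.startsWith(ALLOWED_BASE)) {
                throw new TransformerException("Access to " + absolute + " is not permitted");
            }
            return new StreamSource(absolute);
        }
    }

    private final Configuration config;

    public RestrictedQueryRunner() {
        config = new Configuration();
        // (a) no calls from the query into arbitrary Java code
        config.setAllowExternalFunctions(false);
        // (b) every doc() call goes through the allow-list resolver
        config.setURIResolver(new AllowListResolver());
    }

    /** Compiles and evaluates an untrusted query under the restricted configuration. */
    public List run(String queryText) throws Exception {
        StaticQueryContext staticContext = new StaticQueryContext(config);
        XQueryExpression expression = staticContext.compileQuery(queryText);
        DynamicQueryContext dynamicContext = new DynamicQueryContext(config);
        return expression.evaluate(dynamicContext);
    }

    public static void main(String[] args) throws Exception {
        RestrictedQueryRunner runner = new RestrictedQueryRunner();
        // Stands in for the value of the "query" request parameter; constructed sample.
        String query = "doc('situations.xml')/Situation[time < '2007-04-30T12:00:00']";
        System.out.println(runner.run(query));
        // A query such as doc('../../etc/passwd') fails in the resolver with
        // "Access to ... is not permitted" before any file is opened.
    }
}
```

The resolver only governs doc() and document(); Saxon routes collection() through its own resolver, which needs the same kind of restriction. As the reply says, none of this bounds execution time: a query that is allowed to run can still run for as long as it likes, and that limit has to come from the container around Saxon.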