Fwd: Security Concerns section added to Query_by_reference from Steve Harris on 2009-04-07 (public-rdf-dawg@w3.org from April to June 2009)

From: Steve Harris <steve.harris@garlik.com>
Date: Tue, 7 Apr 2009 13:01:52 +0100
To: RDF Data Access Working Group <public-rdf-dawg@w3.org>
Message-Id: <EE578424-36D5-4059-ABF1-E6595EE039C7@garlik.com>

Sent this reply direct to Axel by mistake.

- Steve

Begin forwarded message:

> From: Steve Harris <steve.harris@garlik.com>
> Date: 7 April 2009 09:54:14 BST
> To: Axel Polleres <axel.polleres@deri.org>
> Subject: Re: Security Concerns section added to Query_by_reference
>
> On 6 Apr 2009, at 17:45, Axel Polleres wrote:
>
>> Let me understand: What is the difference in terms of security  
>> issues between query-by-reference and queries using REST or SOAP  
>> queries?
>
> Well, there's the additional DOS problem that query-by-reference  
> brings.
>
>> The same concerns you seem to rise hold there... quite on the  
>> contrary, it seems that only allowing queries-by-reference from a  
>> particular namespace would be a security feature rather than a leak.
>
> OK, here's one example:
>
> Imagine a corporate system, inside a firewall, hosting a number of  
> services, and a SPARQL endpoint. There's a hole/bridge through the  
> firewall to allow outside people to connect to the SPARQL store and  
> issue approved queries by reference.
>
> The systems inside the firewall are all in secure.example, eg.  
> sparql.secure.example, and services1.secure.example.
>
> The SPARQL store is configured to only accept references from  
> services1.secure.example, a machine that uses SPARQL to provide  
> services.
>
> An attacker issues a request like ?query-ref=http://services1.secure.example/service/delete-all
>
> As far as the SPARQL endpoint is concerned, that's legitimate, so it  
> might reasonably try and dereference that URI (which is obviously a  
> bad idea to a human).
>
> You could add extra layers, like calling HEAD first to try and find  
> if the query reference endpoint is planning to return a SPARQL query  
> by mime type, but all those kinds of hacks are fraught with danger,  
> and heavily dependent on everything else being secure and well- 
> written.
>
> - Steve
>
> -- 
> Steve Harris
> Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
> +44(0)20 8973 2465  http://www.garlik.com/
> Registered in England and Wales 535 7233 VAT # 849 0517 11
> Registered office: Thames House, Portsmouth Road, Esher, Surrey,  
> KT10 9AD

-- 
Steve Harris
Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
+44(0)20 8973 2465  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10  
9AD

Received on Tuesday, 7 April 2009 12:02:29 UTC