Re: Security Concerns section added to Query_by_reference from Steve Harris on 2009-04-07 (public-rdf-dawg@w3.org from April to June 2009)

From: Steve Harris <steve.harris@garlik.com>
Date: Tue, 7 Apr 2009 14:57:35 +0100
To: Gregory Williams <greg@evilfunhouse.com>
Cc: RDF Data Access Working Group <public-rdf-dawg@w3.org>
Message-Id: <285F7823-CF13-4720-924D-86B0F8CAC732@garlik.com>

On 7 Apr 2009, at 14:35, Gregory Williams wrote:

> On Apr 7, 2009, at 8:01 AM, Steve Harris wrote:
>
>> OK, here's one example:
>>
>> Imagine a corporate system, inside a firewall, hosting a number of  
>> services, and a SPARQL endpoint. There's a hole/bridge through the  
>> firewall to allow outside people to connect to the SPARQL store and  
>> issue approved queries by reference.
>>
>> The systems inside the firewall are all in secure.example, eg.  
>> sparql.secure.example, and services1.secure.example.
>>
>> The SPARQL store is configured to only accept references from  
>> services1.secure.example, a machine that uses SPARQL to provide  
>> services.
>>
>> An attacker issues a request like ?query-ref=http://services1.secure.example/service/delete-all
>>
>> As far as the SPARQL endpoint is concerned, that's legitimate, so  
>> it might reasonably try and dereference that URI (which is  
>> obviously a bad idea to a human).
>
> I'm still not getting how this is different from using a "FROM <http://services1.secure.example/service/delete-all 
> >" clause in the SPARQL query? The underlying problem here seems to  
> me to be the existence of a HTTP GET operation that is deleting  
> data, and which could be triggered by a FROM clause, a query-ref  
> URI, or even a malicious webpage loaded from inside the firewall.  
> Surely any security measures you take with regard to FROM clauses  
> can be applied to query-ref URIs?

I never thought FROM was a good idea either :) I had the same concerns  
in the previous working group. I wouldn't find the "well, we've  
already let the genie out of the bottle" argument very convincing with  
regard to repeating the mistake.

Also, The wording of FROM makes it clear that you're not required to  
go an dereference anything. query-ref could do the same, but I'd  
rather we addressed these problems.

I would rather see something more like stored procedures, where  
clients supply the canned query directly.

- Steve

-- 
Steve Harris
Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
+44(0)20 8973 2465  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10  
9AD

Received on Tuesday, 7 April 2009 13:58:11 UTC