- From: Peter F. Patel-Schneider <pfpschneider@gmail.com>
- Date: Thu, 27 Apr 2017 08:26:21 -0700
- To: "public-rdf-shapes@w3.org" <public-rdf-shapes@w3.org>

SHACL-SPARQL can be used as a force multiplier for denial-of-service attacks using the SERVICE construct in SPARQL, even though SHACL states that the result of using the SERVICE construct is undefined in SHACL.

This happens because SHACL-SPARQL can evaluate SPARQL queries many times with little computational effort in the SHACL-SPARQL implementation and its associated SPARQL implementation. If this query includes a SERVICE construct then many SERVICE requests can be generated with little effort, which may not trigger any limitations on the amount of work performed in response to a request. This is a new enabler of denial-of-service attacks, not present in SPARQL by itself.

I reported the general problem with SERVICE in https://github.com/w3c/data-shapes/issues/73 but the working group recently labelled that as trivial and decided to close the issue.

Peter F. Patel-Schneider
Nuance Communications

Received on Thursday, 27 April 2017 15:26:57 UTC
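
One mitigation for the amplification described in the message above, added here as an example that is not part of the original message or of any SHACL implementation: refuse a shapes graph before validation if any of its SPARQL constraint queries contains the SERVICE keyword. It assumes the query strings have already been extracted from the shapes graph's `sh:select` / `sh:ask` values; the function names and sample queries are constructed, and the scan is a conservative token-level check that prefers false positives, not a full SPARQL parser.

```python
import re

# Spans in which the word SERVICE is not a keyword: strings, IRIs, comments.
_SKIP = re.compile(
    r'"""(?:[^"\\]|\\.|"(?!""))*"""'
    r"|'''(?:[^'\\]|\\.|'(?!''))*'''"
    r'|"(?:[^"\\\n]|\\.)*"'
    r"|'(?:[^'\\\n]|\\.)*'"
    r'|<[^<>"{}|^`\\\s]*>'
    r'|#[^\n]*',
    re.DOTALL,
)
# SERVICE as a keyword: not a variable (?service, $service), not part of a
# prefixed name (ex:service, service:x) and not the tail of a longer word.
# A preceding "." is allowed on purpose: "?s ?p ?o .SERVICE ?e {...}" is a call.
_SERVICE = re.compile(
    r'(?<![^\W\d])(?<![:?$@\-])SERVICE(?![\w:.\-])', re.IGNORECASE)


def uses_service(query):
    """Return True if the SPARQL text contains a SERVICE (federation) keyword."""
    return _SERVICE.search(_SKIP.sub(" ", query)) is not None


def rejected_constraints(queries):
    """Given {constraint name: query text}, list the names that must be refused."""
    return sorted(name for name, text in queries.items() if uses_service(text))


# Constructed sample queries (hypothetical shapes, reserved .example host).
SAMPLE_QUERIES = {
    "ex:Federated": """
        SELECT $this WHERE {
          $this ex:id ?id .
          SERVICE <http://endpoint.example/sparql> { ?x ex:id ?id }
        }""",
    "ex:Silent": "SELECT $this WHERE { $this ?p ?o .service silent ?ep { ?o ?q ?r } }",
    "ex:Harmless": '''
        # SERVICE is mentioned here only in a comment
        SELECT $this ?service WHERE {
          $this ex:service ?service ;
                rdfs:label "uses SERVICE <http://endpoint.example/sparql>" .
          FILTER (?service != <http://endpoint.example/service>)
        }''',
}

if __name__ == "__main__":
    print(rejected_constraints(SAMPLE_QUERIES))
```

Running the check once per shapes graph, before any focus node is evaluated, keeps its cost independent of how many times the validator would otherwise have executed the query.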