Fwd: "Safe Mode" processing for XSLT from Achim Berndzen on 2015-06-03 (xproc-dev@w3.org from June 2015)

From: Achim Berndzen <achim.berndzen@xml-project.com>
Date: Wed, 3 Jun 2015 15:45:46 +0200
To: xproc-dev@w3.org
Message-Id: <E8BF610C-9119-40D8-AAD9-602089A5CD3E@xml-project.com>

> Anfang der weitergeleiteten Nachricht:
> 
> Von: Achim Berndzen <achim.berndzen@xml-project.com>
> Betreff: Aw: "Safe Mode" processing for XSLT
> Datum: 3. Juni 2015 15:44:20 MESZ
> An: Conal Tuohy <conal.tuohy@gmail.com>
> 
> Hello Conal,
> you are right: The security system of MorganaXProc is implemented for the whole pipeline running and allows you to select which resources can be accessed (and in which way). There is no possibility to configurate the security system for individual steps. May be I should think about that.
> 
> Greetings from Germany,
> Achim
> 
> ------------------------------------------------
> Achim Berndzen
> achim.berndzen@xml-project.com
> 
> http://www.xml-project.com
> 
> 
> 
> 
>> Am 03.06.2015 um 10:24 schrieb Conal Tuohy <conal.tuohy@gmail.com>:
>> 
>> To answer my own question about a "safe mode" for running user-contributed XSLT, it seems that MorganaXProc has a more general security system that could be used: http://www.xml-project.com/documentation/morgana-userguide/morgana-security/#safety
>> 
>> At first glance it looks like the Morgana "safe mode" applies too generally (in that it applies to an entire pipeline rather than just to a certain set of p:xslt steps), but in a web service environment, you could run a second instance of MorganaXProc, configured to be as safe as possible, and delegate any "safe mode" XSLT transformations to that service.
>> 
>> On 2 June 2015 at 17:19, Conal Tuohy <conal.tuohy@gmail.com> wrote:
>> I have been writing some web applications in XProc, using Calabash, and I've struck the issue that user-supplied (uploaded) XSLT transforms can present a security risk. Since XSLT is Turing complete it can provide a powerful extension mechanism for an XML-processing app, but you need to tightly control access to the web app itself unless you can run such XSLT in a sandbox.
>> 
>> I had a vague but false memory that the p:xslt step had an option to enforce a kind of "safe mode". Alas it looks like wishful thinking.
>> 
>> It seems to me that to perform secure XSLT processing one would need to be able to supply a URI resolver to prevent access to the local file system, and to disable any XSLT extension functions that might pose a risk, and perhaps even to enforce a timeout on XSLT execution.
>> 
>> Has anyone implemented anything like this, either in Calabash or some other processor?
>> 
>> 
>> Conal
>> 
>

Received on Wednesday, 3 June 2015 13:46:12 UTC