Re: Security Concerns section added to Query_by_reference from Steve Harris on 2009-04-07 (public-rdf-dawg@w3.org from April to June 2009)

From: Steve Harris <steve.harris@garlik.com>
Date: Tue, 7 Apr 2009 13:04:00 +0100
To: Axel Polleres <axel.polleres@deri.org>, RDF Data Access Working Group <public-rdf-dawg@w3.org>
Message-Id: <6F9AF27A-710E-41E1-A99A-D5175A47BC95@garlik.com>

On 7 Apr 2009, at 12:32, Axel Polleres wrote:

> Steve Harris wrote:
>> On 6 Apr 2009, at 17:45, Axel Polleres wrote:
>>> Let me understand: What is the difference in terms of security  
>>> issues between query-by-reference and queries using REST or SOAP  
>>> queries?
>> Well, there's the additional DOS problem that query-by-reference  
>> brings.
>>> The same concerns you seem to rise hold there... quite on the  
>>> contrary, it seems that only allowing queries-by-reference from a  
>>> particular namespace would be a security feature rather than a leak.
>> OK, here's one example:
>> Imagine a corporate system, inside a firewall, hosting a number of  
>> services, and a SPARQL endpoint. There's a hole/bridge through the  
>> firewall to allow outside people to connect to the SPARQL store and  
>> issue approved queries by reference.
>> The systems inside the firewall are all in secure.example, eg.  
>> sparql.secure.example, and services1.secure.example.
>> The SPARQL store is configured to only accept references from  
>> services1.secure.example, a machine that uses SPARQL to provide  
>> services.
>> An attacker issues a request like ?query-ref=http://services1.secure.example/service/delete-all
>> As far as the SPARQL endpoint is concerned, that's legitimate, so  
>> it might reasonably try and dereference that URI (which is  
>> obviously a bad idea to a human).
>
> Well, so what I don't get is... Why is that obviously a bad idea? If  
> it is within the legitimate queries stored in that namespace, then  
> is is an allowed one. There might be more sophisiticated blocking  
> mechanisms than "by namesspace" but that is imo outside our scope...  
> the endpoint may reject references by any (internal) reason. And how  
> is that different from the GET version

http://services1.secure.example/service/delete-all is not supposed to  
be a SPARQL query, but a service endpoint that performs some actions  
when it's dereferenced. I guess I didn't make that clear.

- Steve

-- 
Steve Harris
Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
+44(0)20 8973 2465  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10  
9AD

Received on Tuesday, 7 April 2009 12:04:37 UTC