Re: Security Concerns section added to Query_by_reference from Steve Harris on 2009-03-25 (public-rdf-dawg@w3.org from January to March 2009)

From: Steve Harris <steve.harris@garlik.com>
Date: Wed, 25 Mar 2009 21:30:26 +0000
To: SPARQL Working Group <public-rdf-dawg@w3.org>
Message-Id: <368DE782-FDC1-48EC-A1D0-246D132EA984@garlik.com>

On 25 Mar 2009, at 15:30, Seaborne, Andy wrote:

> A practice-and-experience note.
>
> Queries that use FROM/FROM NAMED also cause servers to load data  
> from a remote reference and have the same serious issues.

There is a difference. The wording of FROM (8.2 Specifying RDF  
Datasets) is (deliberately IIRC) quite vague, and it doesn't  
explicitly require you to go and dereference a URI. For example we had  
a store that uses FROM NAMED to choose the, already loaded, graphs  
that will be used to answer the query, and that's legitimate from me  
reading of the spec.

- Steve

> In the Joseki example endpoint I run, there is an internal limit on  
> the size of the graph it will load (size by number of triples, the  
> number is quite low - the parsers stream and it counts the stream).  
> It only applies to data read in by URL, not if the query is on a  
> fixed dataset that the server already has.  It's not ideal but some  
> mechanism was needed, and, yes, it has been triggered and not just  
> occasionally.  There have requests to read in simply huge files by  
> HTTP GET.
>
> It also refuses to read "file:" URLs.
>
> Any SPARQL endpoint can reject a query for whatever reason it  
> chooses. Joseki provides a configuration option (per endpoint) to  
> reject queries with FROMN/FROM NAMED or the protocol equivalent, and  
> it is recommended to use that.
>
> So a processor can legitimately refuse to support any use  
> Feature:Query_by_reference.  If that might be common, the time spent  
> spec'ing isn't well spent IMHO.
>
> 	Andy
>
>> -----Original Message-----
>> From: public-rdf-dawg-request@w3.org [mailto:public-rdf-dawg-
>> request@w3.org] On Behalf Of Steve Harris
>> Sent: 25 March 2009 12:40
>> To: SPARQL Working Group
>> Subject: Security Concerns section added to Query_by_reference
>>
>> http://www.w3.org/2009/sparql/wiki/Feature:Query_by_reference
>>
>> In short, providing public systems that can trigger bigger external
>> requests than they receive is a serious security issue.
>>
>> - Steve
>>
>> --
>> Steve Harris
>> Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
>> +44(0)20 8973 2465  http://www.garlik.com/
>> Registered in England and Wales 535 7233 VAT # 849 0517 11
>> Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10
>> 9AD
>>
>

-- 
Steve Harris
Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
+44(0)20 8973 2465  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10  
9AD

Received on Wednesday, 25 March 2009 21:31:04 UTC