Re: Followup to RC-4

On Tue, Sep 27, 2011 at 4:58 PM, Steve Harris <steve.harris@garlik.com> wrote:
> On 27 Sep 2011, at 19:25, Paul Gearon wrote:
>
>> I don't know the process for modifying a document after Last Call, so
>> I'm asking the list here.
>>
>> In Richard's email of RC-4 [1], he expresses concern that a harmful
>> update operation may be embedded in a query:
>>
>>> The risk is that a) users can be tricked into running harmful queries, and b) software that uses
>>> heuristics to detect queries with potential security impact will be less likely to work.
>>>
>>> This may have been ok in SPARQL 1.0, but with the addition of SPARQL UPDATE this is an unacceptable risk.
>>>
>>> I am surprised that the security issues arising from obfuscation through string escaping are not
>>> stated in the Security Considerations sections of SPARQL Query and SPARQL Update.
>>
>> Andy has adequately addressed this concern by pointing out that Query
>> and Update are two separate languages. However, since it is possible
>> for an implementation to offer both services at one endpoint, I think
>> it would be worthwhile explaining the risk in the "Security
>> Considerations (Informative)" section of SPARQL Update.
>>
>> My proposed text is:
>> ---
>> While SPARQL Update and SPARQL Query are separate languages, some
>> implementations may choose to offer both at the same SPARQL endpoint.
>> In this case, it is important to consider that an Update operation may
>> be obscured to masquerade as a query. For instance, a string of
>> unicode escapes in a PREFIX clause could be used to hide an Update
>> Operation. Therefore, simple syntactic tests are inadequate to
>> determine if a string describes a query or an update.
>> ---
>
> If the protocol is being used, I believe it would be harder than that to exploit, if I'm reading it correctly that the parameter name is different:
> http://www.w3.org/TR/sparql11-protocol/#update-operation
>
> Doesn't that mean that an update request looks like
>   http://host.example/?update=…
> as opposed to
>   http://host.example/?query=…
>
> - Steve

That's a good point.

The only case it might apply then would be for something like an HTML
form which has a query/update field. This is much less likely to be an
issue, and probably doesn't deserve special mention like I suggested.

Paul

Received on Tuesday, 27 September 2011 22:10:16 UTC
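As an added example (not part of this thread or of any W3C document), the two layers of the check discussed above in Python: routing by the protocol's distinct `query`/`update` parameter names as Steve describes, and, for the single free-text field in Paul's HTML-form case, decoding SPARQL codepoint escapes before any keyword heuristic runs. The function names and sample strings are constructed for illustration.

```python
import re

# SPARQL 1.1 resolves codepoint escapes (\uXXXX, \UXXXXXXXX) before the grammar
# is applied, so they may appear anywhere in the request text, not just in literals.
_CODEPOINT_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")

# Keywords that begin a SPARQL 1.1 Update operation.
_UPDATE_KEYWORDS = ("INSERT", "DELETE", "LOAD", "CLEAR", "CREATE", "DROP", "COPY", "MOVE", "ADD")

# Constructed samples: a plain query, and an update whose leading keyword is
# hidden behind a codepoint escape, as the proposed Security Considerations text describes.
PLAIN_QUERY = "SELECT * WHERE { ?s ?p ?o }"
OBFUSCATED_UPDATE = r"PREFIX ex: <http://example.org/> \u0049NSERT DATA { ex:s ex:p ex:o }"


def decode_codepoint_escapes(text: str) -> str:
    """Resolve codepoint escapes the way a conforming parser does, before tokenizing.
    Nothing else is normalized here; a real parser also handles other escape kinds."""
    return _CODEPOINT_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def naive_looks_like_update(text: str) -> bool:
    """The heuristic Richard's comment warns about: keyword search on the raw string."""
    return any(re.search(rf"\b{kw}\b", text, re.IGNORECASE) for kw in _UPDATE_KEYWORDS)


def normalized_looks_like_update(text: str) -> bool:
    """Same heuristic, but run on the text the parser will actually see."""
    return naive_looks_like_update(decode_codepoint_escapes(text))


def classify_request(params: dict) -> str:
    """Decide which service handles a request.
    The SPARQL Protocol gives query and update distinct parameter names, so the
    parameter name, not the text, selects the service; text sent as ?query= only
    ever reaches the Query parser, which rejects update syntax. A single free-text
    field (e.g. an HTML form) is the only place a heuristic is needed, and it must
    run on decoded text."""
    if "update" in params and "query" in params:
        return "reject"  # one operation per request; ambiguous input is refused
    if "update" in params:
        return "update"
    if "query" in params:
        return "query"
    return "update" if normalized_looks_like_update(params.get("text", "")) else "query"


if __name__ == "__main__":
    print("raw heuristic:", naive_looks_like_update(OBFUSCATED_UPDATE))          # False
    print("decoded heuristic:", normalized_looks_like_update(OBFUSCATED_UPDATE)) # True
    print("form field routed to:", classify_request({"text": OBFUSCATED_UPDATE})) # update
```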