Re: [spec] Import vulnerabilities (#43) from Eric Prud'hommeaux via GitHub on 2021-09-23 (public-shex-dev@w3.org from September 2021)

From: Eric Prud'hommeaux via GitHub <sysbot+gh@w3.org>
Date: Thu, 23 Sep 2021 09:23:22 +0000
To: public-shex-dev@w3.org
Message-ID: <issue_comment.created-925642870-1632389000-sysbot+gh@w3.org>

> The import feature creates vulnerabilities similar to the JSON-LD remote context loading. In the case of JSON-LD, the document loader provides a means of avoiding accessing remote resources, although it's still come under a fair amount of criticism (See [w3c/json-ld-syntax#108](https://github.com/w3c/json-ld-syntax/issues/108) and [w3c/json-ld-api#14](https://github.com/w3c/json-ld-api/issues/14) for example).

I susepct that ShEx's issues are almost identical JSON-LD's issues (or owl:imports, or XInclude). Can we just crib your solution when you get there?


> * A man-in-the middle attack could cause different systems to receive different documents at different times.
> * Accessing the remote resource presents an opportunity to track usage and leak intention.
> * Routinely accessing remote resources can place a burden on the host (e.g., schema.org)

I think these three vulnerabilities are the same as for dereferencing the initial document (be it a schema, JSON-LD doc, OWL ontology). Web Arch caveat emptor?

> * There is no facility for embedded use to avoid the remote lookup.

I think embedding could help efficient caching of mutable resources but you'd never want the embedded form to trump the dereferenced. If you want the embedded form to win, you don't need the IMPORT (or @context dereference).

> * A malicious service can cause a stack-overflow by automatically creating nested documents.

Yeah, by having a language where IMPORTs can have IMPORTs, we have an exploitable recursion.

> The spec should address this concern and/or provide mitigations. One area that JSON-LD may pursue in the future is the use of integrity checks (ala https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).

Fascinating. We could implement that like:

``` shex
IMPORT <http://important.example/hacked/schema> INTEGRITY "md5-1234"
```

-- 
GitHub Notification of comment by ericprud
Please view or discuss this issue at https://github.com/shexSpec/spec/issues/43#issuecomment-925642870 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 September 2021 09:23:25 UTC