Re: [spec] Import vulnerabilities (#43)

> > The import feature creates vulnerabilities similar to the JSON-LD remote context loading. In the case of JSON-LD, the document loader provides a means of avoiding accessing remote resources, although it's still come under a fair amount of criticism (See [w3c/json-ld-syntax#108](https://github.com/w3c/json-ld-syntax/issues/108) and [w3c/json-ld-api#14](https://github.com/w3c/json-ld-api/issues/14) for example).
> 
> I suspect that ShEx's issues are almost identical to JSON-LD's issues (or owl:imports, or XInclude). Can we just crib your solution when you get there?

poking @gkellogg to see what we can steal from JSON-LD 1.1


> > * A malicious service can cause a stack-overflow by automatically creating nested documents.
> 
> Yeah, by having a language where IMPORTs can have IMPORTs, we have an exploitable recursion.

Come to think of it, that's pretty much the same as generating an infinite schema, modulo more per-request cost in non-pipelined HTTP connections.

I think the biggest vulnerability would have been to clients with a less-than-graceful handling of circular imports, but that's explicitly tested in [2RefS1-Icirc](https://github.com/shexSpec/shexTest/blob/7ccb8aaea5307c81ad474d905476c10d50d33917/validation/manifest.ttl#L15967-L15979), where [2RefS1-Icirc](https://github.com/shexSpec/shexTest/blob/7ccb8aaea5307c81ad474d905476c10d50d33917/schemas/2RefS1-Icirc.shex) circularly imports [2RefS1-Icirc](https://github.com/shexSpec/shexTest/blob/7ccb8aaea5307c81ad474d905476c10d50d33917/schemas/2RefS2-Icirc.shex) and [2RefS2-Icirc](https://github.com/shexSpec/shexTest/blob/7ccb8aaea5307c81ad474d905476c10d50d33917/schemas/2RefS1-Icirc.shex).


> > The spec should address this concern and/or provide mitigations. One area that JSON-LD may pursue in the future is the use of integrity checks (ala https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).
> 
> Fascinating. We could implement that like:
> 
> ```
> IMPORT <http://important.example/hacked/schema> INTEGRITY "md5-1234"
> ```

Did JSON-LD ever provide any guidance like that?


-- 
GitHub Notification of comment by ericprud
Please view or discuss this issue at https://github.com/shexSpec/spec/issues/43#issuecomment-1027766958 using your GitHub account


Received on Wednesday, 2 February 2022 09:59:11 UTC
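A loader covering the three hazards this thread raises (circular imports, a service that keeps generating nested imports, and an SRI-style INTEGRITY pin on IMPORT), as an added example that is not part of the issue thread or of any ShEx implementation. The `INTEGRITY` clause, `load_schema`, `fetch`, `outcome` and the schemas.example / bomb.example IRIs are assumptions; the integrity token uses sha256 rather than the md5 sketched above, matching the SRI algorithm set.

```python
import base64, hashlib, re
# Hypothetical form from the thread (not ShEx spec syntax): IMPORT <iri> INTEGRITY "sha256-<b64>"
IMPORT_RE = re.compile(r'^\s*IMPORT\s+<([^>]+)>(?:\s+INTEGRITY\s+"([^"]+)")?', re.M)

class SchemaImportError(Exception):
    pass
def sri_digest(text, alg="sha256"):  # SRI-style token over the body's UTF-8 bytes
    digest = hashlib.new(alg, text.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def check_integrity(text, expected):
    alg = expected.partition("-")[0]
    if alg not in ("sha256", "sha384", "sha512") or sri_digest(text, alg) != expected:
        raise SchemaImportError(f"integrity check failed for token {expected!r}")

def load_schema(root_iri, fetch, max_depth=8):
    """Load a schema plus its transitive IMPORTs; returns IRIs in load order.
    Circular imports are skipped (never re-fetched), nesting past max_depth is
    rejected, and a declared INTEGRITY digest is verified before parsing."""
    loaded = []
    def _load(iri, expected, depth):
        if iri in loaded:
            return
        if depth > max_depth:
            raise SchemaImportError(f"import nesting exceeds {max_depth} at <{iri}>")
        text = fetch(iri)
        if expected is not None:
            check_integrity(text, expected)
        loaded.append(iri)
        for m in IMPORT_RE.finditer(text):
            _load(m.group(1), m.group(2), depth + 1)
    _load(root_iri, None, 0)
    return loaded

def outcome(iri, fetch, **kw):  # ('ok', IRIs) or ('rejected', reason) without raising
    try:
        return "ok", load_schema(iri, fetch, **kw)
    except SchemaImportError as exc:
        return "rejected", str(exc)

S1, S2, BAD = (f"http://schemas.example/{n}.shex" for n in ("S1", "S2", "bad"))
SCHEMAS = {S2: f"IMPORT <{S1}>\n<#S2> {{ <q> . }}\n"}  # constructed in-memory "remote" schemas
SCHEMAS[S1] = (f'IMPORT <{S2}> INTEGRITY "{sri_digest(SCHEMAS[S2])}"\n'
               "<#S1> { <p> . }\n")                     # S1 pins S2, S2 imports S1 back
SCHEMAS[BAD] = f'IMPORT <{S2}> INTEGRITY "{sri_digest("tampered body")}"\n'

def fetch(iri):  # fake fetcher: bomb.example serves an endless chain of nested imports
    if iri.startswith("http://bomb.example/"):
        return f"IMPORT <http://bomb.example/{int(iri.rsplit('/', 1)[1]) + 1}>\n"
    return SCHEMAS[iri]
```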