"Safe Mode" processing for XSLT from Conal Tuohy on 2015-06-02 (xproc-dev@w3.org from June 2015)

From: Conal Tuohy <conal.tuohy@gmail.com>
Date: Tue, 2 Jun 2015 17:19:33 +1000
To: XProc Dev <xproc-dev@w3.org>
Message-ID: <CAErBQuQfKaJwn2en+NuwVnMzZJks_PMr+9euy4J5DqS1q3PihQ@mail.gmail.com>

I have been writing some web applications in XProc, using Calabash, and
I've struck the issue that user-supplied (uploaded) XSLT transforms can
present a security risk. Since XSLT is Turing complete it can provide a
powerful extension mechanism for an XML-processing app, but you need to
tightly control access to the web app itself unless you can run such XSLT
in a sandbox.

I had a vague but false memory that the p:xslt step had an option to
enforce a kind of "safe mode". Alas it looks like wishful thinking.

It seems to me that to perform secure XSLT processing one would need to be
able to supply a URI resolver to prevent access to the local file system,
and to disable any XSLT extension functions that might pose a risk, and
perhaps even to enforce a timeout on XSLT execution.

Has anyone implemented anything like this, either in Calabash or some other
processor?


Conal

Received on Tuesday, 2 June 2015 07:20:20 UTC