- From: Florent Georges <fgeorges@fgeorges.org>
- Date: Tue, 2 Jun 2015 11:14:49 +0200
- To: Conal Tuohy <conal.tuohy@gmail.com>
- Cc: XProc Dev <xproc-dev@w3.org>
Hi,

You'd probably want to disable xsl:result-document, the processor's own extensions, and the resolution not only of doc(), but also of collection(), xsl:include and xsl:import. And once there, you would have to wait for people to find a new, original way to harm the system through a new kind of injection, exploiting a specific limitation of the processor, or just something you have not thought about disabling.

Long story short: I think this is a very complex task, and I am not sure it is possible at all to make any guarantee in that area. I guess the general good practice is: "never evaluate code sent to you". There are other ways to provide more flexibility to your system, depending on what you want to achieve exactly.

If you really want to provide this feature, I guess the best you can do is to ask the question on Saxon's mailing list, and configure it yourself underneath Calabash (or any other combination if you use another processor). And if you do so, please share your results; there are a few circumstances where evaluating a user-provided stylesheet is indeed convenient :-)

Regards,

-- 
Florent Georges
http://fgeorges.org/
http://h2oconsulting.be/

On 2 June 2015 at 09:19, Conal Tuohy wrote:

> I have been writing some web applications in XProc, using Calabash, and I've
> struck the issue that user-supplied (uploaded) XSLT transforms can present a
> security risk. Since XSLT is Turing complete it can provide a powerful
> extension mechanism for an XML-processing app, but you need to tightly
> control access to the web app itself unless you can run such XSLT in a
> sandbox.
>
> I had a vague but false memory that the p:xslt step had an option to enforce
> a kind of "safe mode". Alas it looks like wishful thinking.
>
> It seems to me that to perform secure XSLT processing one would need to be
> able to supply a URI resolver to prevent access to the local file system,
> and to disable any XSLT extension functions that might pose a risk, and
> perhaps even to enforce a timeout on XSLT execution.
>
> Has anyone implemented anything like this, either in Calabash or some other
> processor?
>
> Conal
Received on Tuesday, 2 June 2015 09:15:44 UTC
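The knobs the two messages enumerate (a URI resolver that refuses file access, no extension functions, no xsl:result-document, no collection(), no xsl:include/xsl:import, and a timeout) map onto Saxon's s9api and Configuration classes. The following is an added example written for this page; it is not code from the thread, from Calabash or from Saxon's documentation. It assumes a Saxon 9.9-era API (Xslt30Transformer.setResultDocumentHandler, Configuration.setCollectionFinder and Configuration.setUnparsedTextURIResolver are the version-sensitive calls), and the file path inside the probing stylesheet is a constructed placeholder, not a real target.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.Configuration;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.Serializer;
import net.sf.saxon.s9api.Xslt30Transformer;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltExecutable;
import net.sf.saxon.trans.XPathException;

// Added example (not from the thread, Calabash or Saxon docs); assumes Saxon 9.9-era s9api.
public class RestrictedXslt {

    // One resolver that refuses every href. On the compiler it blocks xsl:include and
    // xsl:import; on the transformer it blocks doc() and document().
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("sandbox: URI access refused: " + href);
    };

    static Processor newRestrictedProcessor() {
        Processor proc = new Processor(false);               // Saxon-HE, no licensed features
        Configuration config = proc.getUnderlyingConfiguration();
        config.setAllowExternalFunctions(false);             // no reflexive Java extension calls
        config.setURIResolver(DENY_ALL);                     // default for anything not overridden
        config.setCollectionFinder((ctx, uri) -> {           // collection() (assumed 9.7+ API)
            throw new XPathException("sandbox: collection() refused: " + uri);
        });
        config.setUnparsedTextURIResolver((uri, enc, cfg) -> {   // unparsed-text() has its own resolver
            throw new XPathException("sandbox: unparsed-text() refused: " + uri);
        });
        return proc;
    }

    static String run(Processor proc, String stylesheet, String input, long timeoutSeconds)
            throws Exception {
        XsltCompiler compiler = proc.newXsltCompiler();
        compiler.setURIResolver(DENY_ALL);                   // xsl:include / xsl:import
        XsltExecutable exec = compiler.compile(new StreamSource(new StringReader(stylesheet)));

        Xslt30Transformer t = exec.load30();
        t.setURIResolver(DENY_ALL);                          // doc() / document() at run time
        // xsl:result-document: refuse to open any secondary output rather than writing a file.
        t.setResultDocumentHandler(uri -> {
            throw new IllegalStateException("sandbox: xsl:result-document refused: " + uri);
        });

        StringWriter out = new StringWriter();
        Serializer ser = proc.newSerializer(out);
        ser.setOutputProperty(Serializer.Property.OMIT_XML_DECLARATION, "yes");

        // Timeout: run the transform on its own thread and give up waiting after the budget.
        ExecutorService ex = Executors.newSingleThreadExecutor();
        Future<?> f = ex.submit(() -> {
            t.transform(new StreamSource(new StringReader(input)), ser);
            return null;
        });
        try {
            f.get(timeoutSeconds, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);   // best effort only: a stylesheet in a tight loop may ignore the interrupt
            throw e;
        } finally {
            ex.shutdownNow();
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Processor proc = newRestrictedProcessor();
        String input = "<doc><title>hello</title></doc>";
        // Constructed stylesheets: one benign, one that tries to read a local file via document().
        String xslNs = "xmlns:xsl='http://www.w3.org/1999/XSL/Transform'";
        String benign = "<xsl:stylesheet version='2.0' " + xslNs + "><xsl:template match='/'>"
            + "<out><xsl:value-of select='/doc/title'/></out></xsl:template></xsl:stylesheet>";
        String probing = "<xsl:stylesheet version='2.0' " + xslNs + "><xsl:template match='/'>"
            + "<out><xsl:copy-of select=\"document('file:///PLACEHOLDER/secret.txt')\"/></out>"
            + "</xsl:template></xsl:stylesheet>";
        System.out.println(run(proc, benign, input, 5));    // <out>hello</out>
        try {
            run(proc, probing, input, 5);
        } catch (Exception e) {
            System.out.println("refused: " + e.getMessage()); // the DENY_ALL resolver's message
        }
    }
}
```

Two caveats follow directly from Florent's reply. First, this is a deny list: every setter above closes one known avenue, and a processor feature nobody thought to disable stays open, so the configuration has to be revisited with each Saxon release. Second, the timeout only stops the caller from waiting; Saxon does not poll the interrupt flag, so a runaway stylesheet keeps its thread and its memory until the JVM reclaims it, which is why a separate process with an OS-level limit is the more dependable budget. Applying these settings under Calabash means handing Calabash a Processor configured this way rather than the one it builds itself; how to do that is a Calabash question this example does not answer.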