Re: "Safe Mode" processing for XSLT

  Hi,

  You'd probably want to disable xsl:result-document, the processor's own
extensions, the resolution not only of doc(), but also collection(),
xsl:include and xsl:import.  And once there, you would have to wait
for people to find a new, original way to harm the system through
a new kind of injection, exploiting a specific limitation of the
processor, or just something you have not thought about disabling.

  Long story short: I think this is a very complex task, and I am not
sure it is possible at all to make any guarantee in that area.

  I guess the general good practice is: "never evaluate code sent to
you".  There are other ways to provide more flexibility to your
system, depending on what you want to achieve exactly.  If you really
want to provide this feature, I guess the best you can do is to ask
the question on Saxon's mailing list, and configure it yourself
underneath Calabash (or any other combination if you use another
processor).

  And if you do so, please share your results; there are a few
circumstances where evaluating a user-provided stylesheet is indeed
convenient :-)

  Regards,

-- 
Florent Georges
http://fgeorges.org/
http://h2oconsulting.be/


On 2 June 2015 at 09:19, Conal Tuohy wrote:
> I have been writing some web applications in XProc, using Calabash, and I've
> struck the issue that user-supplied (uploaded) XSLT transforms can present a
> security risk. Since XSLT is Turing complete it can provide a powerful
> extension mechanism for an XML-processing app, but you need to tightly
> control access to the web app itself unless you can run such XSLT in a
> sandbox.
>
> I had a vague but false memory that the p:xslt step had an option to enforce
> a kind of "safe mode". Alas it looks like wishful thinking.
>
> It seems to me that to perform secure XSLT processing one would need to be
> able to supply a URI resolver to prevent access to the local file system,
> and to disable any XSLT extension functions that might pose a risk, and
> perhaps even to enforce a timeout on XSLT execution.
>
> Has anyone implemented anything like this, either in Calabash or some other
> processor?
>
>
> Conal

Received on Tuesday, 2 June 2015 09:15:44 UTC
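A concrete starting point for the restrictions both messages list (deny the URI resolver, deny xsl:result-document, disable extension functions, bound execution time), written as an added example that is not code from the thread, from Saxon or from Calabash. It assumes the Saxon 9.x s9api and Configuration API; the class RestrictedXslt and its methods are names chosen here, not part of any library.

```java
import java.io.*;
import java.util.concurrent.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.Configuration;
import net.sf.saxon.lib.FeatureKeys;
import net.sf.saxon.lib.OutputURIResolver;
import net.sf.saxon.s9api.*;

/** Illustrative wrapper (not a Saxon/Calabash API): runs an untrusted stylesheet with URI, output and extension access denied. */
public class RestrictedXslt {
    // Deny every href: covers xsl:include, xsl:import, doc() and document().
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("URI resolution disabled: " + href);
    };
    // Deny xsl:result-document so the stylesheet cannot write to the file system.
    static final OutputURIResolver DENY_OUTPUT = new OutputURIResolver() {
        public OutputURIResolver newInstance() { return this; }
        public Result resolve(String href, String base) throws TransformerException {
            throw new TransformerException("xsl:result-document disabled: " + href);
        }
        public void close(Result result) { }
    };

    static Processor restrictedProcessor() {
        Processor p = new Processor(false);
        Configuration c = p.getUnderlyingConfiguration();
        c.setURIResolver(DENY_ALL);                 // runtime doc()/document()
        c.setOutputURIResolver(DENY_OUTPUT);        // xsl:result-document
        c.setConfigurationProperty(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false); // no Java extension calls
        return p;
    }

    static String transform(String xslt, String xml, long timeoutSec) throws Exception {
        Processor p = restrictedProcessor();
        XsltCompiler compiler = p.newXsltCompiler();
        compiler.setURIResolver(DENY_ALL);          // compile-time include/import
        XsltExecutable exec = compiler.compile(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        XsltTransformer t = exec.load();
        t.setSource(new StreamSource(new StringReader(xml)));
        t.setDestination(p.newSerializer(out));
        ExecutorService ex = Executors.newSingleThreadExecutor();
        Future<?> f = ex.submit(() -> { t.transform(); return null; });
        try { f.get(timeoutSec, TimeUnit.SECONDS); }
        catch (TimeoutException e) { f.cancel(true); throw e; } // cancel is cooperative only
        finally { ex.shutdownNow(); }
        return out.toString();
    }
}
```

collection() does not go through the URIResolver in Saxon and must be denied separately through its own collection resolver, whose name differs by Saxon version. Cancelling the Future does not stop a transform that is already running, so a hard time limit still has to be enforced at the process level.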