Hi Jesse,
your setup sounds reasonable to me. All overly powerful functions and modules will indeed be rejected if the logged-in user does not have "create" or "admin" permissions; if not, it's a clear bug.
Your thoughts motivated me to add a new issue [1]: BaseX 7.8.2 will provide a third permission argument for the xquery:eval(uate) functions. This way, even admin users will be able to restrict permissions when evaluating a query string.
Cheers, Christian
[1] https://github.com/BaseXdb/basex/issues/884
On Tue, Mar 4, 2014 at 11:38 PM, Jesse Clark jesse@corengi.com wrote:
Hello all,
I have a project where I need to take 3rd party XQuery expressions and evaluate them in the context of a single xml document. The expressions are untrusted and I want to limit them to read-only and only allow them to access a single xml document being passed in as an external variable.
I read in the XQuery Module docs (http://docs.basex.org/wiki/XQuery_Module) that with the evaluate() command the evaluated query is prevented from opening new databases.
I believe I could run the evaluate() call from a session connected as a read only user to prevent any update commands. Also, since I only want the evaluated expressions to be able to access a document declared as external I could, I believe, evaluate() from a session connected to an empty database as well.
However, would the evaluated expressions still be able to execute functions from other BaseX modules like, for example, proc:system()?
I know that in general using eval on untrusted code is a huge risk. Is there any way to create a secure 'sandbox' for evaluating untrusted XQuery expressions?
Any advice would be greatly appreciated.
Thanks, -Jesse
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
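As an added illustration (not code from this thread, and not taken from BaseX's own documentation or test suite), this is the shape the sandbox Jesse describes takes once xquery:eval accepts the per-call permission argument Christian mentions: the untrusted expression is passed as a string, the single document is handed in through the bindings map, and the query runs with reduced permissions plus a resource cap. The option names `permission`, `timeout` and `memory`, and the permission value `none`, are assumptions based on the option map documented in later BaseX releases; check them against the XQuery Module docs for the version you actually run. The document, the "untrusted" query strings and the element names are constructed for the example.

```xquery
(: Added example: sandboxed evaluation of an untrusted XQuery string.
   Option names (permission, timeout, memory) are assumed from later
   BaseX docs and must be verified for your release. :)

(: Constructed stand-in for the document a caller supplies. :)
declare variable $input := document {
  <items>
    <item id="1">apple</item>
    <item id="2">banana</item>
  </items>
};

(: Constructed untrusted input: a harmless read-only query ... :)
declare variable $benign-query := "
  declare variable $doc external;
  count($doc//item)
";

(: ... and one that tries to break out of the sandbox. :)
declare variable $hostile-query := "
  declare variable $doc external;
  proc:system('id')
";

(: Evaluate one untrusted string in a restricted context.
   - $doc is the only binding the evaluated code receives.
   - 'permission': 'none' asks BaseX to reject functions that need
     more than no rights at all (assumed option name and value).
   - timeout/memory bound runaway expressions (assumed option names). :)
declare function local:sandbox($query as xs:string, $doc as document-node()) as item()* {
  try {
    xquery:eval(
      $query,
      map { 'doc': $doc },
      map { 'permission': 'none', 'timeout': 5, 'memory': 64 }
    )
  } catch * {
    (: Surface the failure to the caller instead of leaking a stack trace. :)
    error(xs:QName('local:rejected'), 'untrusted query rejected: ' || $err:description)
  }
};

(: The benign query should return 2; the hostile one should raise local:rejected. :)
(
  local:sandbox($benign-query, $input),
  try { local:sandbox($hostile-query, $input) }
  catch local:rejected { 'rejected as expected' }
)
```

Two points worth keeping in mind when using this pattern: the permission option narrows what the evaluated string may do, but it does not replace running the outer session as a low-privilege user, since a bug in the check (as Christian notes) would otherwise fall back to the caller's full rights; and a timeout and memory cap are part of the sandbox too, because a read-only query can still be written to exhaust the server.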