Hi,
We are providing a cloud-based application development environment using the BaseX database. We want to allow developers to write XQuery commands to access the database, but some security issues have appeared.
For example, the query "file:list('c:/')" returns the list of the C:\ directory.
Is it possible to exclude some modules from the BaseX engine, or is there any other way to execute a query in a sandbox environment which allows only FLWOR expressions and basic modules like "Math"?
Scanning for prefixes like "file:" may be a solution, but maybe there is a better way to do it.
Thank you for your help.
Hi Ertan,
There is a permission system in BaseX; please take a look at our documentation at https://docs.basex.org/wiki/User_Management
You can, e.g., create a user with only read permission, and this will forbid the execution of functionality which requires higher privileges; e.g. file:list() requires create privileges, and its execution would be impossible for a user with only read permissions.
Cheers, Dirk
On 08/27/2013 05:10 PM, Ertan Tike wrote:
> Hi,
> We are providing a cloud-based application development environment using the BaseX database. We want to allow developers to write XQuery commands to access the database, but some security issues have appeared.
> For example, the query "file:list('c:/')" returns the list of the C:\ directory.
> Is it possible to exclude some modules from the BaseX engine, or is there any other way to execute a query in a sandbox environment which allows only FLWOR expressions and basic modules like "Math"?
> Scanning for prefixes like "file:" may be a solution, but maybe there is a better way to do it.
> Thank you for your help.
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
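
The setup described in the reply, as an added example that is not part of the original thread: a BaseX command script that creates a restricted account for untrusted queries. The user name `dev`, the database name `appdb` and the password are placeholders chosen for illustration.

```basex
# Added example; dev, appdb and CHANGE_ME are placeholders.
# Create the account that the developers' queries will run under.
CREATE USER dev CHANGE_ME
# Remove any global permission, then allow read access to one database only.
GRANT NONE TO dev
GRANT READ ON appdb TO dev
# Review the resulting global and per-database permissions.
SHOW USERS
SHOW USERS ON appdb
```

Run submitted queries only through a session logged in as this user, never as an administrator, and confirm that a call such as file:list('c:/') is rejected before exposing the service.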