Hello all,
I have a project where I need to take 3rd party XQuery expressions and evaluate them in the context of a single XML document. The expressions are untrusted and I want to limit them to read-only and only allow them to access a single XML document being passed in as an external variable.
I read in the XQuery Module docs (http://docs.basex.org/wiki/XQuery_Module) that with the evaluate() command the evaluated query is prevented from opening new databases.
I believe I could run the evaluate() call from a session connected as a read-only user to prevent any update commands. Also, since I only want the evaluated expressions to be able to access a document declared as external, I could, I believe, evaluate() from a session connected to an empty database as well.
However, would the evaluated expressions still be able to execute functions from other BaseX modules like, for example, proc:system()?
I know that in general using eval on untrusted code is a huge risk. Is there any way to create a secure 'sandbox' for evaluating untrusted XQuery expressions?
Any advice would be greatly appreciated.
Thanks, -Jesse
Hi Jesse,
Your setup sounds reasonable to me. All overly powerful functions and modules will indeed be rejected if the logged-in user does not have "create" or "admin" permissions; if not, it's a clear bug.
Your thoughts motivated me to add a new issue [1]: BaseX 7.8.2 will provide a third permission argument for the xquery:eval(uate) functions. This way, even admin users will be able to restrict permissions when evaluating a query string.
Cheers, Christian
[1] https://github.com/BaseXdb/basex/issues/884
On Tue, Mar 4, 2014 at 11:38 PM, Jesse Clark jesse@corengi.com wrote:
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
Jesse,
I invite you to check out the latest snapshot of BaseX [1], which provides better support for running sandbox queries: you can restrict both the permissions of a query and the maximum time it will be running. For example, the following query...
xquery:evaluate("(1 to 1000000000)[. = 0]", map {}, map { 'timeout': 1 })
...will be interrupted because it will (most probably) exceed the allowed execution time of 1 second. See [2] for more details.
Your feedback is welcome, Christian
[1] http://files.basex.org/releases/latest/
[2] http://docs.basex.org/wiki/XQuery_Module
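Putting the two controls from this reply together, as an added example that is not from the thread or from the BaseX project: a host query that evaluates an untrusted expression with permission 'none' and a one-second timeout, with a constructed document bound as the query's context item. It assumes the current xquery:eval() name (the thread uses the older xquery:evaluate alias) and the 'permission' and 'timeout' option keys from the XQuery Module docs.

```xquery
(: Added example, not code from the thread or from BaseX. Assumes the current
   xquery:eval() name and the 'permission' / 'timeout' option keys documented
   in the XQuery Module; $sample-doc is a constructed stand-in for the
   externally supplied document. :)
declare namespace xquery = "http://basex.org/modules/xquery";

(: Constructed sample document: the only data the untrusted query may see :)
declare variable $sample-doc := document {
  <orders><order id="1" total="42"/><order id="2" total="7"/></orders>
};

(: Evaluate an untrusted query string in a restricted context:
   - the document is bound as the context item (empty-string key), so the
     query does not have to declare, and is not handed, any other variable;
   - 'permission': 'none' rejects db:, proc:, file: and other privileged
     functions regardless of the calling user's own permissions;
   - 'timeout' bounds the execution time in seconds.
   Any error (permission denied, timeout, or a plain query error) is turned
   into an <error> element so the host query keeps running. :)
declare function local:sandbox(
  $query as xs:string,
  $input as document-node()
) as item()* {
  try {
    xquery:eval(
      $query,
      map { '': $input },
      map { 'permission': 'none', 'timeout': 1 }
    )
  } catch * {
    <error code="{ $err:code }">{ $err:description }</error>
  }
};

(: A read-only expression over the bound document: returns its result :)
local:sandbox("sum(//order/@total)", $sample-doc),
(: The long-running query from the reply above: the timeout becomes <error> :)
local:sandbox("(1 to 1000000000)[. = 0]", $sample-doc)
```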
On Wed, Mar 5, 2014 at 3:00 AM, Christian Grün christian.gruen@gmail.com wrote:
Hi Christian,
Thanks for adding the extra parameter to the eval functions. I will let you know if I run into any issues as I start to implement functionality using that code.
Best, -Jesse
On Mar 6, 2014, at 1:45 PM, Christian Grün christian.gruen@gmail.com wrote: