The Jena GRDDL Reader

Background

GRDDL specifies that some files retrieved from the Web should be interpreted as XSLT and executed in the client machine. As with any technology involving the local execution of untrusted programs, particularly in a programming language which supports both local and remote input/output operations, there is a potential risk of malicious code.

Legal

The reader is reminded that the Jena GRDDL Reader is distributed under the Jena License terms. Nothing in the documentation, including this file, should be read, as granting rights or expectations not granted under that license. In particular, the reader is reminded that:

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (etc.)

Security Goals of Jena GRDDL Reader

Releases of the Jena GRDDL Reader should include documention covering known security issues.

The first release disables certain features of XSLT 2.0 as indicated below. These steps allow the code to pass the tests being used to explore these issues. No defences are in place against a denial of service attack.

Feature	How disabled
`document()`	Use of `javax.xml.transform.Transformer.setURIResolver()` to set a URI resolver that always throws an exception.
`doc()`
`<xsl:result-document>`	Setting value of the Saxon attribute `ALLOW_EXTERNAL_FUNCTIONS` to false, and (the JAXP) feature `http://javax.xml.XMLConstants/feature/secure-processing` to true.
extension functions [1]
`unparsed-text()`	A static initializer in the GRDDL code, modifies the functions tables inside Saxon, to disable these functions.
`unparsed-text-avaliable()`

[1] However, some EXSLT and Saxon extension may still work, as determined by the Saxon implementation.

Potential Weaknesses

No features of the Java security model are used. In particularly, unsafe operations are permitted, if they are invoked in some way not involving the disabled features, or if the disabling of the disabled features fails in some way, or is circumvented by malicious code.

Any defects in the code disabling the above features of XSLT 2.0 will leave security holes.

The disabling of unparsed-text() depends on the internals of the saxon8 implementation of XSLT 2.0. A different version of saxon other than that included in the GRDDL download, may have different internals, and the code disabling unparsed-text() may fail to work with such a version.

Any other insecure features of XSLT 2.0 will probably result in security holes.

In particular, it is believed that xsl:include and xsl:import are adequately secure, and they are not disabled. This belief may be mistaken.