jackrabbit-users mailing list archives

From "Alexander Klimetschek" <aklim...@day.com>
Subject Re: Are XPath injections possible?
Date Mon, 25 Aug 2008 11:31:59 GMT
The problem is much less critical in Jackrabbit due to the following reasons:

1) JCR SQL and XPath are read-only (no DROP TABLE attacks)
2) XPath syntax is much more specific, so you cannot easily add
another statement in an injection (mostly you will have variable
replacement only inside predicates)
3) Mostly you will use the JCR API to look up things and use queries
more for full-text searches (I know, this one is not a good argument,
but at least this describes the typical JCR usage ;-))

The jackrabbit-jcr-commons jar contains some helper classes for
escaping and converting, e.g. org.apache.jackrabbit.util.Text with
escape()/unescape() of JCR names (to get valid node names):

http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup

Not sure where to find other kinds of XPath escaping...

Regards,
Alex

On Mon, Aug 25, 2008 at 9:41 AM, Marc Speck <marcspeck@gmail.com> wrote:
> I'm not an expert for XPath (in Jackrabbit) but given the nature of SQL
> injections, I suspect that similar attacks in XPath are possible? I've just
> browsed org.apache.jackrabbit.commons.query.GQL and saw in parse() that you
> escape [, !, etc. Is there an escape method for user generated queries in
> Jackrabbit or do you recommend using GQL once it's out?
>
> Thanks,
> Marc
>



-- 
Alexander Klimetschek
alexander.klimetschek@day.com
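An added Java illustration of the point about variable replacement inside predicates (not code from this thread or from Jackrabbit): a value containing an apostrophe that is concatenated into an XPath string literal terminates the literal early, so whatever follows is parsed as query syntax; doubling the quote keeps the whole value inside the literal, and looking the node up through the JCR API with Text.escapeIllegalJcrChars avoids query syntax altogether. The quote-doubling rule is the XPath 2.0 string-literal convention that JCR's XPath grammar follows; the node type, property name and sample input are constructed for the example.

```java
import javax.jcr.Item;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;
import org.apache.jackrabbit.util.Text;

public class JcrLookupExample {

    // Unsafe: the user value is spliced straight into the predicate. An
    // apostrophe in the value closes the literal and changes the query.
    static String vulnerableQuery(String userTitle) {
        return "//element(*, nt:unstructured)[@title = '" + userTitle + "']";
    }

    // Build an XPath string literal: a single quote inside a single-quoted
    // literal is written as two single quotes (XPath 2.0 rule, assumed here
    // to be honoured by the JCR XPath grammar).
    static String xpathLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    static String saferQuery(String userTitle) {
        return "//element(*, nt:unstructured)[@title = " + xpathLiteral(userTitle) + "]";
    }

    // Preferred where possible, as the message suggests: no query at all.
    // The user value becomes a valid node name and is resolved via the API,
    // so there is no query syntax for the value to interfere with.
    static Item lookupByName(Session session, String parentPath, String userName)
            throws RepositoryException {
        String path = parentPath + "/" + Text.escapeIllegalJcrChars(userName);
        return session.itemExists(path) ? session.getItem(path) : null;
    }

    static QueryResult runXPath(Session session, String xpath) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        return qm.createQuery(xpath, Query.XPATH).execute();
    }

    public static void main(String[] args) {
        String title = "O'Reilly";  // constructed sample input with an apostrophe
        // Literal ends after "O", the rest is parsed as query syntax:
        System.out.println(vulnerableQuery(title));
        // Whole value stays inside the literal:
        System.out.println(saferQuery(title));
    }
}
```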
