Ben Zahler created SLING-3040:
---------------------------------
Summary: Selector Restriction
Key: SLING-3040
URL: https://issues.apache.org/jira/browse/SLING-3040
Project: Sling
Issue Type: Wish
Components: Extensions
Reporter: Ben Zahler
Priority: Minor
Sling selectors have been identified as a possible means of DoS attacks in CQ5.
Therefore, this ticket contains proposals on how selector restrictions can be
implemented in Sling.
I propose two mechanisms that can/should be used together:
- define selectors frequently used in the Sling instance and allow them
on any request
- define selectors per resource/resource type that are only allowed for
that resource/resource type (already proposed in [1])
The original requestor is not necessarily aware of the resources that are
included internally. Therefore, all checks are performed in request scope
filters. Also, this implies that selectors added internally (e.g. through
sling:include) are not affected.
The two mechanisms in more detail:
1. The generally allowed selectors can be configured as a list of entries
a. A configuration entry can contain multiple selectors, * allows
all selectors
b. selectors can be configured only for specific repository trees
as follows:
repositorypath:selectors
i. the repository path is evaluated as a regular expression
ii. example: /content/.*:myselector,anotherselector
c. If a configuration entry contains multiple selectors, a request
containing these selectors must contain them in the same order as in the
configuration.
2. On a resource or on its resource type, the property
sling:resourceSelectors can be implemented. On that resource, the specified
selectors are allowed in addition to the ones specified in mechanism 1.
a. A resource/resource type without the property
sling:resourceSelectors does not allow any selectors except the ones defined in
mechanism 1.
b. Inheritance must be considered: if a resource has a
sling:resourceSuperType set, the inherited selectors must be applied and the
selectors added to the ones of the current resource. (see examples below)
i. If both the current resource and its resource type and
or its resource supertype have the property set, all selectors specified in
either node are allowed.
c. If multiple selectors are defined on a resource, a request that
has multiple selectors must contain them in the same order as defined on the
resource.
i. Fixed ordering can be switched off configuratively
d. Checks are performed only on request scope, therefore the check
is only performed on the resource actually requested.
3. Selectors defined by a Servlet in property sling.servlet.selectors are
treated as any other selector: either these selectors must be configured in the
generally allowed selectors or the resource requested must specifically allow
for them.
Attached is a sample implementation (definitely not production ready!).
[1]
http://svn.apache.org/repos/asf/sling/trunk/samples/urlfilter/src/main/java/org/apache/sling/samples/urlfilter/impl/UrlFilter.java
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
