[
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17172555#comment-17172555
]
Eric Norman commented on SLING-9556:
------------------------------------
Hi Nicolas,
First I must admit that I don't know much about the pipes solution, so I could
be way off on what is possible.
For completeness, let me express a couple of potential "bad guy" scenarios that
had me initially concerned:
1. The "information disclosure" family of security attacks. In other words,
streamlining a look around what is in the repository in a general-purpose command
executor POST request can make it easier to refine an attack into the system.
Some information that is not normally http accessible could be exposed and
reveal details about how the server is configured. An administrator may want
more control over what is accessible over http or at least make it more
difficult to dig that information out.
2. The "denial of service" family of security attacks. In other words, imagine
that the end user can construct a query/traversal/other scenario that is
expensive to execute. Flooding the server with a few hundred concurrent
requests that are invoking that expensive operation may exhaust all the http
threads and prevent any other requests from getting a slice of time to do
legitimate work. Is it possible to construct a chain of actions together in a
pipe that loops forever and never completes?
Regards,
-Eric
> add pipes execution through a simple text POST
> ----------------------------------------------
>
> Key: SLING-9556
> URL: https://issues.apache.org/jira/browse/SLING-9556
> Project: Sling
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: Pipes 4.0.0
> Reporter: Nicolas Peltier
> Assignee: Nicolas Peltier
> Priority: Major
> Fix For: Pipes 4.0.0
>
>
> The problem with the configuration of most pipes is that the JCR serialization is
> difficult to read/maintain (basic XML maintenance issue).
> Since it can be executed through gogo commands, the pipe could also simply be
> some piped command in a text file that would be posted to the plumber, using the
> same pipebuilder functionality (see
> https://github.com/apache/sling-org-apache-sling-pipes/blob/master/src/main/java/org/apache/sling/pipes/internal/GogoCommands.java#L81)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
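The denial-of-service scenario in the comment above (a few hundred concurrent requests running an expensive or never-ending pipe, starving the HTTP thread pool) is the kind of thing a bulkhead around the executing servlet addresses. The following is an added example, not code from Sling Pipes or from the issue: it uses only the JDK, models a pipe as a `Callable` (a hypothetical stand-in for whatever the plumber builds from the posted text), bounds how many pipes may run at once, refuses further callers instead of queueing them, and gives the calling HTTP thread back after a wall-clock budget even when the pipe loops forever. `BoundedPipeExecutor`, `run` and the limits are all assumptions chosen for the example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example, not part of Sling Pipes: a bulkhead around pipe execution.
 * A small fixed worker pool bounds how many pipes run at once, a semaphore
 * refuses callers when the pool is full instead of queueing them, and a
 * wall-clock budget returns the HTTP thread even if the pipe never finishes.
 */
public final class BoundedPipeExecutor {
    private final Semaphore slots;
    private final ExecutorService workers;
    private final long budgetMillis;

    public BoundedPipeExecutor(int maxConcurrent, long budgetMillis) {
        this.slots = new Semaphore(maxConcurrent);
        this.workers = Executors.newFixedThreadPool(maxConcurrent);
        this.budgetMillis = budgetMillis;
    }

    /**
     * Runs one pipe. Throws RejectedExecutionException when every slot is busy
     * (a servlet would answer 503) and TimeoutException when the budget is
     * exceeded (504 or 400); in both cases the calling thread is released.
     */
    public <T> T run(Callable<T> pipe) throws Exception {
        if (!slots.tryAcquire()) {
            throw new RejectedExecutionException("too many pipes executing");
        }
        Future<T> result;
        try {
            // The worker releases the slot itself, so a pipe that ignores
            // interruption and keeps running still counts against the limit.
            result = workers.submit(() -> {
                try {
                    return pipe.call();
                } finally {
                    slots.release();
                }
            });
        } catch (RejectedExecutionException e) {
            slots.release(); // submit failed (pool shut down): give the slot back
            throw e;
        }
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true); // interrupts the worker; a well-behaved pipe stops
            throw e;
        }
    }

    public void shutdown() {
        workers.shutdownNow();
    }

    // Demo: a pipe that never completes, then a burst of callers beyond the limit.
    public static void main(String[] args) throws Exception {
        BoundedPipeExecutor guard = new BoundedPipeExecutor(2, 300);

        // 1. The "loops forever" case: cut off at the budget, caller gets control back.
        Callable<String> endless = () -> {
            while (!Thread.currentThread().isInterrupted()) {
                Thread.onSpinWait();
            }
            return "interrupted";
        };
        try {
            guard.run(endless);
        } catch (TimeoutException e) {
            System.out.println("endless pipe cut off after 300 ms");
        }
        Thread.sleep(50); // let the interrupted worker release its slot

        // 2. Saturation: two slow pipes hold both slots, the third caller is
        //    refused immediately instead of tying up another HTTP thread.
        Callable<String> slow = () -> { Thread.sleep(200); return "done"; };
        Thread t1 = new Thread(() -> { try { guard.run(slow); } catch (Exception ignored) { } });
        Thread t2 = new Thread(() -> { try { guard.run(slow); } catch (Exception ignored) { } });
        t1.start();
        t2.start();
        Thread.sleep(50); // let both acquire a slot
        try {
            guard.run(slow);
        } catch (RejectedExecutionException e) {
            System.out.println("third pipe refused: " + e.getMessage());
        }
        t1.join();
        t2.join();
        guard.shutdown();
    }
}
```

The budget only helps against a pipe that honours interruption; a traversal that never checks `Thread.interrupted()` keeps its worker, which is why the slot is released by the worker rather than by the caller, so a stuck pipe reduces capacity instead of hiding. In practice the limit would also be applied per principal, and the information-disclosure concern in the comment is handled in front of this guard by restricting who may post a pipe at all.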