Hi, Stu:

I believe the XPath fails the cts:valid-index-path() check because the path 
within the predicate is absolute rather than descending from the context.

Many functions (such as the string manipulation functions) require no 
permissions, and XPath does support "for" expressions.  For someone sufficiently 
malicious, it might be possible to create a time-consuming XPath expression as 
part of a denial-of-service attack even if the request has no permissions other 
than the ability to execute an XPath.  So, it would be best to take a cautious 
approach when accepting XPaths from clients.


Hoping that's useful,


Erik Hennum

________________________________
From: [email protected] 
[[email protected]] on behalf of Stu Salsbury 
[[email protected]]
Sent: Sunday, April 28, 2013 9:33 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Incoming XPath expressions

Thank you, Erik.

I do want to take what precautions I must.  If my users have very low 
permissions, do I need to be concerned with injection?  They will only have the 
right to modify documents that are their own.  I'm new to ML security issues 
but if a user starts out with nothing and I grant them very specific document 
permissions and very specific main module execute permissions, what else are 
they likely to accomplish?

Also:

I'd rather just use http://docs.marklogic.com/cts:valid-index-path and feel 
safer, but (from the docs):

cts:valid-index-path("/a/b[c=/a/b/d]/p",fn:true())
  => false

Is this failing because ignorens is true?  Does ignorens mean, "disregard the 
namespaces in my documents and find nodes anyway?" or "disregard namespace 
prefixes in the xpath and thus don't find nodes that are not in the default ns" 
or something else?  And if the example fails without regard to namespaces, is 
it because it references /a/b/d in the comparison? I'd like to be able to 
enable such comparisons...

(Hubert, thanks for asking your question, this has been on my mind. I hope you 
don't feel I'm hijacking -- I figure this might have relevance to you, too.)


On Sun, Apr 28, 2013 at 9:10 AM, Erik Hennum 
<[email protected]> wrote:
Hi, Hubert and Stu:

It depends what you need to accomplish with the XPath.

If you need to use the XPath to qualify the documents, you can put it in a 
<search:searchable-expression> element in the query options for the search.  
For an XPath to be a searchable expression, one step but preferably the entire 
path must be resolvable via indexes.  You can try a few sample XPaths with 
xdmp:plan() in QueryConsole to see whether they are searchable.

If you need to use a static XPath to extract parts of the documents qualified 
by other search criteria, you could provide a custom snippeting function in 
XQuery and use the xdmp:transform-results element in the query options to 
specify the snippeting function.

If you need to use a dynamic XPath to extract parts of the documents, you could 
create a resource service extension for the REST API that calls search:search() 
with query options that return the entire document by setting the apply to 
"raw" on the xdmp:transform-results of the query options.  You can pass the 
XPath to the resource service by HTTP query parameter and apply the XPath to 
the results using the xdmp:value() method or the xp:dereference() function.

Because an XPath can call functions, you need to be concerned about injection 
attacks.  You can confirm that an XPath contains only paths, literals, and 
booleans using the cts:valid-index-path() function.


Hoping that helps,


Erik Hennum
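The validate-before-evaluate pattern Erik describes (confirm with cts:valid-index-path() that a client-supplied XPath holds only paths, literals and booleans, then apply it to a document), written out as an added XQuery example. This is not code from the thread or from MarkLogic's own libraries; local:apply-client-xpath, the sample paths and the document URI are constructed for illustration, and the three-argument xdmp:value() form with a context item and the request time limit (which may need a privilege in your deployment) are assumed to be available in your MarkLogic version. The first two sample results are the ones the docs give; the third (a function call inside a predicate) is expected to be rejected for the same reason.

```xquery
xquery version "1.0-ml";

(: Added example, not from the thread: accept a client-supplied XPath only if
   cts:valid-index-path() reports it as a pure index path, then evaluate it
   against one document the caller already has permission to read. :)

declare function local:apply-client-xpath(
  $client-xpath as xs:string,
  $uri as xs:string
) as item()*
{
  (: Reject anything beyond steps, literals and booleans: function calls,
     doc() lookups, and predicates that contain an absolute path all fail
     the check, which is what blocks the injection Erik warns about. :)
  if (fn:not(cts:valid-index-path($client-xpath, fn:false())))
  then fn:error(xs:QName("local:BAD-XPATH"),
         "XPath rejected: only simple index paths are accepted")
  else (
    (: Even a syntactically valid path can be expensive (see the DoS caveat);
       bounding the request time is an assumed extra safeguard. :)
    xdmp:set-request-time-limit(5),
    (: Assumed 3-argument form: evaluate $client-xpath with fn:doc($uri)
       as the context item rather than against the whole database. :)
    xdmp:value($client-xpath, (), fn:doc($uri))
  )
};

(: Constructed sample inputs showing what the check accepts and rejects. :)
let $accepted := "/a/b[c = 'd']/p"          (: literal in predicate   => true  :)
let $rejected := "/a/b[c = /a/b/d]/p"       (: absolute path in predicate => false :)
let $function := "/a/b[fn:count(c) gt 1]/p" (: function call       => false :)
return (
  cts:valid-index-path($accepted, fn:false()),
  cts:valid-index-path($rejected, fn:false()),
  cts:valid-index-path($function, fn:false())
)
```

Call local:apply-client-xpath($xpath, $uri) from the resource service extension after the document's own permissions have already limited what the caller may read; the check narrows the language, while document permissions still decide which documents the path may reach.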

________________________________
From: [email protected] 
[[email protected]] on behalf of Stu Salsbury 
[[email protected]]
Sent: Sunday, April 28, 2013 8:03 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Incoming XPath expressions

I'm no expert, but I'm planning to do this. You can use xpointer to avoid 
calling eval (though I don't know whether or not it calls eval under the 
covers).  https://docs.marklogic.com/xp .

Be aware that all xpath evaluations give access to any document in your 
database because /doc("anyDocInYourDB.xml") is valid xpath.  So do it only if 
your document permissions are *exactly* as you need them.

There may be other security ramifications that I don't know about.  It would be 
great if someone more knowledgeable chimed in about this.


On Fri, Apr 26, 2013 at 12:10 PM, Hubert A Le Van Gong 
<[email protected]> wrote:
Hello MarkLogic experts,

This may be a very stupid question but is there a way for a web service to use 
an XPath expression with the REST API search?

For instance one with an axis like:
//ResourceTypeX[descendant-or-self::node()="urn:anotherelementid:xyz"]

I was hoping to be able to do something like 
localhost:8003://v1/search?q=my_xpath_expression

Also I need to massage the response so it includes the actual resource content 
and aggregate them in a container (defined as a list of the resource type 
elements returned). I'm wondering if writing extension(s) to the REST API (my 
web service also supports regular CRUD operations on XML documents) is the 
right approach?

If I do so, can I call the MarkLogic REST API from within my extension point 
(to retrieve or search docs etc.)?

Or should I look into mapping pre-defined XPath expressions into structured 
queries?
I was hoping to use the REST API (using search or keyvalue) but I'm not 
convinced this is going to work.

Any hints most appreciated!

Thanks,
Hubert

_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general
