Thank you both. The "user" is my website, so it's not that likely that
someone will accidentally do anything like delete a document. DOS-ish
stuff, on the other hand, would be a risk. I guess I'll take the safe
route and find ways to give the values necessary for any out-of-tree
comparisons to the site before it needs them.
The point here is to enable RESTful addressing of content using xpath, so,
for example, if I want all the foods that a particular person likes I
wanted the xpath to be:
collection("foods")/food[@id=collection("people")/person[1]/likesFood/@ref]
It looks like, due to injection risk, I shouldn't expose that. I can
design around it.
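As an added illustration of the guard Erik describes further down in this thread (this is not code from the thread or from MarkLogic's own libraries): a hypothetical REST API resource extension that accepts a user-supplied XPath, checks it with cts:valid-index-path() before anything is evaluated, and only then applies it with xdmp:value() to documents returned by search:search() with apply="raw". The extension name "xpathextract", its namespace, the query options, the parameter names and the shape of the raw search results are assumptions; only cts:valid-index-path(), xdmp:value() and search:search() are real MarkLogic functions named in the thread.

```xquery
xquery version "1.0-ml";

(: Hypothetical resource extension; the namespace prefix convention is
   MarkLogic's, the name "xpathextract" is an assumption. :)
module namespace ext = "http://marklogic.com/rest-api/resource/xpathextract";

import module namespace search = "http://marklogic.com/appservices/search"
  at "/MarkLogic/appservices/search/search.xqy";

(: Accept only an XPath that cts:valid-index-path() recognises as a plain
   path (paths, literals, booleans): function calls and out-of-tree
   comparisons such as the docs' "/a/b[c=/a/b/d]/p" are rejected.
   The second argument is $ignorens; false() keeps prefixes significant. :)
declare function ext:safe-xpath($xpath as xs:string?) as xs:boolean
{
  fn:exists($xpath) and cts:valid-index-path($xpath, fn:false())
};

(: GET /v1/resources/xpathextract?rs:q=...&rs:xpath=...
   (parameter names are assumptions; rs: params arrive in $params) :)
declare function ext:get($context as map:map, $params as map:map)
  as document-node()*
{
  let $xpath := map:get($params, "xpath")
  let $q := (map:get($params, "q"), "")[1]
  (: Erik's suggestion: have search:search() return whole documents :)
  let $options :=
    <options xmlns="http://marklogic.com/appservices/search">
      <transform-results apply="raw"/>
    </options>
  return
    if (fn:not(ext:safe-xpath($xpath))) then (
      (: Refuse before any evaluation; the string never reaches xdmp:value() :)
      map:put($context, "output-status", (400, "Bad Request")),
      map:put($context, "output-types", "application/xml"),
      document { <error>xpath parameter is not a plain index path</error> }
    ) else (
      map:put($context, "output-types", "application/xml"),
      document {
        <results>{
          for $result in search:search($q, $options)/search:result
          (: apply the validated path with the document root as context item;
             assumes the raw result wraps the document's root element :)
          return $result/*/xdmp:value($xpath)
        }</results>
      }
    )
};
```

The check is the whole point: whatever the caller's document permissions are, xdmp:value() on an unchecked string can reach any readable document via doc() or collection(), so the path is validated first and the evaluation step only ever sees a string that cts:valid-index-path() accepted.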
On Sun, Apr 28, 2013 at 10:52 AM, David Lee <[email protected]> wrote:
> One example. If the user has permissions to delete their own document,
> but intends to query, so you give them a search and allow them to type in
> xpath that is eval'd. They try but screw up the syntax and accidentally
> issue a delete command, it will delete.
>
> Sent from my iPad (excuse the terseness)
> David A Lee
> [email protected]
> 812-630-7622
>
>
> On Apr 28, 2013, at 9:33 AM, "Stu Salsbury" <[email protected]>
> wrote:
>
> Thank you, Erik.
>
> I do want to take what precautions I must. If my users have very low
> permissions, do I need to be concerned with injection? They will only have
> the right to modify documents that are their own. I'm new to ML security
> issues but if a user starts out with nothing and I grant them very specific
> document permissions and very specific main module execute permissions,
> what else are they likely to accomplish?
>
> Also:
>
> I'd rather just use http://docs.marklogic.com/cts:valid-index-path and
> feel safer, but (from the docs):
>
> cts:valid-index-path("/a/b[c=/a/b/d]/p",fn:true())
> => false
>
> Is this failing because ignorens is true? Does ignorens mean,
> "disregard the namespaces in my documents and find nodes anyway?" or
> "disregard namespace prefixes in the xpath and thus don't find nodes that
> are not in the default ns" or something else? And if the example fails
> without regard to namespaces, is it because it references /a/b/d in the
> comparison? I'd like to be able to enable such comparisons...
>
> (Hubert, thanks for asking your question, this has been on my mind. I
> hope you don't feel I'm hijacking -- I figure this might have relevance to
> you, too.)
>
>
> On Sun, Apr 28, 2013 at 9:10 AM, Erik Hennum <[email protected]> wrote:
>
>> Hi, Hubert and Stu:
>>
>> It depends what you need to accomplish with the XPath.
>>
>> If you need to use the XPath to qualify the documents, you can put it in
>> a <search:searchable-expression> element in the query options for the
>> search. For an XPath to be a searchable expression, one step but
>> preferably the entire path must be resolvable via indexes. You can try a
>> few sample XPaths with xdmp:plan() in QueryConsole to see whether they are
>> searchable.
>>
>> If you need to use a static XPath to extract parts of the documents
>> qualified by other search criteria, you could provide a custom snippeting
>> function in XQuery and use the xdmp:transform-results element in the query
>> options to specify the snippeting function.
>>
>> If you need to use a dynamic XPath to extract parts of the documents, you
>> could create a resource service extension for the REST API that calls
>> search:search() with query options that return the entire document by
>> setting the apply to "raw" on the xdmp:transform-results of the query
>> options. You can pass the XPath to the resource service by HTTP query
>> parameter and apply the XPath to the results using the xdmp:value() method
>> or the xp:dereference() function.
>>
>> Because an XPath can call functions, you need to be concerned about
>> injection attack. You can confirm that an XPath contains only paths,
>> literals, and booleans using the cts:valid-index-path() function.
>>
>>
>> Hoping that helps,
>>
>>
>> Erik Hennum
>>
>> ------------------------------
>> *From:* [email protected] [
>> [email protected]] on behalf of Stu Salsbury [
>> [email protected]]
>> *Sent:* Sunday, April 28, 2013 8:03 AM
>> *To:* MarkLogic Developer Discussion
>> *Subject:* Re: [MarkLogic Dev General] Incoming XPath expressions
>>
>> I'm no expert, but I'm planning to do this. You can use xpointer to
>> avoid calling eval (though I don't know whether or not it calls eval
>> under the covers). https://docs.marklogic.com/xp
>>
>> Be aware that all xpath evaluations give access to any document in your
>> database because /doc("anyDocInYourDB.xml") is valid xpath. So do it only
>> if your document permissions are *exactly* as you need them.
>>
>> There may be other security ramifications that I don't know about. It
>> would be great if someone more knowledgeable chimed in about this.
>>
>>
>> On Fri, Apr 26, 2013 at 12:10 PM, Hubert A Le Van Gong <
>> [email protected]> wrote:
>>
>>> Hello MarkLogic experts,
>>>
>>> This may be a very stupid question but is there a way for a web service
>>> to use an XPath expression with the REST API search?
>>>
>>> For instance one with an axis like:
>>> //ResourceTypeX[descendant-or-self::node()="urn:anotherelementid:xyz"]
>>>
>>> I was hoping to be able to do something like
>>> localhost:8003://v1/search?q=my_xpath_expression
>>>
>>> Also I need to massage the response so it includes the actual resource
>>> content and aggregate them in a container (defined as a list of the
>>> resource type elements returned). I'm wondering if writing extension(s)
>>> to the REST API (my web service also supports regular CRUD operations
>>> on XML documents) is the right approach?
>>> If I do so, can I call the MarkLogic REST API from within my extension
>>> point (to retrieve or search docs etc.)?
>>>
>>> Or should I look into mapping pre-defined XPath expressions into
>>> structured queries?
>>> I was hoping to use the REST API (using search or keyvalue) but I'm not
>>> convinced this is going to work.
>>>
>>> Any hints most appreciated!
>>>
>>> Thanks,
>>> Hubert
>>>
>>> _______________________________________________
>>> General mailing list
>>> [email protected]
>>> http://developer.marklogic.com/mailman/listinfo/general
>>>