<assembly>
  <id>release</id>
  <formats>
    <format>zip</format>
  </formats>
  <fileSets>
    <fileSet>
      <includes>
        <include>README*</include>
        <include>LICENSE*</include>
      </includes>
    </fileSet>
    <fileSet>
      <directory>target</directory>
      <outputDirectory></outputDirectory>
      <includes>
        <include>gson-*.jar</include>
      </includes>
    </fileSet>
  </fileSets>
</assembly>
Date: Sun, 28 Apr 2013 11:46:27 -0700
From: [email protected]
To: [email protected]
Subject: Re: [MarkLogic Dev General] Incoming XPath expressions
Thank you both. The "user" is my website, so it's not that likely that someone
will accidentally do anything like delete a document. DOS-ish stuff, on the
other hand, would be a risk. I guess I'll take the safe route and find ways to
give the values necessary for any out-of-tree comparisons to the site before it
needs them.
The point here is to enable RESTful addressing of content using xpath, so, for
example, if a I want all the foods that a particular person likes I wanted the
xpath to be:
collection("foods")/food[@id=collection("people")/person[1]/likesFood/@ref]
It looks like, due to injection risk, I shouldn't expose that. I can design
around it.
On Sun, Apr 28, 2013 at 10:52 AM, David Lee <[email protected]> wrote:
One example. If the user has permissions to delete their own document, but
intends to query, so you give them a search and allow them to type in xpath
that is eval'd. They try but screw up the syntax and accidentally issue a delete
command; it will delete.
Sent from my iPad (excuse the terseness)
David A Lee
[email protected]
812-630-7622
On Apr 28, 2013, at 9:33 AM, "Stu Salsbury" <[email protected]> wrote:
Thank you, Erik.
I do want to take what precautions I must. If my users have very low
permissions, do I need to be concerned with injection? They will only have the
right to modify documents that are their own. I'm new to ML security issues
but if a user starts
out with nothing and I grant them very specific document permissions and very
specific main module execute permissions, what else are they likely to
accomplish?
Also:
I'd rather just use http://docs.marklogic.com/cts:valid-index-path and feel
safer, but (from the docs):
cts:valid-index-path("/a/b[c=/a/b/d]/p",fn:true())
=> false
Is this failing because ignorens is true? Does ignorens mean, "disregard the
namespaces in my documents and find nodes anyway?" or "disregard namespace
prefixes in the xpath and thus don't find nodes that are not in the default
ns" or something else? And if the example fails without regard to namespaces,
is it because it references /a/b/d in the comparison? I'd like to be able to
enable such comparisons...
(Hubert, thanks for asking your question, this has been on my mind. I hope you
don't feel I'm hijacking -- I figure this might have relevance to you, too.)
On Sun, Apr 28, 2013 at 9:10 AM, Erik Hennum <[email protected]> wrote:
Hi, Hubert and Stu:
It depends what you need to accomplish with the XPath.
If you need to use the XPath to qualify the documents, you can put it in a
<search:searchable-expression> element in the query options for the search.
For an XPath to be a searchable expression, one step but preferably the entire
path must be resolvable via indexes. You can try a few sample XPaths with
xdmp:plan() in QueryConsole to see whether they are searchable.
If you need to use a static XPath to extract parts of the documents qualified
by other search criteria, you could provide a custom snippeting function in
XQuery and use the xdmp:transform-results element in the query options to
specify the snippeting function.
If you need to use a dynamic XPath to extract parts of the documents, you could
create a resource service extension for the REST API that calls search:search()
with query options that return the entire document by setting the apply to
"raw" on the xdmp:transform-results of the query options. You can pass the
XPath to the resource service by HTTP query parameter and apply the XPath to
the results using the xdmp:value() method or the xp:dereference() function.
Because an XPath can call functions, you need to be concerned about injection
attacks. You can confirm that an XPath contains only paths, literals, and
booleans using the cts:valid-index-path() function.
Hoping that helps,
Erik Hennum
From: [email protected] [[email protected]] on behalf of Stu Salsbury [[email protected]]
Sent: Sunday, April 28, 2013 8:03 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Incoming XPath expressions
I'm no expert, but I'm planning to do this. You can use xpointer to avoid
calling eval (though I don't know whether or not it calls eval under the
covers): https://docs.marklogic.com/xp.
Be aware that all xpath evaluations give access to any document in your
database because /doc("anyDocInYourDB.xml") is valid xpath. So do it only if
your document permissions are *exactly* as you need them.
There may be other security ramifications that I don't know about. It would be
great if someone more knowledgeable chimed in about this.
On Fri, Apr 26, 2013 at 12:10 PM, Hubert A Le Van Gong <[email protected]> wrote:
Hello MarkLogic experts,
This may be a very stupid question but is there a way for a web service to use
an XPath expression with the REST API search?
For instance one with an axis like:
//ResourceTypeX[descendant-or-self::node()="urn:anotherelementid:xyz"]
I was hoping to be able to do something like
localhost:8003://v1/search?q=my_xpath_expression
Also I need to massage the response so it includes the actual resource content
and aggregate them in a container (defined as a list of the resource type
elements returned). I'm wondering if writing extension(s) to the REST API (my
web service also supports regular CRUD operations on XML documents) is the
right approach?
If I do so, can I call the MarkLogic REST API from within my extension point
(to retrieve or search docs etc.)?
Or should I look into mapping pre-defined XPath expressions into structured
queries?
I was hoping to use the REST API (using search or keyvalue) but I'm not
convinced this is going to work.
Any hints most appreciated!
Thanks,
Hubert
_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general
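The thread above settles on validating incoming XPath before anything evaluates it, because an XPath can call functions and reach any document the caller's permissions allow. As an added example (not code from the thread, from MarkLogic, or from any poster), here is an application-side allow-list gate in Python that a web service could apply to a user-supplied expression before forwarding it to a REST extension. It recognizes only path steps, attribute tests, positional predicates, and predicate comparisons of a relative path against a string or numeric literal joined by and/or; everything else is rejected, in particular function calls, explicit axes, variables, unions, and absolute paths inside predicates. The restricted grammar, the token set, and the names `validate_xpath` and `is_safe_xpath` are my own assumptions, and the gate is deliberately stricter than cts:valid-index-path(), which it complements rather than replaces. The sample expressions it is run against are the ones quoted in the thread.

```python
import re

# Token grammar for the restricted subset (an assumption of this example, not
# MarkLogic's). Any character the regex cannot match, e.g. "(", ")", "$", "|"
# or the "::" of an axis, is rejected, which is what keeps function calls,
# variables, unions and explicit axes out of the expression.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<string>"[^"]*"|'[^']*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<name>[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?)
  | (?P<op>//|/|@|\[|\]|!=|<=|>=|=|<|>|\*)
""", re.VERBOSE)

COMPARE = {"=", "!=", "<", "<=", ">", ">="}


class RejectedXPath(ValueError):
    """Raised when an expression falls outside the allow-listed subset."""


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise RejectedXPath(f"unexpected character {expr[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


class _Parser:
    """Recursive-descent recognizer: path := ('/'|'//')? step (('/'|'//') step)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None:
            raise RejectedXPath("unexpected end of expression")
        if (kind and k != kind) or (value and v != value):
            raise RejectedXPath(f"unexpected token {v!r}")
        self.i += 1
        return v

    def path(self, absolute_ok):
        if self.peek() in (("op", "/"), ("op", "//")):
            if not absolute_ok:
                # Out-of-tree lookups such as [c=/a/b/d] must be resolved by the
                # application beforehand and supplied as literals instead.
                raise RejectedXPath("absolute path inside a predicate")
            self.take()
        self.step()
        while self.peek() in (("op", "/"), ("op", "//")):
            self.take()
            self.step()

    def step(self):
        if self.peek() == ("op", "@"):
            self.take()
        k, v = self.peek()
        if (k == "name" and v not in ("and", "or")) or (k, v) == ("op", "*"):
            self.take()
        else:
            raise RejectedXPath(f"expected a name test, got {v!r}")
        while self.peek() == ("op", "["):
            self.take()
            self.predicate()
            self.take("op", "]")

    def predicate(self):
        self.comparison()
        while self.peek() in (("name", "and"), ("name", "or")):
            self.take()
            self.comparison()

    def comparison(self):
        if self.peek()[0] == "number":      # positional predicate such as [1]
            self.take()
            return
        self.path(absolute_ok=False)          # relative path, e.g. @id or c
        if self.peek()[0] == "op" and self.peek()[1] in COMPARE:
            self.take()
            if self.peek()[0] not in ("string", "number"):
                raise RejectedXPath("comparison operand must be a literal")
            self.take()


def validate_xpath(expr):
    """Return the token list if expr is inside the subset, else raise RejectedXPath."""
    tokens = tokenize(expr)
    if not tokens:
        raise RejectedXPath("empty expression")
    parser = _Parser(tokens)
    parser.path(absolute_ok=True)
    if parser.i != len(tokens):
        raise RejectedXPath(f"trailing input at {tokens[parser.i][1]!r}")
    return tokens


def is_safe_xpath(expr):
    """Boolean form of validate_xpath, for use as a request gate."""
    try:
        validate_xpath(expr)
        return True
    except RejectedXPath:
        return False


if __name__ == "__main__":
    # Expressions quoted in the thread above.
    for sample in ('/people/person[1]/likesFood/@ref', '/a/b[c=/a/b/d]/p',
                   '/doc("anyDocInYourDB.xml")'):
        print("allow " if is_safe_xpath(sample) else "reject", sample)
```

Run as a script it prints one allow/reject line per sample. Both `collection("foods")/food[...]` and `/a/b[c=/a/b/d]/p` from the thread are rejected, which matches Stu's decision to have the site resolve out-of-tree values and hand them to the query as literals; the gate does not, however, make the document permissions behind the REST endpoint any less important, since every accepted path is still evaluated with the caller's rights.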