On 25/04/2023 08:32, Simon Bin wrote:
> On Tue, 2023-04-25 at 08:01 +0100, Andy Seaborne wrote:
> > so the deployment has to explicitly enable scripting access.
> Is there any way to operate a scripting-enabled Jena Fuseki publicly and
> safely? (Graal sandboxing etc.?)

The most important thing is
On Tue, 2023-04-25 at 08:01 +0100, Andy Seaborne wrote:
> so the deployment has to explicitly enable scripting access.

Is there any way to operate a scripting-enabled Jena Fuseki publicly and
safely? (Graal sandboxing etc.?)
It is addressed in 4.8.0:

  Custom Javascript execution checking:
  Use of JavaScript or Python to write custom functions
  now requires the system property -Djena:scripting=true
  so the deployment has to explicitly enable scripting access.

Note that for Java 17 and later there isn't a JS script
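The two facts above (4.7.0 and earlier: script execution reachable from a query; 4.8.0 and later: off unless -Djena:scripting=true is set) turn into a small deployment check. The script below is an added example for this thread, not code from the Apache Jena project; it assumes the JVM options you pass to it are the ones the Fuseki process is actually started with (for the fuseki-server script that is normally the JVM_ARGS environment variable, but options can also arrive via JAVA_TOOL_OPTIONS or a service unit, so feed it whatever your launcher really uses). Version strings such as 4.8.0-SNAPSHOT have their suffix dropped before comparison.

```shell
#!/bin/sh
# Classify a Fuseki deployment's exposure to script execution from SPARQL
# queries, using only the two facts stated in this thread:
#   - Jena 4.7.0 and earlier: a remote user can execute JavaScript via a query
#   - Jena 4.8.0 and later: scripting is off unless -Djena:scripting=true is set
# Assumption (not from the thread): $2 is the full JVM option string the
# Fuseki process is launched with (e.g. the contents of JVM_ARGS).

# version_ge A B: succeed if dotted numeric version A is >= B.
# A "-suffix" (4.8.0-SNAPSHOT) is dropped; missing components count as 0.
version_ge() {
    v1="${1%%-*}.0.0"
    v2="${2%%-*}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s\n' "$v1" | cut -d. -f"$i")
        p2=$(printf '%s\n' "$v2" | cut -d. -f"$i")
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# fuseki_script_exposure VERSION JVM_ARGS
# Prints one word and sets the exit status:
#   vulnerable (2): version <= 4.7.0, script execution reachable regardless of flags; upgrade
#   enabled    (1): >= 4.8.0 but -Djena:scripting=true is present; only safe if you meant it
#   disabled   (0): >= 4.8.0 and the property is absent, so scripting is off
fuseki_script_exposure() {
    version=$1
    jvm_args=$2
    if ! version_ge "$version" 4.8.0; then
        echo vulnerable
        return 2
    fi
    # Pad with spaces so the match is on a whole option, not a substring.
    case " $jvm_args " in
        *" -Djena:scripting=true "*) echo enabled;  return 1 ;;
        *)                           echo disabled; return 0 ;;
    esac
}

# Demonstration on constructed inputs (not real deployments).
for v in 4.7.0 4.8.0; do
    for args in "-Xmx2G" "-Xmx2G -Djena:scripting=true"; do
        printf '%-6s %-30s -> ' "$v" "$args"
        fuseki_script_exposure "$v" "$args" || true
    done
done
```

A "disabled" result only means the gate from 4.8.0 is closed; it says nothing about other ways a deployment might expose query evaluation, and an "enabled" result on a public endpoint is exactly the situation Simon asks about above.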
Is that already fixed in 4.8.0, or does it apply to Apache Jena versions 4.7.0+?

Marco
On Mon, Apr 24, 2023 at 8:03 PM Andy Seaborne wrote:
> Severity: important
>
> Description:
>
> There is insufficient checking of user queries in Apache Jena versions
> 4.7.0 and earlier, when invoking custom
Severity: important

Description:

There is insufficient checking of user queries in Apache Jena versions 4.7.0
and earlier, when invoking custom scripts. It allows a remote user to execute
arbitrary JavaScript via a SPARQL query.

Credit:

L3yx of Syclover Security Team (reporter)

References: