
Mark SPARQL GET at risk

Open RubenVerborgh opened this issue 5 years ago • 2 comments

Not well specified; not used; dangerous DOS point.

Even better would be to just remove (#206)

RubenVerborgh, Jul 24 '19 17:07

Related: seems that NSS never implemented it, so if that's true then there should be zero apps using it: https://github.com/solid/node-solid-server/issues/962

Our wac-ldp module currently implements it using comunica.

michielbdejong, Jul 24 '19 17:07

@michielbdejong Careful; v0.8 mentions “subset” of SPARQL. If you’re using all of Comunica, your subset is very large (if not complete), so a serious stability (DOS) risk exists (especially if single worker, which I believe it is) and even security (through the SERVICE keyword, but also JSON-LD context lookups). I would strongly advise to at least reduce the feature set if it is not removed altogether.

RubenVerborgh, Jul 24 '19 18:07
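
One way to apply the feature-set reduction advised in the last comment, as an added example (not code from wac-ldp, Comunica or the Solid specification): a coarse, fail-closed check that runs before the engine and rejects any query using `SERVICE`. The `checkQuery` name, the deny list and the size cap are assumptions.

```javascript
// Added example, not code from wac-ldp, Comunica or the Solid spec.
// DENIED and MAX_QUERY_CHARS are assumed policy values.
const DENIED = ['SERVICE'];     // federation keyword named in the thread
const MAX_QUERY_CHARS = 2000;   // size cap, enforced before any scanning

// Tokens whose text is data, not syntax: comments, string literals,
// IRI references, variables and prefixed names.
const DATA_TOKENS = new RegExp([
  /#[^\n]*/,
  /"""(?:[^\\]|\\[\s\S])*?"""/, /'''(?:[^\\]|\\[\s\S])*?'''/,
  /"(?:[^"\\\n]|\\.)*"/, /'(?:[^'\\\n]|\\.)*'/,
  /<[^<>"{}|^`\\\s]*>/,
  /[?$]\w+/,
  /\w*:[\w.-]*/,
].map((r) => r.source).join('|'), 'g');

function checkQuery(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_QUERY_CHARS) {
    return { ok: false, reason: 'missing or oversized query' };
  }
  let query;
  try {
    // SPARQL 1.1 (section 19.2) decodes \uXXXX and \UXXXXXXXX before parsing,
    // so decode first and inspect the same text a conforming engine would parse.
    query = raw.replace(/\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})/g,
      (_, u4, u8) => String.fromCodePoint(parseInt(u4 || u8, 16)));
  } catch (err) {
    return { ok: false, reason: 'invalid codepoint escape' };
  }
  // Whatever survives blanking is treated as syntax; any denied keyword in it
  // rejects the query, even at the cost of an occasional false positive.
  const residue = query.replace(DATA_TOKENS, ' ').toUpperCase();
  const hit = DENIED.find((kw) => residue.includes(kw));
  return hit ? { ok: false, reason: `${hit} is outside the allowed subset` } : { ok: true };
}

// Constructed sample queries (not taken from any real application).
const SAMPLES = [
  'SELECT ?s WHERE { ?s ?p "call the service" }',
  'PREFIX ex: <http://example.org/service#> SELECT ?service WHERE { ?service ex:service ?o } # service',
  'SELECT * WHERE { SERVICE <http://example.org/sparql> { ?s ?p ?o } }',
  'SELECT * WHERE { \\u0053ERVICE <http://example.org/sparql> { ?s ?p ?o } }',
];
for (const q of SAMPLES) console.log(checkQuery(q).ok ? 'allow ' : 'reject', q);
```

A check like this complements, and does not replace, disabling federation and remote lookups in the engine configuration itself.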