Skip to content

SCDH/hardening-saxon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
.github/workflows
.github/workflows
 
 
.mvn/wrapper
.mvn/wrapper
 
 
script
script
 
 
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mvnw
mvnw
 
 
mvnw.cmd
mvnw.cmd
 
 
pom.xml
pom.xml
 
 
saxon.xml
saxon.xml
 
 

Repository files navigation

Hardening Saxon

Tests Deploy Javadoc

Running XSLT, XQuery and XPath bears some security risks if you do not know exactly what is in a script. For example, an XPath expression may contain code for stealing secrets from your computer, or an XSLT stylesheet may contain code for adding a login key to your ssh configuration. This project aims to make Saxon robust against such attacks by adding control over the access to your local file system. It does so by

  • restricting file system access through doc(...), unparsed-text(...) etc., and <xsl:result-document> to a set of allowed paths only, which is defined by configuration

Getting started

Clone this repo and run ./mvnw package (Linux/Mac) or .\mvnw.cmd package (Windows) in order to build the hardening classes and get wrapper scripts for simple usage. Then, there will be wrapper scripts in target/bin/ for Linux, Mac, and Windows.

You can run the wrapper scripts from anywhere on your computer since they only contain absolute paths.

Note: You need a Java JDK, e.g. OpenJDK, installed on your computer for running the above commands. A Maven installation is not required when building through the maven wrapper scripts mvnw and mvnw.cmd.

Usage

In order to restrict access to files and subfolders of the folders projects and src/xsl in your home folder run

export SAXON_ALLOWED_PATHS=~/projects,~/src/xsl

On a Windows powershell you can set allowed paths like this:

$env:SAXON_ALLOWED_PATHS="~/projects,~/src/xsl"

Then use the wrapper scripts in target/bin/ and the Saxon configuration in saxon.xml. This configuration file tells Saxon to use URI resolvers for the various ways of accessing the file system. These URI resolvers restrict access to the allowed paths.

In order to run XSLT with restriction to these paths, use the configuration file like so:

PATH-TO/target/bin/xslt.sh -config:PATH-TO/saxon.xml -xsl:~/src/xsl/my.xsl -s:doc.xsl

Parameters are exactly the same as for the Saxon command line tool.

Note, that the file system locations given as command line parameters are not affected by the restricted access to the file system, but only imported or included stylesheets, documents read with doc() etc. or with unparsed-text(), and locations written to with <xsl:result-document>.

When trying to access a location outside of the allowed paths, errors like the following are thrown:

Error in xsl:result-document/@href on line 19 column 64 of add-key.xsl:
   path not allowed: /home/clueck/.ssh/authorized_keys

API

See the JavaDocs of this project.

License

MIT

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

6 tags

Packages 1

 

Languages