<-prev [Thread] next-> <-prev [Date] next->
Month Index | List Home

Re: [xsl] How to circumvent read-only permission

Subject: Re: [xsl] How to circumvent read-only permission
From: "Dimitre Novatchev dnovatchev@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 10 Apr 2022 18:14:39 -0000
> However, if the XML document contains XPath expressions, then the XSLT
program that is reading the XML document
> can read the XPath expressions and execute them using xsl:evaluate. So,
in a sense, the XML document is being executed.
> And, the operating system has no idea that the XML document is being
executed and no way to prevent it.

Actually, the XPath expression(s) don't need to be within an XML document.
They can reside in any (text) file and be read by the standard XPath
function fn:unparsed-text().

For many years I have been using libraries of pure XPath functions, that
reside in what in fact are text files, with extension .xpath. Each such
.xpath file is referred to as a separate "function library".

These comprise the foundation of a pure XPath-programming system, and are
loaded by an "extension function", written in XSLT ...

If a specific XPath function library needs the functions of other XPath
function libraries, it just loads these function libraries by calling the
loader extension.

Thus when such a system is executed, there are numerous load operations,
some of these might be nested recursively. The recursion happens within the
<xsl:evaluate> in the loadFunctionLibraries() function (part of the loader
extension) below.

Here is the loader:

<xsl:stylesheet version="3.0" xmlns:xsl="
http://www.w3.org/1999/XSL/Transform";
  xmlns:xs="http://www.w3.org/2001/XMLSchema";
  xmlns:map="http://www.w3.org/2005/xpath-functions/map";
  xmlns:f="http://www.fxpath.org";>

  <xsl:variable name="vBaseFXpathUri"
    select="(environment-variable('FXpathDir')[normalize-space()],
'..')[1]"/>

  <xsl:template name="loadFunctionLibraries" as="map(*)">
    <xsl:param name="pFilePaths" as="xs:string+"/>
      <xsl:sequence select="f:loadFunctionLibraries($pFilePaths)"/>
  </xsl:template>


  <xsl:function name="f:loadFunctionLibraries" as="map(*)"
visibility="public">
    <xsl:param name="pLibrariesUris" as="xs:string+"/>

    <xsl:variable name="vAllText" as="xs:string+" select=
      "string-join(
                  (for $p in $pLibrariesUris
                    return unparsed-text($p)
                  ),
                  ',&#xA;'
                 )"/>

    <xsl:evaluate xpath="'map:merge((' || $vAllText || '))'">
      <xsl:with-param name="pBaseFXpathUri" select="$vBaseFXpathUri"/>
    </xsl:evaluate>
  </xsl:function>
</xsl:stylesheet>

As an example, here is a test of the functions in the special-folds.xpath
library. This test (written in XSLT) loads the function library and tests
each of the functions in it. The  special-folds.xpath itself loads 2 other
function libraries: folds.xpath and operators.xpath :

<xsl:stylesheet version="3.0" xmlns:xsl="
http://www.w3.org/1999/XSL/Transform";
  xmlns:xs="http://www.w3.org/2001/XMLSchema";
  xmlns:f="http://www.fxpath.org";>
  <xsl:import href="../initialization/Loader.xsl"/>

  <xsl:output method="text" omit-xml-declaration="yes" indent="yes"/>

 <!-- ======= Load the file with the XPath functions to be tested
================== -->
  <xsl:variable name="vBaseFXpathUri"
    select="(environment-variable('FXpathDir')[normalize-space()],
'..')[1]"/>

  <xsl:variable name="vFuns" as="map(*)"
    select="f:loadFunctionLibraries($vBaseFXpathUri ||
'/f/special-folds.xpath')"/>
  <!--
==============================================================================
-->

  <xsl:template name="xsl:initial-template">
    <xsl:sequence select="$vFuns?and((true(), true(), true()))"/>
    <xsl:sequence select="$vFuns?and((true(), true(), false()))"/>

    <xsl:sequence select="$vFuns?or((false(), false(), false()))"/>
    <xsl:sequence select="$vFuns?or((true(), false(), false()))"/>

    <xsl:sequence select="$vFuns?any(function($n) {$n idiv 2 * 2 eq $n},
(1,3,5))"/>
    <xsl:sequence select="$vFuns?any(function($n) {$n idiv 2 * 2 eq $n},
(1,3,6))"/>

    <xsl:sequence select="$vFuns?all(function($n) {$n idiv 2 * 2 eq $n},
(1,2,6))"/>
    <xsl:sequence select="$vFuns?all(function($n) {$n idiv 2 * 2 eq $n},
(0,2,6))"/>

    <xsl:sequence select="$vFuns?sum(1 to 10)"/>
    <xsl:sequence select="$vFuns?product(1 to 6)"/>

    <xsl:sequence select="$vFuns?minimum((6,8,3, -2))"/>
    <xsl:sequence select="$vFuns?minimum(('Alas', 'Baba', 'A2', 'Zebra'))"/>
    <xsl:sequence select="$vFuns?minimum((xs:date('2001-07-14'),
current-date()))"/>

    <xsl:sequence select="$vFuns?maximum((6,8,3, -2))"/>
    <xsl:sequence select="$vFuns?maximum(('Alas', 'Baba', 'A2', 'Zebra'))"/>
    <xsl:sequence select="$vFuns?maximum((xs:date('2001-07-14'),
current-date()))"/>

    <xsl:sequence select="$vFuns?concat(('a1', 'b2', 'c3'))"/>
  </xsl:template>
</xsl:stylesheet>

And here is (just the start) of special-folds.xpath:

(: =============== Include operators.xpath ============================:)
let $ops := Q{http://www.fxpath.org}loadFunctionLibraries#1(
concat($pBaseFXpathUri, '/f/operators.xpath')),

(: ================ Include folds.xpath ===============================:)
  $folds := Q{http://www.fxpath.org}loadFunctionLibraries#1(
concat($pBaseFXpathUri, '/f/folds.xpath')
                                                            ),

 (:    Special Folds
   ====================================================================:)
   $and := function ($booleans as xs:boolean*) as xs:boolean
{
  $folds?foldl_($ops?conjunction, true(), $booleans)
},

   $or := function ($booleans as xs:boolean*) as xs:boolean
{
  $folds?foldl_($ops?disjunction, false(), $booleans)
},

   $any := function($f as function(item()) as xs:boolean, $list as item()*
) as xs:boolean
{
  $or($list!$f(.))
},

.  .  .  .  .  .  .  .   .    .

Thanks,
Dimitre



On Sun, Apr 10, 2022 at 5:45 AM Roger L Costello costello@xxxxxxxxx <
xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Michael Kay wrote:
>
> > I've certainly seen (and written) real applications in which
> > xsl:evaluate (or equivalent) was used to evaluate XPath
> > expressions read from cells in Excel spreadsheets. The
> > operating system has no idea this is going on, so the
> > distinction between read permission and execute
> > permission is meaningless.
>
> Wow!
>
> Let me be sure that I understand the full implications of this.
>
> Consider this scenario: We have an XML document that, for whatever reason,
> must be read-only. It must not be written to (no write permission) and it
> must not be executed (no execute permission). The operating system
> understands this and will enforce this.
>
> However, if the XML document contains XPath expressions, then the XSLT
> program that is reading the XML document can read the XPath expressions and
> execute them using xsl:evaluate. So, in a sense, the XML document is being
> executed. And, the operating system has no idea that the XML document is
> being executed and no way to prevent it.
>
> This is a way to circumvent the operating system's enforcement of
> read-only permission.
>
> Do I understand correctly? Have I described the full implications of this
> scenario or is there more to be learned from the scenario? Or is Michael
> alluding to some other scenario?
>
> /Roger
> 
>
>

-- 
Cheers,
Dimitre Novatchev
---------------------------------------
Truly great madness cannot be achieved without significant intelligence.
---------------------------------------
To invent, you need a good imagination and a pile of junk
-------------------------------------
Never fight an inanimate object
-------------------------------------
To avoid situations in which you might make mistakes may be the
biggest mistake of all
------------------------------------
Quality means doing it right when no one is looking.
-------------------------------------
You've achieved success in your field when you don't know whether what
you're doing is work or play
-------------------------------------
To achieve the impossible dream, try going to sleep.
-------------------------------------
Facts do not cease to exist because they are ignored.
-------------------------------------
Typing monkeys will write all Shakespeare's works in 200yrs.Will they write
all patents, too? :)
-------------------------------------
Sanity is madness put to good use.
-------------------------------------
I finally figured out the only reason to be alive is to enjoy it.
Current Thread
<- PreviousIndexNext ->
Re: [xsl] How to circumvent read-on, Norm Tovey-Walsh ndw Thread [xsl] How do you prove that your XS, Roger L Costello cos
Re: [xsl] How to circumvent read-on, Norm Tovey-Walsh ndw Date Re: [xsl] XSLT programs that blur t, Piez, Wendell A. (Fe
Month