xml-dev - RE: [xml-dev] Bulk XSD validation in Java

RE: [xml-dev] Bulk XSD validation in Java

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: RE: [xml-dev] Bulk XSD validation in Java
From: "Fraser Goffin" <goffinf@hotmail.com>
Date: Mon, 01 May 2006 13:43:38 +0100
Bcc:
Cc: cwilper@cs.cornell.edu
In-reply-to: <2EE48095D8C21643B0B70EC95F9BFBAFD1A39A@EXCHVS1.cs.cornell.edu>

Chris,

personally I don't like the idea of trusting the processing hint 
xsi:schemaLocation and usually prefer to decide what set of schemata (and/or 
other methods - e.g. rules) I want to use to validate inbound messages. Of 
course this does somewhat depend on the trust relationship you have with 
your service consumers and the level of authentication/authorisation that is 
implemented prior to message processing. Is there no way that your 
validation process can 'discover' the specific message type at run-time and 
validate against the appropriate set of [cached] schemata ?

Fraser.

>From: "Chris Wilper" <cwilper@cs.cornell.edu>
>To: "Stan Kitsis" <skits@microsoft.com>,"xml dev" <xml-dev@lists.xml.org>
>Subject: RE: [xml-dev] Bulk XSD validation in Java
>Date: Tue, 28 Feb 2006 17:26:43 -0500
>
>Hi Stan,
>
>The sources are trusted in this case, but the software may be re-used in 
>less
>secure environments later... so I'd rather deal with the potential
>vulnerabilities up-front.
>
>I'm aware of the old DTD attack, and a few obvious DoS-type attacks I can
>envision.  Do you have any idea what types of risks might remain if the
>application employed the following rules?
>
>All documents would fail to be parsed if:
>   - they contain DTD declarations
>   - their size exceeds some acceptable threshold
>   - connection and/or retrieval time exceeds some acceptable threshold
>
>Schemas would fail to be loaded (and thus parsed or used) if:
>   - the # of loaded schemas since the last completed validation
>     exceeds some acceptable threshold (a crude guard against
>     excessive schema includes within schemas, etc..)
>
>Thanks,
>Chris
>
>
>________________________________
>
>From: Stan Kitsis [mailto:skits@microsoft.com]
>Sent: Tuesday, February 28, 2006 1:59 PM
>To: Chris Wilper; xml dev
>Subject: RE: [xml-dev] Bulk XSD validation in Java
>
>
>
>Chris,
>
>
>
>Your scenario involves unknown data and unknown schemas.  If the sources of
>your inputs are not trusted, you are opening yourself to a wide range of
>potential problems (such as DoS attacks).
>
>
>
>Stan
>
>
>
>--------------------------------------
>
>Stan Kitsis,
>
>Webdata - XML
>
>Microsoft Corporation
>
>--------------------------------------
>
>
>
>________________________________
>
>From: Chris Wilper [mailto:cwilper@cs.cornell.edu]
>Sent: Monday, February 27, 2006 5:54 PM
>To: xml dev
>Subject: [xml-dev] Bulk XSD validation in Java
>
>
>
>Hi all,
>
>I've got a java process that needs to continously validate xml documents
>according to the w3c schemas they indicate in their xsd:schemaLocations.  
>The
>documents arrive at a high rate and must be processed as quickly as 
>possible.
>The exact schemas they employ are not known ahead of time and there may be
>several of them required to validate each document.
>
>My question is, what library/libraries are appropriate in this situation 
>and
>how do I tell them to only load the required schema(s) only once?  Any
>advice?
>
>Thanks,
>Chris
>

Prev by Date: Re: [xml-dev] electronic newspaper
Next by Date: RE: [xml-dev] Choosing a target name for a processing instruction
Previous by thread: Re: [xml-dev] electronic newspaper
Next by thread: RE: [xml-dev] Choosing a target name for a processing instruction
Index(es):
- Date
- Thread