rdf

2023-05-04T13:37:30.307289Z

Yeah, looks like you can do stuff like this: https://github.com/apache/jena/blob/ba2cdb6211f60d7725d779a8556266a8c0b2d0c5/jena-arq/testing/ARQ/Scripting/js-query-4.rq#L4 The description implies remote code execution, but it looks like it’s local code execution… unless you were to configure eval as one of the custom functions… In which case, yes, it’s opening up a potential DoS, but this is SPARQL, so there are lots of queries you could run to eat CPU/memory etc.

quoll 2023-05-04T18:07:59.656299Z

It’s so easy to shoot yourself in the foot adding a feature like this

quoll 2023-05-04T18:29:00.074079Z

I’ve implemented exactly this feature in both Mulgara and Asami. In the first instance, I backed it out. In the second, I had to manually curate what could and could not be done, and list the clojure.core and clojure.string functions explicitly, so that anything that could interact with the system would be excluded. (It also helped, because it allowed this functionality in the native build of Asami.) But if I just wanted to use eval, then it’s a 1-line implementation; it’s that easy.
