[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Bulk XSD validation in Java

  • To: "Stan Kitsis" <skits@m...>,"xml dev" <xml-dev@l...>
  • Subject: RE: Bulk XSD validation in Java
  • From: "Chris Wilper" <cwilper@c...>
  • Date: Tue, 28 Feb 2006 17:26:43 -0500
  • Thread-index: AcY78QweOdUWX9CsQUCGeUwezvtcjAAFLOPVACSkVuAABWIdcA==
  • Thread-topic: Bulk XSD validation in Java

time validation in java
Title: Bulk XSD validation in Java
Hi Stan,
 
The sources are trusted in this case, but the software may be re-used in less secure environments later... so I'd rather deal with the potential vulnerabilities up-front.
 
I'm aware of the old DTD attack, and a few obvious DoS-type attacks I can envision.  Do you have any idea what types of risks might remain if the application employed the following rules?
 
All documents would fail to be parsed if:
  - they contain DTD declarations
  - their size exceeds some acceptable threshold
  - connection and/or retrieval time exceeds some acceptable threshold
 
Schemas would fail to be loaded (and thus parsed or used) if:
  - the # of loaded schemas since the last completed validation
    exceeds some acceptable threshold (a crude guard against
    excessive schema includes within schemas, etc..)
 
Thanks,
Chris


From: Stan Kitsis [mailto:skits@m...]
Sent: Tuesday, February 28, 2006 1:59 PM
To: Chris Wilper; xml dev
Subject: RE: Bulk XSD validation in Java

Chris,

 

Your scenario involves unknown data and unknown schemas.  If the sources of your inputs are not trusted, you are opening yourself to a wide range of potential problems (such as DoS attacks). 

 

Stan

 

--------------------------------------

Stan Kitsis,

Webdata - XML

Microsoft Corporation

--------------------------------------

 


From: Chris Wilper [mailto:cwilper@c...]
Sent: Monday, February 27, 2006 5:54 PM
To: xml dev
Subject: Bulk XSD validation in Java

 

Hi all,

I've got a java process that needs to continously validate xml documents according to the w3c schemas they indicate in their xsd:schemaLocations.  The documents arrive at a high rate and must be processed as quickly as possible.  The exact schemas they employ are not known ahead of time and there may be several of them required to validate each document.

My question is, what library/libraries are appropriate in this situation and how do I tell them to only load the required schema(s) only once?  Any advice?

Thanks,
Chris


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.