TAP, automated site monitoring, and gzip encoding.
seaman at noao.edu
Thu Jun 30 13:43:44 PDT 2011
You might also investigate:
for this purpose. FPACK already supports this option:
"Paranoia" is a pretty good requirement to fold into data compression options :-)
On Jun 30, 2011, at 1:35 PM, Tom McGlynn wrote:
> NASA sites are a prominent target for hackers and so Goddard uses automated tools that look for a variety of exploits including SQL injection attacks. Currently TAP schema queries can trigger these. While our security folks don't want to be too specific as to what the triggers are I believe that the combination of:
> Support of arbitrary SQL in the query
> Lack of passwords
> Results that look like table schemas (because they are)
> Output in clear text
> play a major role in making things look suspicious. While they can turn off checking altogether that would mean that any real successful SQL injection attack could go undetected and we have lots of attempts every day.
> One solution that I had hoped might work was to use a GZIP transfer encoding (or content encoding) for the query results. Unfortunately it doesn't look like clients currently note the HTTP encoding headers.
> NASA is probably a bit more paranoid about this than some, but I suspect that this will become a more common issue as time goes on.
> Support for content or transfer encoding is an HTTP level issue so I don't think it requires any change to the TAP standard, just clients that look for the appropriate HTTP headers. Would it be reasonable to request that clients support gzip encoding? In addition to address this security issue I suspect this would generally substantially decrease the size of downloaded data and make our queries more responsive.
> Tom McGlynn
More information about the dal