Page MenuHomePhabricator
Create Task
Maniphest T96700

Lock down public Blazegraph instance
Closed, ResolvedPublic
Actions

Description

Blazegraph allows new triples to be added through its :9999 interface, which is sadface for hosting a public instance. This epic is here to capture the various security issues blocking a public-facing release of WDQS.

At a minimum, the public will need:

  • POST access to :9999/bigdata/namespace/<namespace>/sparql to submit SPARQL queries.
    • Can we restrict SPARQL queries that lead to inserts/updates/deletes?

Related Objects
Search...

Event Timeline

Jdouglas created this task.Apr 21 2015, 4:16 PM
Jdouglas raised the priority of this task from to Medium.
Jdouglas updated the task description. (Show Details)
Jdouglas added projects: Discovery-ARCHIVED, Wikidata-Query-Service, Epic.
Jdouglas subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2015, 4:16 PM
Jdouglas updated the task description. (Show Details)Apr 21 2015, 5:01 PM
Jdouglas set Security to None.
Smalyshev subscribed.EditedApr 21 2015, 5:28 PM

Why would they need POST access? POST is used for update queries. I don't think we should allow public to update. The regular queries go through GET interface.

JanZerebecki subscribed.Apr 22 2015, 10:40 AM
Smalyshev added a parent task: T96579: EPIC: Deploy Wikidata Query 0.1 Release in labs as official service.May 5 2015, 12:21 AM
Smalyshev removed a parent task: T96579: EPIC: Deploy Wikidata Query 0.1 Release in labs as official service.May 5 2015, 5:55 PM
Manybubbles moved this task from Needs triage to WDQS on the Discovery-ARCHIVED board.May 7 2015, 7:52 PM
Smalyshev added a parent task: T85159: [EPIC] Deploy a Wikidata Query Service into production.Jun 2 2015, 5:52 PM
Smalyshev added a parent task: T103907: Develop external hardening rules for WDQS.Jun 25 2015, 8:18 PM
Lydia_Pintscher added a project: Wikidata.Jul 10 2015, 1:36 AM
Lydia_Pintscher subscribed.
Lydia_Pintscher moved this task from incoming to monitoring on the Wikidata board.Jul 12 2015, 12:33 AM
Smalyshev closed this task as Resolved.Aug 5 2015, 10:40 PM
Smalyshev claimed this task.

I think this is done, Blazegraph only listens to localhost:9999 now and nginx proxy does not allow POST to pass to it.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL