[MOBY-dev] data by reference - a request for comments

José María Fernández González jmfernandez at cnio.es
Thu Jul 24 13:34:05 UTC 2008


Hi Pieter,
	I agree with you about the references to primary Simple and Collection 
articles: they are absolutely needed. References to Secondary parameters can 
be needed to copy/use the same values in other calls. I am not strongly 
against references to full mobyData elements, but they should be considered 
and used very carefully, because they can add more mobyData elements than you 
wanted, and you cannot check duplicity of queryIds until all the referenced 
mobyData elements are fetched.

	With an ill-designed service (or libraries) and a carefully built XInclude 
reference, with no checks, local contents (from the computer or the intranet) 
could be referenced and perhaps obtained. With an even more ill-designed 
service (or libraries) and a carefully built XInclude reference, an external 
hacker could fire OOM (Out Of Memory) or buffer overflow conditions.

	Best Regards,
		José María

Pieter Neerincx wrote:
> Hi José,
> 
> I don't understand how references could be a security risk. And if they are, 
> why the level at which you could use them would impact security. Could 
> you please explain?
> 
> If references to mobyData blocks are not an option having at least 
> references to BioMoby articles would already be a big help. Secondaries 
> are usually very small so I wouldn't need / use references there, but 
> for primary Simple and especially for primary Collection articles it 
> would be a big plus!
> 
> Cheers,
> 
> Pi
> 
> On 23 Jul 2008, at 19:47, José María Fernández González wrote:
> 
>> IMHO it can be dangerous for the MOBY payload integrity using XInclude 
>> at mobyContent children (mobyData) level, but it can be needed in 
>> scenarios like the one described by Pieter. For security reasons, 
>> XInclude / XLink / XPointer should be restricted to the contents of 
>> mobyData, not to MOBY Data itself. For instance, references to Simples 
>> or Collections, Collections composed of a mixture of Simples and 
>> references to Simples, or Secondary parameters copied from run to run.
>>
>>     Best Regards,
>>         José María
>>
>> Mark Wilkinson wrote:
>>> On Wed, 23 Jul 2008 08:06:38 -0700, Pieter Neerincx 
>>> <pieter.neerincx at gmail.com> wrote:
>>>> That doesn't sound very appealing to me. I use quite large data 
>>>> structures and can have tens of thousands of them in a collection 
>>>> (think of oligos for micro arrays.) If I can only replace the 
>>>> primitives with references, I would still have to send a BioMoby XML 
>>>> structure with hundreds of thousands of references replacing the 
>>>> primitives.
>>> Hmmm... that's a situation that we had NEVER considered!  Putting 
>>> xlinks into a component of the Moby message higher than the mobyData 
>>> block was not a scenario that came up during our discussions in 
>>> Tokyo.  The xlink was really only intended to carry data, not data + 
>>> moby message structure...  but I suppose it COULD!
>>> How do others feel about this?
>>> M
>>
>> _______________________________________________
>> MOBY-dev mailing list
>> MOBY-dev at lists.open-bio.org
>> http://lists.open-bio.org/mailman/listinfo/moby-dev
> 
> -------------------------------------------------------------
> Wageningen University and Research centre (WUR)
> Laboratory of Bioinformatics
> Transitorium (building 312) room 1034
> 
> Dreijenlaan 3
> 6703 HA Wageningen
> The Netherlands
> 
> phone:  +31 (0)317-483 060
> mobile: +31 (0)6-143 66 783
> e-mail: pieter.neerincx at gmail.com
> skype:  pieter.online
> -------------------------------------------------------------

-- 
"There is no reason why anybody would want a computer in their home" -
	Ken Olson, founder of DEC 1977
"640K ought to be enough for anybody" - Bill Gates, 1981
"Nobody will ever outgrow a 20Mb hard drive." - ???

"Premature optimization is the root of all evil." - Donald Knuth

José María Fernández González
Tlfn: (+34) 91 732 80 00 / 91 224 69 00 (ext 3061)
e-mail: jmfernandez at cnio.es		Fax: (+34) 91 224 69 76
Unidad del Instituto Nacional de Bioinformática
Biología Estructural y Biocomputación	Structural Biology and Biocomputing
Centro Nacional de Investigaciones Oncológicas
C.P.: 28029				Zip Code: 28029
C/. Melchor Fernández Almagro, 3	Madrid (Spain)

**CONFIDENTIALITY NOTICE** This email communication and any attachments may contain confidential and privileged information for the sole use of the designated recipient named above. Distribution, reproduction or any other use of this transmission by any party other than the intended recipient is prohibited. If you are not the intended recipient please contact the sender and delete all copies.
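
An added example, not part of the original thread and not BioMoby code: a pre-flight check that a service could run before any XInclude is resolved, enforcing the restriction argued for above (references only inside mobyData, never as children of mobyContent) and refusing references to local or intranet content. The allowed host, the include cap and the sample message are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
ALLOWED_HOSTS = {"data.example.org"}  # assumption: hosts the service trusts
MAX_INCLUDES = 1000                   # assumption: cap on references per message

# Constructed sample message, not taken from the thread.
SAMPLE = """<MOBY xmlns="http://www.biomoby.org/moby"
      xmlns:xi="http://www.w3.org/2001/XInclude">
  <mobyContent>
    <mobyData queryID="q1">
      <Collection articleName="oligos">
        <xi:include href="https://data.example.org/oligos/1.xml"/>
        <xi:include href="file:///some/local/file"/>
        <xi:include href="http://intranet.local/page.xml"/>
      </Collection>
    </mobyData>
    <xi:include href="https://data.example.org/more-queries.xml"/>
  </mobyContent>
</MOBY>"""


def check_includes(xml_text):
    """Return policy violations; an empty list means the message passes."""
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE not accepted"]  # no DTDs or entities in messages
    root = ET.fromstring(xml_text)  # ElementTree leaves xi:include unresolved
    problems, count = [], 0
    stack = [(root, False)]  # (element, are we inside a mobyData block?)
    while stack:
        elem, inside = stack.pop()
        for child in elem:
            if child.tag != XI_INCLUDE:
                name = child.tag.rsplit("}", 1)[-1]  # drop the namespace
                stack.append((child, inside or name == "mobyData"))
                continue
            count += 1
            href = child.get("href", "")
            url = urlsplit(href)
            if not inside:
                problems.append(f"include outside mobyData: {href}")
            elif url.scheme not in ("http", "https"):
                problems.append(f"scheme not allowed: {href}")
            elif url.hostname not in ALLOWED_HOSTS:
                problems.append(f"host not allowed: {href}")
    if count > MAX_INCLUDES:
        problems.append(f"too many includes: {count}")
    return problems
```

Because the include at mobyContent level is rejected before anything is fetched, the set of mobyData blocks and their queryIDs is known from the message itself. Size and time limits on the fetched documents still have to be enforced by whatever resolves the accepted references.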



