Hi - I have a possible security issue:
My scenario is the following:
- User posts CGI variables into my service
- IS determines service to call dynamically
- IS calls this service and passes pipeline as input to that service
- Dynamically chosen service customizes variables posted by user
Imagine two similarly named variables existed in the pipeline – say, both named “AllowAccess”. Now if the Flow subsequently “wired” the AllowAccess variable to a service input, which of the two AllowAccess variables will bind to the service input at runtime?
A clearPipeline call is of no use here. Since I don’t know which variables the user posts in at runtime, I may be clearing variables required by the dynamically chosen service invoked later on.
This gives rise to a security issue. If the user knew which variables I used in my services, he could rather cleverly post in a CGI variable called AllowAccess, and set it to “true”.
To work around this, as the first step in the pipeline, I will manually drop AllowAccess (as well as other variables used later in the internal control flow of my services).
- How does WM decide which of two or more similarly-named variables to use, to, say, bind to a service input?
- Is the above precaution adequate? (“dropping” control flow variables)
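
The precaution described in the post, sketched as an added example that is not part of the original post and not webMethods code: a Python model in which the pipeline is an ordered list of name/value pairs, so duplicate names can exist. The entry step removes every occurrence of each control variable, then sets it from a server-side decision before dispatch; all function names, the `service` and `customer` fields and the sample request are assumptions made for illustration.

```python
# Model only: a pipeline is an ordered list of (name, value) pairs, so the same
# name can occur more than once. None of this is the webMethods API.
RESERVED = frozenset({"AllowAccess"})  # control-flow names; extend per service

def scrub(pipeline, reserved=RESERVED):
    """Remove every occurrence of each reserved name; return (kept, dropped)."""
    kept, dropped = [], []
    for name, value in pipeline:
        (dropped if name in reserved else kept).append((name, value))
    return kept, dropped

def lookup(pipeline, name, last=False):
    """Return the first (or last) value bound to name, or None if absent."""
    matches = [v for n, v in pipeline if n == name]
    if not matches:
        return None
    return matches[-1] if last else matches[0]

def entry_service(posted, authorize, services):
    """Scrub posted variables, set control variables server-side, dispatch."""
    pipeline, dropped = scrub(posted)
    # The control variable is written only after the scrub, so exactly one
    # AllowAccess exists and it no longer matters which duplicate would bind.
    pipeline.append(("AllowAccess", "true" if authorize(pipeline) else "false"))
    target = services.get(lookup(pipeline, "service"))
    if target is None:
        return "unknown service", dropped
    return target(pipeline), dropped

def report_service(pipeline):
    # Hypothetical dynamically chosen service that trusts AllowAccess.
    if lookup(pipeline, "AllowAccess") != "true":
        return "denied"
    return "report for " + lookup(pipeline, "customer")

# Constructed request: the caller posts AllowAccess twice plus a normal field.
POSTED = [("service", "report"), ("AllowAccess", "true"),
          ("customer", "acme"), ("AllowAccess", "true")]
SERVICES = {"report": report_service}

def deny_all(pipeline):
    return False  # stand-in for a real server-side authorization check

if __name__ == "__main__":
    print(entry_service(POSTED, deny_all, SERVICES))
```

Unlike a full pipeline clear, the scrub leaves `customer` in place for the dynamically chosen service, and the dropped pairs are returned so the attempt can be logged.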