JSON.Path Security Considerations

Comments (4)

Kristina Yasuda reporter

2023-02-05T03:04:46+00:00

Nat Sakimura

Copying the suggested text in PR 443 here. for transparency purposes.

+Implementers MUST make sure that JSONpath used as part of `presentation_definition` and `presentation_submission` parameters cannot be used to execute arbitrary scripts on a server. For example, by implementing the entire syntax of the query without relying on the parsers of programming language engine. For details, see Section 4 of [@jsonpath-base].

It would be good if it can suggest how to test that this requirement actually has been correctly implemented.

2023-02-06T23:59:53+00:00

Kristina Yasuda reporter

DW suggested asking on IETF ML (JSON.Path list).

2023-02-09T16:59:37+00:00

Kristina Yasuda reporter

changed status to resolved

PR merged

2023-03-01T06:45:24+00:00

Kristina Yasuda reporter
PR #443
- 2023-02-05T03:04:46+00:00
Nat Sakimura
Copying the suggested text in PR 443 here. for transparency purposes.

+Implementers MUST make sure that JSONpath used as part of `presentation_definition` and `presentation_submission` parameters cannot be used to execute arbitrary scripts on a server. For example, by implementing the entire syntax of the query without relying on the parsers of programming language engine. For details, see Section 4 of [@jsonpath-base].

It would be good if it can suggest how to test that this requirement actually has been correctly implemented.
- 2023-02-06T23:59:53+00:00
Kristina Yasuda reporter
DW suggested asking on IETF ML (JSON.Path list).
- 2023-02-09T16:59:37+00:00
Kristina Yasuda reporter
- changed status to resolved
PR merged
- 2023-03-01T06:45:24+00:00
Log in to comment