JSON.Path Security Considerations
add a text that implementers must not support arbitrary scripting (+ potentially a discussion on potential risks). More context here: JSONpath is a security issue · Issue #398 · decentralized-identity/presentation-exchange (github.com)
Comments (4)
-
reporter -
Copying the suggested text in PR 443 here. for transparency purposes.
+Implementers MUST make sure that JSONpath used as part of `presentation_definition` and `presentation_submission` parameters cannot be used to execute arbitrary scripts on a server. For example, by implementing the entire syntax of the query without relying on the parsers of programming language engine. For details, see Section 4 of [@jsonpath-base].
It would be good if it can suggest how to test that this requirement actually has been correctly implemented.
-
reporter DW suggested asking on IETF ML (JSON.Path list).
-
reporter - changed status to resolved
PR merged
- Log in to comment
PR #443