changed status to open
Add more JSON.Path security considerations in PE
Issue #1846
resolved
Feedback received from Nikos.
I am concerned about what can be used as a "filter". For instance, this example uses a regular expression for the filter pattern. Regular expressions are notorious for enabling DoS attacks (https://www.usenix.org/system/files/sec21-li-yeting.pdf). But it can get even worse. The specification says that the filter can be a "JSON Schema descriptor". I bet that supporting JSON Schema as a filter option will create many security risks.
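One defensive way to handle an untrusted regular-expression filter, added here as an illustration and not code from the issue, the PE project or the JSON.Path specification: compile the pattern with Go's `regexp` package, which implements RE2 semantics (no backreferences, matching time linear in the input), and bound both pattern and input size before anything reaches the engine. The limits, function names and sample values below are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Limits on what a filter may ask the engine to do. These values are
// assumptions for this example, not part of the JSON.Path specification.
const (
	maxPatternLen = 256
	maxInputLen   = 4096
)

// CompileFilterPattern turns an untrusted regular-expression filter into a
// compiled matcher, or refuses it. Go's regexp package implements RE2
// semantics: no backreferences and guaranteed linear-time matching, so a
// pattern that compiles cannot trigger catastrophic backtracking.
func CompileFilterPattern(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("filter pattern too long (%d > %d)", len(pattern), maxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		// Perl-style constructs such as \1 are rejected here, before matching.
		return nil, fmt.Errorf("rejected filter pattern: %w", err)
	}
	return re, nil
}

// ApplyFilter returns the candidate values that match the filter pattern,
// skipping oversized inputs instead of feeding them to the engine.
func ApplyFilter(pattern string, candidates []string) ([]string, error) {
	re, err := CompileFilterPattern(pattern)
	if err != nil {
		return nil, err
	}
	out := []string{}
	for _, c := range candidates {
		if len(c) > maxInputLen {
			continue
		}
		if re.MatchString(c) {
			out = append(out, c)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample data standing in for values selected by a JSON.Path.
	values := []string{"alice@example.com", "bob@example.org", "not-an-address"}
	matched, err := ApplyFilter(`^[a-z]+@example\.com$`, values)
	fmt.Println(matched, err)

	// A pattern relying on a backreference is refused at compile time.
	_, err = ApplyFilter(`(a+)+\1`, values)
	fmt.Println(err)
}
```

The point of the example is that the filter engine's choice decides the risk: a backtracking engine must be guarded with timeouts and pattern audits, whereas an RE2-style engine plus size limits keeps evaluation cost proportional to the input.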
Comments (3)
reporter - changed status to resolved
PR merged. Might have to keep iterating.
Valid concern. Had a discussion on March 6/7 call. Will put a summary later.