[Openid-specs-ab] Issue #1846: Add more JSON.Path security considerations in PE (openid/connect)

Kristina Yasuda issues-reply at bitbucket.org
Mon Mar 6 19:10:42 UTC 2023


New issue 1846: Add more JSON.Path security considerations in PE
https://bitbucket.org/openid/connect/issues/1846/add-more-jsonpath-seucurity-considerations

Kristina Yasuda:

Feedback received from Nikos.

> I am concerned about what can be used as a "filter". For instance [this example](https://identity.foundation/presentation-exchange/spec/v2.0.0/#input-descriptor-extensions) uses a regular expression for the filter pattern. Regular expressions are notorious for enabling DoS attacks ([https://www.usenix.org/system/files/sec21-li-yeting.pdf](https://www.usenix.org/system/files/sec21-li-yeting.pdf)). But it can get even worse. The specification says that the filter can be a "JSON Schema descriptor". I bet that supporting JSON Schema as a filter option will create many security risks.

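As an added illustration of the concern quoted above (not part of the original thread or of any PE implementation): a wallet-side check that accepts a filter `pattern` only under a size bound and evaluates it with Go's RE2-based `regexp`, whose matching time is linear in the input regardless of pattern shape. The field layout follows the `constraints.fields[]` shape of DIF Presentation Exchange v2; `maxPatternLen` and the sample descriptor are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)
// Filter and Field model the constraints.fields[] shape of DIF Presentation
// Exchange v2, limited to the members used here.
type Filter struct {
	Pattern string `json:"pattern"`
}
type Field struct {
	Path   []string `json:"path"`
	Filter *Filter  `json:"filter,omitempty"`
}
// Constructed input descriptor field whose pattern is a textbook
// catastrophic-backtracking shape; a linear-time engine is unaffected by it.
const sampleField = `{"path": ["$.credentialSubject.id"],
  "filter": {"type": "string", "pattern": "^(a+)+$"}}`
const maxPatternLen = 256 // assumed cap on accepted filter patterns

// compileFilterPattern bounds the pattern size, then compiles it with Go's
// RE2-based regexp: backreferences and lookaround are rejected at compile
// time, and matching runs in time linear in the input for any pattern.
func compileFilterPattern(p string) (*regexp.Regexp, error) {
	if len(p) > maxPatternLen {
		return nil, fmt.Errorf("pattern too long: %d > %d", len(p), maxPatternLen)
	}
	return regexp.Compile(p)
}

// matchesFilter applies a field's pattern filter to a claim value; a field
// without a pattern imposes no constraint and so matches.
func matchesFilter(fieldJSON, value string) (bool, error) {
	var f Field
	if err := json.Unmarshal([]byte(fieldJSON), &f); err != nil {
		return false, err
	}
	if f.Filter == nil || f.Filter.Pattern == "" {
		return true, nil
	}
	re, err := compileFilterPattern(f.Filter.Pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(value), nil
}
func main() {
	// A value built to stall a backtracking engine: many "a"s, then "!".
	fmt.Println(matchesFilter(sampleField, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"))
}
```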