JSON-LD allows terms with the form of IRI or Compact IRI to be defined which expand to other IRIs from Gregg Kellogg on 2019-04-23 (public-rdf-comments@w3.org from April 2019)

From: Gregg Kellogg <gregg@greggkellogg.net>
Date: Tue, 23 Apr 2019 12:07:12 -0700
To: public-rdf-comments Comments <public-rdf-comments@w3.org>
Cc: W3C JSON-LD Working Group <public-json-ld-wg@w3.org>
Message-Id: <505E519E-5235-4E30-B8B0-2D642239E64E@greggkellogg.net>

As a possible attack vector, JSON-LD allows terms to be defined which would naturally expand to an IRI consistent with their expansion, but with behavior that can be overridden using @id.

For example, consider the following input:

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/",
    "foaf:name": {"@id": "schema:name"},
    "http://xmlns.com/foaf/0.1/Person": {"@id": "schema:Person"}
  },
  "@type": "http://xmlns.com/foaf/0.1/Person",
  "foaf:name": "Danbri”
}

Note how the term “foaf:name” expands to “http://schema.org/name”, and even the IRI "http://xmlns.com/foaf/0.1/Person” can be defined to be “http://schema.org/Person” (of course, more harmful definitions are also possible).

This should be rectified retroactively in JSON-LD 1.1 to disallow terms with the form of an IRI or Compact IRI (which includes relative IRIs) to be defined to expand to anything other than the IRI they would normally expand to. Terms of the form of an Absolute IRI should be disallowed altogether, as the fallback for selecting a property which does not match the definition of a term (say, where the value is a language-tagged string, and the term defines something of type xsd:integer) is to compact using the absolute IRI.

See https://github.com/w3c/json-ld-syntax/issues/155.

Gregg Kellogg
gregg@greggkellogg.net

Received on Tuesday, 23 April 2019 19:07:41 UTC