W3C home > Mailing lists > Public > public-rdf-comments@w3.org > April 2019

JSON-LD allows terms with the form of IRI or Compact IRI to be defined which expand to other IRIs

From: Gregg Kellogg <gregg@greggkellogg.net>
Date: Tue, 23 Apr 2019 12:07:12 -0700
Message-Id: <505E519E-5235-4E30-B8B0-2D642239E64E@greggkellogg.net>
Cc: W3C JSON-LD Working Group <public-json-ld-wg@w3.org>
To: public-rdf-comments Comments <public-rdf-comments@w3.org>
As a possible attack vector, JSON-LD allows terms to be defined which would naturally expand to an IRI consistent with their expansion, but with behavior that can be overridden using @id.

For example, consider the following input:

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/",
    "foaf:name": {"@id": "schema:name"},
    "http://xmlns.com/foaf/0.1/Person": {"@id": "schema:Person"}
  },
  "@type": "http://xmlns.com/foaf/0.1/Person",
  "foaf:name": "Danbri”
}

Note how the term “foaf:name” expands to “http://schema.org/name”, and even the IRI "http://xmlns.com/foaf/0.1/Person” can be defined to be “http://schema.org/Person” (of course, more harmful definitions are also possible).

This should be rectified retroactively in JSON-LD 1.1 to disallow terms with the form of an IRI or Compact IRI (which includes relative IRIs) to be defined to expand to anything other than the IRI they would normally expand to. Terms of the form of an Absolute IRI should be disallowed altogether, as the fallback for selecting a property which does not match the definition of a term (say, where the value is a language-tagged string, and the term defines something of type xsd:integer) is to compact using the absolute IRI.

See https://github.com/w3c/json-ld-syntax/issues/155.

Gregg Kellogg
gregg@greggkellogg.net
Received on Tuesday, 23 April 2019 19:07:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:59:52 UTC