Security considerations on untrusted input#748
Conversation
|
|
||
| ## Parsing of untrusted inputs | ||
|
|
||
| Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query. |
There was a problem hiding this comment.
Is there a schema definition available for the authorization request and DCQL query?
There was a problem hiding this comment.
I wouldn't say strict schema, but we are defining the structures in the specification of both
There was a problem hiding this comment.
Discussed this Q on today's APAC WG call. Leaving it for the larger group to discuss tomorrow:
- Do we think JSON schemas can be useful here?
If there are no objections:
2) Do we think it's a 1.1 or 1.2 feature?
There was a problem hiding this comment.
Thu wg discussion:
- no support to define JSON Schema: versioning, it is not standardized, security concerns for remote code execution, etc.
text below might be tweaked better but reads good to strike the balance
- Enforce input validation: Verify that the Authorization Request and DCQL query contain no malformed properties. Unknown parameters MUST be ignored.
There was a problem hiding this comment.
Is there a schema definition available for the authorization request and DCQL query?
There's an (not officially working group endorsed, and not complete as it specialises for mdoc/sd-jwt vc) JSON schema for DCQL query available here: https://gitlab.com/openid/conformance-suite/-/tree/master/src/main/resources/json-schemas/oid4vp?ref_type=heads
Note that it's overly strict (rejects unknown properties, whereas spec requires them to be ignored) as we flag unknown properties in the conformance tests, as it tends to surface typos & misunderstandings of the spec.
|
|
||
| ## Parsing of untrusted inputs | ||
|
|
||
| Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query. |
There was a problem hiding this comment.
Should we mention the response for direct_post requests?
Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
Co-authored-by: Rajvardhan S Deshmukh (he/him) <17696886+deshmukhrajvardhan@users.noreply.github.com>
Fixes the concerns raised in #647 and broadens the scope to untrusted JSON input
Should this also go in 1.0?