Warn of the dangers of malicious text #262

Open
wants to merge 1 commit into
base: main

danielfett
Member

Fixes #259

@danielfett
Member Author

Applies to claims as well (everything, really).

JSON Schema might be malicious as well (e.g., via a regex).

@bc-pi
Collaborator

bc-pi commented Oct 8, 2024

the rat hole is deep ...

Collaborator

@awoie awoie left a comment

I agree with @bc-pi that the rat hole is very deep and we should probably refrain from scratching the surface only.

@awoie awoie added the discuss Discuss label Nov 28, 2024
@bc-pi
Collaborator

bc-pi commented Dec 2, 2024

> I agree with @bc-pi that the rat hole is very deep and we should probably refrain from scratching the surface only.

Or be sufficiently clear that we are just scratching the surface and not even trying to be comprehensive.

Comment on lines +1095 to +1110
## Risks Associated with Displaying Textual Information {#risks-displaying-textual-information}

The `display` property in the Type Metadata allows providers of metadata to
specify human-readable labels and descriptions for claims. Likewise, `name` and
`description` can contain arbitrary textual information that may be displayed to
developers. As such, any consuming application MUST ensure that maliciously
crafted information cannot be used to compromise the security of the application
or the privacy of the user. To this end, the following considerations apply:

- The consuming application MUST ensure that the text is properly escaped before
displaying it to the user or transferring it into other contexts. For example,
if the data is displayed in an HTML document, the text MUST be properly
escaped to prevent Cross-Site Scripting (XSS) attacks.
- The consuming application MUST ensure that the display of the user interface
elements cannot be distorted by overly long text or special characters.
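
Review bot: The MUST in the second bullet is not verifiable as written, because "overly long text or special characters" gives neither a length bound nor the characters that are meant. Consider saying that the consuming application applies its own length limit (truncating for display) and naming the character classes in scope, for example control characters and bidirectional formatting characters, or relax the requirement to SHOULD. In the first bullet, "transferring it into other contexts" would be clearer if it said that the encoding has to match each target context, since HTML escaping only covers the HTML case given as the example. The paragraph also limits itself to `display`, `name` and `description`, while the conversation on this PR points out that claim values carry the same risk.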

Collaborator

Suggested change
## Risks Associated with Displaying Textual Information {#risks-displaying-textual-information}
The `display` property in the Type Metadata allows providers of metadata to
specify human-readable labels and descriptions for claims. Likewise, `name` and
`description` can contain arbitrary textual information that may be displayed to
developers. As such, any consuming application MUST ensure that maliciously
crafted information cannot be used to compromise the security of the application
or the privacy of the user. To this end, the following considerations apply:
- The consuming application MUST ensure that the text is properly escaped before
displaying it to the user or transferring it into other contexts. For example,
if the data is displayed in an HTML document, the text MUST be properly
escaped to prevent Cross-Site Scripting (XSS) attacks.
- The consuming application MUST ensure that the display of the user interface
elements cannot be distorted by overly long text or special characters.
## Risks Associated with Textual Information {#risks-textual-information}
Some claims in the SD-JWT VC and properties in the Type Metadata, e.g., `display`, allows issuers and providers of metadata to
specify human-readable information. These can contain arbitrary textual information that
may be displayed to developers. As such, any consuming application MUST ensure that maliciously
crafted information cannot be used to compromise the security of the application
or the privacy of the user. To this end, the following considerations apply:
- The consuming application MUST ensure that the text is properly escaped before
displaying it to the user or transferring it into other contexts. For example,
if the data is displayed in an HTML document, the text MUST be properly
escaped to prevent Cross-Site Scripting (XSS) attacks.
- The consuming application MUST ensure that the display of the user interface
elements cannot be distorted by overly long text or special characters.
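
Review bot: The replacement paragraph keeps "may be displayed to developers" from the original, but the generalized wording now covers claims in the SD-JWT VC and `display` text, which the first bullet describes as shown "to the user"; suggest "displayed to end users or developers". In the same paragraph, "e.g., `display`, allows issuers" should read "allow" to agree with "Some claims ... and properties". Since the section is renamed to cover textual information in general, a sentence stating that the listed considerations are not exhaustive would match the point raised in the conversation about only scratching the surface; the JSON Schema regex concern mentioned there is a processing risk rather than a display risk and is not covered by either bullet.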

@awoie
Collaborator

awoie commented Dec 3, 2024

> > I agree with @bc-pi that the rat hole is very deep and we should probably refrain from scratching the surface only.
>
> Or be sufficiently clear that we are just scratching the surface and not even trying to be comprehensive.

I tried to make suggestions to this PR to make it more general. This would be another option.
