ietf-wg-jsonpath / draft-ietf-jsonpath-base

Development of a JSONPath internet draft
https://ietf-wg-jsonpath.github.io/draft-ietf-jsonpath-base/

Attack vector of extracting a regexp from the argument #458

Closed glyn closed 1 year ago

glyn commented 1 year ago

@timbray wrote on the mailing list:

> I have to confess that the notion of running a match against a regexp which is extracted from the argument makes my skin crawl a little. Feels like an attack vector.

I think this deserves discussion in an issue.

cabo commented 1 year ago

I'm not sure how this is a much more viable attack vector than putting in the same string in the query. Of course, we'd need to discuss which parts are controlled by whom here. But, in the end, iregexps are much less attackable than general PCRE or JavaScript regexes, so we are already on the safe side.

timbray commented 1 year ago

On reflection, I think this is a false alarm, as Carsten says it's not worse. Closing.