IRIs are terms can be misdefined #155

Closed
@gkellogg

JSON-LD provided no real limits on what can be defined as a term. In fact, it's possible to define either a compact IRI or an absolute IRI as a term which maps to something completely different, which is likely a security problem.

This needs to be fixed in JSON-LD 1.1 and marked as an erratum for JSON-LD 1.0.

Consider the following document:

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/",
    "foaf:name": {"@id": "schema:name"},
    "http://xmlns.com/foaf/0.1/Person": {"@id": "schema:Person"}
  },
  "@type": "http://xmlns.com/foaf/0.1/Person",
  "foaf:name": "Danbri"
}

This actually expands to the following:

[
  {
    "@type": [
      "http://schema.org/Person"
    ],
    "http://schema.org/name": [
      {
        "@value": "Danbri"
      }
    ]
  }
]

The syntax document needs to place restrictions on terms which are compact IRIs or absolute IRIs, such that they either do not include @id in their definition, or that it expands to the same IRI as if there were no @id present. A term looking like a compact IRI without a corresponding prefix definition would be treated as an absolute IRI.

Moreover, context processing should reject any term which looks like an absolute IRI (e.g., http://xmlns.com/foaf/0.1/Person above), as it opens another corner-case when compacting and no term is available to match the value to be compacted, which falls back to use the absolute IRI, but if that's defined as a term, it will be incorrect.

Given the following input document:

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/"
  },
  "@type": "http://xmlns.com/foaf/0.1/Person",
  "foaf:name": "Danbri"
}

and the following context:

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/",
    "foaf:name": {"@language": "de"},
    "http://xmlns.com/foaf/0.1/name": {"@language": "en"}
  },
  "@type": "http://xmlns.com/foaf/0.1/Person",
  "foaf:name": "Danbri"
}

The result will be

{
  "@context": {
    "schema": "http://schema.org/",
    "foaf": "http://xmlns.com/foaf/0.1/",
    "foaf:name": {
      "@language": "de"
    },
    "http://xmlns.com/foaf/0.1/name": {
      "@language": "en"
    }
  },
  "@type": "foaf:Person",
  "http://xmlns.com/foaf/0.1/name": "Danbri"
}

But, as http://xmlns.com/foaf/0.1/name is defined to have @language: en, expanding this won't get back to the original; it will add @language: en to the "Danbri" value object.

[
  {
    "@type": [
      "http://xmlns.com/foaf/0.1/Person"
    ],
    "http://xmlns.com/foaf/0.1/name": [
      {
        "@language": "en",
        "@value": "Danbri"
      }
    ]
  }
]
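
Added example, not part of the original issue and not code from any JSON-LD implementation: a small context audit that applies the two restrictions proposed above to the contexts shown in the issue. The function names are hypothetical, and the check assumes a single local context object whose prefixes map directly to absolute IRIs (no @vocab, no remote or nested contexts).

```python
import json

def iri_of(defn):
    """IRI a term definition maps to, or None when it carries no @id."""
    if isinstance(defn, str):
        return defn
    return defn.get("@id") if isinstance(defn, dict) else None

def expand(value, ctx):
    """Expand prefix:suffix using ctx; anything else is taken as an absolute IRI."""
    prefix, sep, suffix = value.partition(":")
    if not sep or suffix.startswith("//"):
        return value
    base = iri_of(ctx.get(prefix))
    return base + suffix if base else value

def audit_context(ctx):
    """Return (term, reason) pairs for term definitions the issue asks to restrict."""
    findings = []
    for term, defn in ctx.items():
        if term.startswith("@") or ":" not in term:
            continue  # keywords and plain terms are not covered by this check
        prefix, _, suffix = term.partition(":")
        target = iri_of(defn)
        # Rule 1: an @id on an IRI-shaped term must expand to the term's own IRI.
        if target is not None and expand(target, ctx) != expand(term, ctx):
            findings.append((term, "remapped to " + expand(target, ctx)))
        # Rule 2: a term that is itself an absolute IRI (or has no defined
        # prefix, so is treated as one) should not be defined at all.
        if suffix.startswith("//") or prefix not in ctx:
            findings.append((term, "absolute IRI used as term"))
    return findings

# The two contexts shown in the issue above.
REMAPPING = json.loads("""{
  "schema": "http://schema.org/",
  "foaf": "http://xmlns.com/foaf/0.1/",
  "foaf:name": {"@id": "schema:name"},
  "http://xmlns.com/foaf/0.1/Person": {"@id": "schema:Person"}
}""")
LANGUAGE = json.loads("""{
  "schema": "http://schema.org/",
  "foaf": "http://xmlns.com/foaf/0.1/",
  "foaf:name": {"@language": "de"},
  "http://xmlns.com/foaf/0.1/name": {"@language": "en"}
}""")

if __name__ == "__main__":
    for name, ctx in (("remapping", REMAPPING), ("language", LANGUAGE)):
        for term, reason in audit_context(ctx):
            print(f"{name}: {term}: {reason}")
```

A consumer that accepts contexts from outside its trust boundary can run a check of this kind before expansion and refuse any context that produces findings.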
