User Space Friendliness ( Security | Syntax Highlighting | Syntax Evaluation ) #24

@cedmos

Hi @springcomp,

As you suggested, I want to pick up here in regard to my question in Gitter:

Does anyone have information about security concepts when allowing users to use JMESPath to define some queries that affect how JSON is mapped?

It'll be executed in a V8 JavaScript engine which does share part of the runtime. So basically escaping from the queries would assumably not be an issue, but the data is written back as JSON to a database and I want to somehow limit the scope / context to filter data only (if possible and only if there's a concern about security).

Data is validated with JSON Schema before writing to the database anyway, and the user is limited to query (and write) only data that he has access to, so it should not be possible to write / read other users' stuff.

After you already answered:

As far as I can tell, most implementations are not doing funky dynamic evaluation but are just processing JSON structures.

So there should not be any risks from script injections and such.

Your question targets the JavaScript implementation specifically. I maintain a particular port written in TypeScript which I personally vested to use proper typings.

It's not only "generic security" I'm interested in; I'm looking for the following requirements (priority in that order) to be maybe delivered by one framework or library:

  1. Frontend / Userspace + Backend
    I want to allow users of a (Web-)App to use a JSON Query Language to "qualify" certain data (which is then also "mapped" to new data, like transformed)
  2. Secure Parsing / Safe or Sandboxed Context
    As the resulting data is shared with others it should be secure. Data could contain for example also specification of API-Interfaces etc. so it should not be possible to misuse the querying / transform to "escape" the context of the documents in the collection or change certain parts of the documents that should not be changed
  3. Syntax Highlighting / Validation
    For Monaco Editor (maybe done in the JSON Monarch format they provide) and / or UI / editor that allows common users to do basic queries like "all documents of type = 'draft' with title contains xy or z and tag in ['pending','in progress']" (sorry it's not in JMESPath syntax :-D)
  4. JSON and / or JSON Schema Patching / Transforms
    based on those queries so for example a) create a collection of docs based on one filter b) extract required specs c) create or extend a JSON schema or a JSON (schema based) document with extracted specs

I have or had solutions for each of these implemented or tested (like querying, patching, merging, transforming JSON and JSON Schemas), but JMESPath combined with some JSON Schema validator (ajv) looks like one way to provide this based on two established libraries.

Leading to smaller bundle sizes, fewer dependencies but more important: less steep learning curve for developers and also end users that want to extend the app logic further. Syntax-wise it's also more intuitive than others I evaluated.
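
One way to enforce requirement 2 above (a user-defined query or transform must not change certain parts of a document) before the result is validated and written back, as an added example that is not part of the original issue or of any JMESPath library. `PROTECTED_PATHS`, the function names and the sample documents are assumptions made for illustration.

```javascript
// Added example; PROTECTED_PATHS and all function names are hypothetical.
// Paths are arrays of keys; the sample documents below are constructed.
const PROTECTED_PATHS = [['owner'], ['api', 'endpoint']];

// Resolve a path using own properties only, so a path segment such as
// "constructor" never reaches inherited members of the runtime's objects.
function getPath(doc, path) {
  let cur = doc;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Structural equality for JSON values; object key order is ignored.
function jsonEqual(a, b) {
  if (a === b) return true;
  if (a === null || b === null || typeof a !== 'object' || typeof b !== 'object') return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  return ka.length === kb.length && ka.every((k) =>
    Object.prototype.hasOwnProperty.call(b, k) && jsonEqual(a[k], b[k]));
}

// Compare the stored document with the query/transform result. Returns the
// protected paths that were changed, removed or added; empty means the
// result may go on to JSON Schema validation and the database write.
function changedProtectedPaths(original, transformed, protectedPaths = PROTECTED_PATHS) {
  return protectedPaths
    .filter((p) => !jsonEqual(getPath(original, p), getPath(transformed, p)))
    .map((p) => p.join('.'));
}

// Constructed sample: a stored document and two candidate results.
const stored = { type: 'draft', title: 'Spec', owner: 'u1',
                 api: { endpoint: 'https://api.example.test/v1', tags: ['pending'] } };
const okResult = { ...stored, title: 'Spec (reviewed)',
                   api: { tags: ['in progress'], endpoint: 'https://api.example.test/v1' } };
const badResult = { ...stored, api: { endpoint: 'https://other.example.test', tags: [] } };

console.log(changedProtectedPaths(stored, okResult));  // []
console.log(changedProtectedPaths(stored, badResult)); // [ 'api.endpoint' ]
```

The guard runs on the server side after the query has been evaluated, so it holds regardless of which query library produced the result.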
