Wrong use of `pattern` in examples
Looking at the current editor's draft, it seems that the JSON schema `pattern` feature is used in a wrong way in most of the examples.

`pattern` always represents a regular expression, not a static string match. There's also no implicit anchoring.
That means that, for example, the definition

```json
"id": {
  "type": "string",
  "pattern": "https://bank-standards.example.com#accounts"
}
```

matches the string `https://bank-standards.example.com#accounts` but also `https://bank-standardsxexample.com#accounts` (different domain) and `https://bank-standards.example.com#accountsAndWhatNot` (substring matching).
The definition

```json
"pattern": "did:example:123|did:example:456"
```

matches the string `xdid:example:123x`.
A demo of these problems in JSON schema can be found here.
This is a potential security issue.
Regular expressions need to be anchored explicitly (using `$` and `^`) and any special characters need to be escaped properly. `const` should be used where `pattern` is not required.
Discussed on a DIF call:
@danielfett very reasonable concern. We discussed as a group and see two areas of improvement:
- Fix the examples
- Mention syntax related standard JSONSchema regex syntax: to https://json-schema.org/understanding-json-schema/reference/regular_expressions.html
To address by 2.1.
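The matching behaviour reported in this issue, and the `const` / anchored-and-escaped alternatives it asks for, as an added example that is not part of the issue or the specification. `validates`, `escapeRegex` and `exactPattern` are hypothetical helpers that model only `type`, `const` and `pattern`; the `did:example:123x` input and the "naive anchor" schema are constructed to show that anchoring an alternation without grouping it is still too permissive.

```javascript
// Simplified model of how a JSON Schema validator applies `const` and `pattern`
// to a string (hypothetical helper, not a full validator).
function validates(schema, value) {
  if (schema.type === "string" && typeof value !== "string") return false;
  if ("const" in schema && value !== schema.const) return false;
  // `pattern` is an unanchored regular-expression search, never a string comparison.
  if ("pattern" in schema && !new RegExp(schema.pattern, "u").test(value)) return false;
  return true;
}

// Escape regex syntax characters so a literal can be embedded in a pattern.
function escapeRegex(literal) {
  return literal.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a pattern that accepts exactly the given literals: escaped, grouped, anchored.
function exactPattern(literals) {
  return "^(?:" + literals.map(escapeRegex).join("|") + ")$";
}

const ID = "https://bank-standards.example.com#accounts";
const schemas = {
  idAsWritten: { type: "string", pattern: ID },
  idConst: { type: "string", const: ID },
  didsAsWritten: { type: "string", pattern: "did:example:123|did:example:456" },
  // Constructed: anchors bind to one alternative each because there is no group.
  didsNaiveAnchor: { type: "string", pattern: "^did:example:123|did:example:456$" },
  didsFixed: { type: "string", pattern: exactPattern(["did:example:123", "did:example:456"]) },
};

const inputs = [
  ID,
  "https://bank-standardsxexample.com#accounts",          // from the issue
  "https://bank-standards.example.com#accountsAndWhatNot", // from the issue
  "did:example:123",
  "xdid:example:123x",                                     // from the issue
  "did:example:123x",                                      // constructed
];

// For each schema, list which of the sample inputs it accepts.
function acceptanceTable() {
  const table = {};
  for (const [name, schema] of Object.entries(schemas)) {
    table[name] = inputs.filter((value) => validates(schema, value));
  }
  return table;
}

console.log(acceptanceTable());
```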