Wrong use of `pattern` in examples
Closed this issue · 1 comments
Looking at the current editor's draft, it seems that the JSON schema pattern feature is used in a wrong way in most of the examples.
pattern always represents a regular expression, not a static string match. There's also no implicit anchoring.
That means that, for example, the definition
"id": {
"type": "string",
"pattern": "https://bank-standards.example.com#accounts"
}
matches the string https://bank-standards.example.com#accounts but also https://bank-standardsxexample.com#accounts (different domain) and https://bank-standards.example.com#accountsAndWhatNot (substring matching).
The definition
"pattern": "did:example:123|did:example:456"
matches the string xdid:example:123x.
A demo of these problems in JSON schema can be found here.
This is a potential security issue.
Regular expressions need to be anchored explitly (using $ and ^) and any special characters need to be escaped properly. const should be used where pattern is not required.
Discussed on a DIF call:
@danielfett very reasonable concern. We discussed as a group and see two areas of improvement:
- Fix the examples
- Mention syntax related standard JSONSchema regex syntax: to https://json-schema.org/understanding-json-schema/reference/regular_expressions.html
To address by 2.1.