Add security considerations about injection attacks #307
Conversation
These variables need to be translated into the form they take in a
JSONPath query, e.g., by escaping string delimiters, or by only
allowing specific constructs such as `.name` to be formed when the
given values allow that.
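Review bot: "translated into the form they take in a JSONPath query" leaves unclear who performs the translation and what the target form is, which is likely why the point reads as opaque. Suggest stating the requirement directly: application-supplied values must never be concatenated into query text as-is; they are either placed inside a string literal using the escaping rules of the JSONPath grammar, or accepted only where they match a restricted construct (the `.name` case) so that no query syntax can be smuggled in.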
Don't understand this point at all.
values (e.g., by entering them into a Web form).
The resulting class of attacks, *injections* (e.g., SQL injections),
is consistently found among the top causes of application security
vulnerabilities and requires particular attention.
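Review bot: "consistently found among the top causes of application security vulnerabilities" is an empirical claim with no supporting reference; a security-considerations section should cite a source for it or soften the wording to something the document itself can stand behind. It would also help the reader if the sentence before it named the mechanism explicitly: the attack works only when application-controlled values are spliced into the query without the escaping or restriction described above.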
Would be improved by examples?
I am reluctant here. Examples might be used as starting point for potential attackers.
@goessner I understand your reluctance, but the examples are likely to be simple attacks which anyone with the relevant background (attackers, penetration testers, etc.) would think of immediately.
We wanted to add examples, but maybe we can merge this as is. Marking as ready for review.
Let's get this in and polish it later.
No description provided.