[x3d-public] Remember to validate/verify encoded files!

John Carlson yottzumm at gmail.com
Wed Nov 16 19:05:01 PST 2022


Remember to validate your X3D encoded files! I need to check to see if
x3dom and x_ite have some kind of DOM document validation; JSON can be
validated with Ajv prior to loading. One should use an appropriate schema
(JSON, XML or other). X3DJSAIL already has XML validation in
X3DLoaderDOM.java. X3DJSONLD.java can be used for converting JSON to DOM
documents for validation.

I’m not sure if we have adequate validation for generated binding programs;
use those with care. Validate XML and JSON inputs!

Use of x3djsonld.py to load JSON should only be for pre-beta code as it is
currently incomplete. One should validate the JSON prior to loading with
x3djsonld.py. There are a few JSON validators written in Python.

I’m hoping to get some official endorsement of this approach. Perhaps we
should post to an X3D security page.

JSON Schema resources are available @
https://github.com/coderextreme/x3dschema

I have heard that CSV files need to be validated as well! I don’t quite
get that, except I guess that class and field names can be included in
CSV. You’ll probably have to include your own schema in a separate file!

Also be aware of Python pickled AI model files containing exploits. I have
a video I can share about that (this requires a time commitment, very
in-depth, but leads in with a good overview).
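The standard mitigation for the pickle problem mentioned above is to refuse, before anything executes, every class or function reference in the pickle stream that is not on a short allowlist. The following is an added example, not code from the original post or from any X3D project; the `ModelWeights` class and both pickled "model" byte strings are constructed here for the demonstration.

```python
"""Restricted unpickling: only plain data may be reconstructed.
Added example (not from the original post). The model class and the
two pickles below are constructed for illustration."""
import io
import pickle

# A pickle stream may name arbitrary importables via GLOBAL / STACK_GLOBAL
# opcodes; an unrestricted Unpickler imports and later calls them.
# This allowlist holds the only (module, name) pairs we will resolve.
SAFE_GLOBALS = {
    ("builtins", name)
    for name in ("dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bytes", "bool")
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class consults SAFE_GLOBALS instead of importing."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} referenced by pickle data")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class ModelWeights:
    """Constructed stand-in for a model class that a pickle might reference."""

    def __init__(self, layers):
        self.layers = layers


# Constructed inputs: one pickle holds only builtin containers, the other
# references ModelWeights and therefore needs a class import to load.
PLAIN_MODEL = pickle.dumps({"weights": [0.1, 0.2, 0.3], "labels": ("cat", "dog")})
CLASS_MODEL = pickle.dumps(ModelWeights([0.1, 0.2]))


def check(data: bytes):
    """Return ('ok', obj) when the data loads under the allowlist,
    or ('rejected', reason) when the unpickler refused a reference."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(check(PLAIN_MODEL))
    print(check(CLASS_MODEL))
```

The allowlist is the same idea as the "Restricting Globals" recipe in the Python `pickle` documentation; it stops the import step, which is the point at which a hostile pickle gains code execution. It does not make pickle a safe interchange format, so for model files a format that carries no code references at all is the better long-term choice.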

One should validate both input and output!

As always, be prepared for SQL injection and be aware of other types of
injection.

Validation can be considered domain-specific parsing.  You don’t want
people stepping outside X3D-specific vocabulary.
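The two points above, validating JSON against a schema before the loader sees it and treating validation as a check that nothing steps outside the X3D vocabulary, fit in one short program. This is an added example and not code from X3DJSONLD, x3djsonld.py or the x3dschema repository; the schema is a constructed toy subset of the X3D JSON encoding, the two documents are constructed inputs, and the validator implements only the JSON Schema keywords that subset needs (`type`, `required`, `properties`, `additionalProperties`, `enum`, `items`), so a real deployment would use a full validator such as Ajv or the Python `jsonschema` package with the published schema.

```python
"""Validate an X3D-style JSON document before loading it.
Added example, not from X3DJSONLD or x3dschema. The schema below is a
constructed toy vocabulary and the validator covers only the keywords
that vocabulary uses."""
import json

# Constructed schema: every object closes its key set (additionalProperties
# false) and the version is an enum, so unknown node names or fields are
# reported rather than silently passed on to the loader.
X3D_SCHEMA = {
    "type": "object",
    "required": ["X3D"],
    "additionalProperties": False,
    "properties": {
        "X3D": {
            "type": "object",
            "additionalProperties": False,
            "properties": {
                "@version": {"type": "string", "enum": ["3.3", "4.0"]},
                "Scene": {
                    "type": "object",
                    "additionalProperties": False,
                    "properties": {
                        "-children": {
                            "type": "array",
                            "items": {
                                "type": "object",
                                "additionalProperties": False,
                                "properties": {"Shape": {"type": "object"}},
                            },
                        }
                    },
                },
            },
        }
    },
}

_TYPES = {"object": dict, "array": list, "string": str,
          "number": (int, float), "boolean": bool}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance conforms."""
    errors = []
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(instance, _TYPES[expected])
        if expected == "number" and isinstance(instance, bool):
            ok = False  # bool is an int subclass in Python; keep it separate
        if not ok:
            errors.append(f"{path}: expected {expected}, got {type(instance).__name__}")
            return errors  # the remaining keywords assume the right type
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in allowed vocabulary {schema['enum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required key {key!r}")
        for key, value in instance.items():
            if key in props:
                errors.extend(validate(value, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unknown key {key!r}")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def errors_for(text, schema=X3D_SCHEMA):
    """Parse JSON text and list its schema violations."""
    return validate(json.loads(text), schema)


def load_validated(text, schema=X3D_SCHEMA):
    """Return the parsed document only if it conforms; raise ValueError otherwise."""
    errors = errors_for(text, schema)
    if errors:
        raise ValueError("; ".join(errors))
    return json.loads(text)


# Constructed inputs: GOOD stays inside the vocabulary, BAD uses an unknown
# version, an unknown node name and a stray top-level key.
GOOD = '{"X3D": {"@version": "4.0", "Scene": {"-children": [{"Shape": {}}]}}}'
BAD = ('{"X3D": {"@version": "9.9", "Scene": {"-children": [{"Script": {}}]}},'
       ' "extra": 1}')

if __name__ == "__main__":
    print(load_validated(GOOD)["X3D"]["@version"])
    for err in errors_for(BAD):
        print(err)
```

Each error carries a JSON path, so a rejected file can be reported precisely without the loader ever touching its contents; the loader is called only on the return value of `load_validated`.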

x3djsonld.cpp should probably not be used at this time in long running
programs; it was intended for quick conversion to XML. While validation of
input and output is indicated, none is done. The program itself can be
found in X3DJSONLD. It should be ready for beta-testing.

John