presentation-exchange
The "DSL Question" - is JSON Path cross-platform enough and securable enough to encompass all DSLs beyond PE's inbuilt filters?
A list of JSONPath issues in the past points to the possibility that requiring implementers to support/allow "all of" JSONPath without constraints or guidance is a blocker to adoption:
- #278 - @ bug (some libraries may not be spec-conformant with JSONPath's IETF spec itself)
- #294 - See also OIDC4VC thread on moving to a format-specific DSL rather than using JSONPath as superset
- #398 - Description of security issues with JSONPath in a public-facing system
- #399 - eval footgun worth warning people about in implementation guide?
- #419
General consensus on today's call to seriously consider major changes to the evaluation DSL component of PE in v3, such as:
- move to JSONPointer altogether, less dev-friendly but safer/simpler
- make a constrained subset of JSONPath required for conformance, with some forms of JSONPath usage moved to a Feature
- DSL-agility with JSONPath as "translation layer" (shudder)
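
As an added illustration of the first two options above (this is not code from the issue or from the presentation-exchange project): a validator that accepts only a constrained JSONPath subset, rejects filter and script expressions outright, and maps each accepted path to an equivalent JSON Pointer (RFC 6901). The subset chosen here (dot names, quoted bracket names, non-negative indexes) and the function names are assumptions for the example, not a subset defined by the working group.

```javascript
// Added example. The accepted subset is an assumption for illustration,
// not a conformance profile defined by the Presentation Exchange spec.
const DOT_NAME = /^\.([A-Za-z_][A-Za-z0-9_-]*)/;          // .credentialSubject
const BRACKET_NAME = /^\[(?:'([^'\\]*)'|"([^"\\]*)")\]/;  // ['@context']
const BRACKET_INDEX = /^\[(0|[1-9][0-9]*)\]/;             // [0]

// Parse a path into plain key segments. Anything outside the subset throws:
// filters ?(), script expressions (), wildcards, recursive descent, slices, unions.
function parseConstrainedPath(path) {
  if (typeof path !== "string" || path[0] !== "$") {
    throw new Error("path must start with $");
  }
  const segments = [];
  let rest = path.slice(1);
  while (rest.length > 0) {
    const m = DOT_NAME.exec(rest) || BRACKET_NAME.exec(rest) || BRACKET_INDEX.exec(rest);
    if (!m) throw new Error("unsupported JSONPath syntax at: " + rest);
    segments.push(m[1] !== undefined ? m[1] : m[2]);
    rest = rest.slice(m[0].length);
  }
  return segments;
}

// Every path in the subset selects at most one node, so it has a JSON Pointer form.
function toJsonPointer(path) {
  return parseConstrainedPath(path)
    .map((s) => "/" + s.replace(/~/g, "~0").replace(/\//g, "~1"))
    .join("");
}

// Resolve by walking own properties only; no expression is ever evaluated,
// and inherited keys such as constructor or __proto__ are never followed.
function resolve(doc, path) {
  let node = doc;
  for (const key of parseConstrainedPath(path)) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined;
    }
    node = node[key];
  }
  return node;
}

// Constructed sample document (not from the page).
const sample = { vc: { type: ["VerifiableCredential", "UniversityDegreeCredential"] } };
console.log(toJsonPointer("$.vc.type[1]"), "->", resolve(sample, "$.vc.type[1]"));
```
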