OpenID4VP icon indicating copy to clipboard operation
OpenID4VP copied to clipboard
verified publisher icon openid

Security Checks on the DCQL Query

Open simoneonofri opened this issue 6 months ago • 5 comments

During the security analysis of the Digital Credentials API, we identified an issue with using a query language in protocols.

The use of a query language such as DCQL generates a potential vulnerability in terms of injection, as defined by CWE-943:

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query

It is therefore important to indicate in the Security Considerations section or warn the issue to the implementers.

Thanks,

Simone

simoneonofri avatar Jun 25 '25 21:06 simoneonofri

Discussed on yesterday's WG call. We think it would be good to include something about verifiers being careful to form json correctly (particularly in the case where they are, e.g., doing value matching based on potentially untrusted input values), and also to warn wallets to reject invalid json (e.g. enabling 'strict' mode in any json parser if it has such) and possibly to ensure that they only have one component that parses DCQL to avoid inconsistencies if slightly invalid DCQL was parsed differently in different components - so (as noted in some of the above comments) we think we need updates to the text before we can merge this.

jogu avatar Jul 04 '25 07:07 jogu

Discussed on yesterday's WG call. We think it would be good to include something about verifiers being careful to form json correctly (particularly in the case where they are, e.g., doing value matching based on potentially untrusted input values), and also to warn wallets to reject invalid json (e.g. enabling 'strict' mode in any json parser if it has such) and possibly to ensure that they only have one component that parses DCQL to avoid inconsistencies if slightly invalid DCQL was parsed differently in different components - so (as noted in some of the above comments) we think we need updates to the text before we can merge this.

Thank you @jogu! Do you want me to work on the PR text?

simoneonofri avatar Jul 07 '25 07:07 simoneonofri

Thank you @jogu! Do you want me to work on the PR text?

@simoneonofri sure, if you have some ideas on how to address the feedback please feel free to update the PR!

jogu avatar Jul 08 '25 09:07 jogu

@simoneonofri could you please sign IPR for DCP WG (which is a pre-requisite to merging PRs by a contributor)? I don't think we currently have it on file neither for W3C or you as an individual.

Sakurann avatar Aug 21 '25 14:08 Sakurann

WG discussion: @simoneonofri could you please generalize this security consideration applies to the RP request JSON itself and not just the DCQL query?

Sakurann avatar Nov 20 '25 16:11 Sakurann