On Mon, Nov 7, 2022, at 00:19, Shawn Emery via Datatracker wrote:
Reviewer: Shawn EmeryReview result: Has Nits
Hi Shawn, thanks for your review!
This proposed standards draft specifies an extension to the JSON MetaApplication Protocol (JMAP). Specifically this draft defines an extension forcreating, identifying, and retrieving "blobs" of data without the need ofutilizing separate roundtrips.The security considerations section does exist and refers to various ways tomitigate against attacks related to unsupported data types, unauthorized accesscontrol, blob existence leaks, mismatch between data type and data, and thefragmentation of data to bypass scanner checks. I concur with the set ofpossible attacks on this extension, though I do have one question on thissentence:The server SHOULD NOT reject data on the grounds that it is not a validspecimen of the stated type.Is there ever a case that one implementation accepts the data that does notmatch the specified type and then another implementation assumes that the datais that of the specified type? If this is the case then this could lead tovulnerabilities while parsing said data.
The type information isn't stored with the blob, so - you only know the type if it's passed. The idea behind the blob store in JMAP is that it's just octets with no associated meaning.
I would be happy to change this to MUST NOT reject data.
The security consideration section should also initially state somethingsimilar to that of RFC 8621:All security considerations of JMAP [RFC8620] apply to thisspecification. Additional considerations specific to the data typesand functionality introduced by this document are described [below].
I will add this.
General Comments:Thank you for the variety of examples, though it would have been easier to readthem if the request and response were in sequence rather than trying toremember which response went to which request or by scrolling up and down a fewpages to correlate the two.
Unfortunately that's not possible with JMAP, since it's a batch protocol, and the examples are written as batches since that's how they would be used in practice.
I'm not for sure I understand the purpose of the Blob/get:properties:digestfunction. Won't the endpoints be able to do this over the datafield forthemselves?
The idea is that a client with a partial download of a blob is able to calculate the digest of the section it has, and ask the server to verify that it's not corrupted by calculating a digest over the same range.
Editorial Comments:s/of of/of/s/supportedDigestAlgorithms/supportedDigestAlgorithms:/s/in future/in the future/
I believe the last of those is legitimate usage either with OR without the "the", but I'm happy to add it.
Have made these three edits.
All the changes from your review are in -16. I have left the content type checking as SHOULD NOT.
Thanks,
Bron.
--
Bron Gondwana, CEO, Fastmail Pty Ltd
brong@xxxxxxxxxxxxxxxx
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
