check for currently unsafe json-ld constructs

(cherry picked from commit 67d73f74ac) 45460e99 check for currently unsafe constructs 5ebb8546 move the jsonld unsafe keys check up a little so that it will actually terminate if positive. 363e2ab5 fix invalid json b2362c8c only expand and check jsonld if verifying d21ac6ef jsonld: refactor and hard fail on normalisation or expansion error 2e64496e Merge branch 'dev' into json-ld c0918861 revert always hard fail Co-authored-by: Mario <mario@mariovavti.com>
2026-06-20 16:50:41 -04:00 · 2026-05-18 19:05:16 +00:00
parent 99fd2e1cb9
commit 519b52ccdc
2 changed files with 47 additions and 10 deletions
--- a/Zotlabs/Lib/LDSignatures.php
+++ b/Zotlabs/Lib/LDSignatures.php
@@ -8,9 +8,10 @@ class LDSignatures {


 	static function verify($data,$pubkey) {
+		$expand_and_check_unsafe = true;

-		$ohash = self::hash(self::signable_options($data['signature']));
-		$dhash = self::hash(self::signable_data($data));
+		$ohash = self::hash(self::signable_options($data['signature']), $expand_and_check_unsafe);
+		$dhash = self::hash(self::signable_data($data), $expand_and_check_unsafe);

 		$x = Crypto::verify($ohash . $dhash,base64_decode($data['signature']['signatureValue']), $pubkey);
 		logger('LD-verify: ' . intval($x));
@@ -74,11 +75,11 @@ class LDSignatures {
 		return json_encode($newopts,JSON_UNESCAPED_SLASHES);
 	}

-	static function hash($obj) {
-		return hash('sha256', self::normalise($obj));
+	static function hash($obj, $expand_and_check_unsafe = false) {
+		return hash('sha256', self::normalise($obj, $expand_and_check_unsafe));
 	}

-	static function normalise($data) {
+	static function normalise($data, $expand_and_check_unsafe) {
 		$ret = '';

 		if(is_string($data)) {
@@ -90,6 +91,15 @@ class LDSignatures {

 		jsonld_set_document_loader('jsonld_document_loader');

+		if ($expand_and_check_unsafe) {
+			$expanded = jsonld_expand($data);
+
+			if (self::contains_unsafe_keys($expanded)) {
+				logger('contains_unsafe_keys: ' . print_r($data,true));
+				throw new \Exception('json-ld graph modification operation detected');
+			}
+		}
+
 		try {
 			$ret = jsonld_normalize($data,[ 'algorithm' => 'URDNA2015', 'format' => 'application/nquads' ]);
 		}
@@ -132,6 +142,33 @@ class LDSignatures {

 	}

+	static function contains_unsafe_keys(array|object $data, int $depth = 0): bool
+	{
+		if ($depth > 64) {
+			return true;
+		}

+		$unsafe_keys = ['@graph', '@included', '@reverse'];
+
+		if (is_object($data)) {
+			$data = (array) $data;
+		}
+
+		if (is_array($data)) {
+			foreach ($data as $key => $value) {
+				if (in_array($key, $unsafe_keys)) {
+					return true;
+				}
+
+				if (is_array($value) || is_object($value)) {
+					if (self::contains_unsafe_keys($value, $depth + 1)) {
+						return true;
+					}
+				}
+			}
+		}
+
+		return false;
+	}

 }
--- a/library/w3org/security-data-integrity-v1.jsonld
+++ b/library/w3org/security-data-integrity-v1.jsonld
@@ -4,7 +4,7 @@
    "type": "@type",
    "proof": {
      "@id": "https://w3id.org/security#proof",
-      "@type": "@id",
+      "@type": "@id"
    },
    "DataIntegrityProof": {
      "@id": "https://w3id.org/security#DataIntegrityProof"
@@ -35,19 +35,19 @@
    },
    "assertionMethod": {
      "@id": "https://w3id.org/security#assertionMethod",
-      "@type": "@id",
+      "@type": "@id"
    },
    "authentication": {
      "@id": "https://w3id.org/security#authenticationMethod",
-      "@type": "@id",
+      "@type": "@id"
    },
    "capabilityInvocation": {
      "@id": "https://w3id.org/security#capabilityInvocationMethod",
-      "@type": "@id",
+      "@type": "@id"
    },
    "capabilityDelegation": {
      "@id": "https://w3id.org/security#capabilityDelegationMethod",
-      "@type": "@id",
+      "@type": "@id"
    },
    "keyAgreement": {
      "@id": "https://w3id.org/security#keyAgreementMethod",