
inrupt.com does not accept application/ld+json #1389

Open
scenaristeur opened this issue Dec 20, 2021 · 8 comments
Labels
bug Something isn't working Triaged This means that we've a ticket to look at this in the future

Comments


scenaristeur commented Dec 20, 2021

inrupt.com does not accept application/json+ld as a MIME type, only application/json.

Shouldn't the Inrupt Enterprise server accept application/json+ld?

    import { overwriteFile, getSourceUrl } from "@inrupt/solid-client";

    // Wrapper name and the `sc` (session) parameter are assumed for this excerpt.
    // n is the node to persist; n['ve:url'] is its target URL on the Pod and
    // sc.fetch is the authenticated fetch of the current session.
    async function saveNode(n, sc) {
      try {
        const savedFile = await overwriteFile(
          n['ve:url'],
          new Blob([JSON.stringify(n, undefined, 2)], { type: "application/json" }),
          { contentType: "application/json", fetch: sc.fetch }
          // the JSON-LD variant that the server rejects:
          // new Blob([JSON.stringify(n, undefined, 2)], { type: "application/ld+json" }),
          // { contentType: "application/ld+json", fetch: sc.fetch }
        );
        console.log(`File saved at ${getSourceUrl(savedFile)}`);
        //n.url = await getSourceUrl(savedFile)
        //  store.dispatch('nodes/saveNode', n)
        return n
      } catch (e) {
        console.log(e)
      }
    }

The app: https://scenaristeur.github.io/verse/
The code: https://github.com/scenaristeur/verse/blob/e2e7f4c895d62222d33eee6d05e6033c2c96e36c/src/plugins/solid-data.js#L55

[screenshot: Capture du 2021-12-20 10-06-37]
[screenshot: Capture du 2021-12-20 10-05-55]

@scenaristeur scenaristeur added the bug Something isn't working label Dec 20, 2021
@acoburn
Contributor

acoburn commented Dec 20, 2021

The mime-type application/json+ld is not valid. Perhaps you mean application/ld+json?

@scenaristeur scenaristeur changed the title inrupt.com does not accept application/json+ld inrupt.com does not accept application/ld+json Dec 20, 2021
@scenaristeur
Author

scenaristeur commented Dec 20, 2021

@acoburn sorry, a mis-copy. I've got ld+json in the code; fixed in the issue.

@acoburn
Contributor

acoburn commented Dec 20, 2021

@scenaristeur the server may not support arbitrary external contexts. If you must use JSON-LD for writes, try embedding the context in the data payload.

@scenaristeur
Author

Is there a list of compatible / non-arbitrary external contexts?

@ThisIsMissEm
Contributor

@acoburn I just saw this, and I'm wondering why ESS would care about the contentType of a file (i.e., an arbitrary blob of data)? The code above is using overwriteFile.

@acoburn
Contributor

acoburn commented Mar 2, 2022

In order to support content negotiation (per Solid protocol) for RDF resources, if a client uploads a JSON-LD document and then tries to content negotiate the representation as Turtle, the server necessarily has to download the (arbitrary) context URL.

A client forcing a server to download arbitrary resources on the web is a classic example of Server Side Request Forgery. Without any sort of allow list of the remote context documents, you can use your imagination for the kinds of exploits that are possible here.
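As an added example (not code from this issue, from @inrupt/solid-client or from ESS), here is the server-side check that the comment above implies: walk a JSON-LD payload, separate inline context definitions (objects, nothing to fetch) from remote references (string values of `@context`, plus JSON-LD 1.1 `@import`), and refuse to dereference any remote context whose origin is not on an allow list. It also carries the client-side workaround from the earlier comment, embedding the context in the payload so the server never needs to fetch it. The allow list, the document shapes and the `internal.example` host are constructed for the example.

```javascript
// Added example: allow-listing remote JSON-LD contexts before a server fetches them.
// Not part of this issue, @inrupt/solid-client or ESS; names and data are constructed.

// Collects every remote context reference in a JSON-LD document.
// A @context value may be a string (remote URL), an object (inline definition,
// nothing to fetch) or an array mixing both; inline definitions can carry
// scoped @context entries and JSON-LD 1.1 @import, so the walk is recursive.
function collectRemoteContexts(node, found = new Set()) {
  if (Array.isArray(node)) {
    for (const item of node) collectRemoteContexts(item, found);
    return found;
  }
  if (node === null || typeof node !== "object") return found;
  for (const [key, value] of Object.entries(node)) {
    const isContextKey = key === "@context" || key === "@import";
    const entries = Array.isArray(value) ? value : [value];
    for (const entry of entries) {
      if (isContextKey && typeof entry === "string") {
        found.add(entry); // remote reference: the server would have to dereference it
      } else {
        collectRemoteContexts(entry, found); // inline definition or ordinary property
      }
    }
  }
  return found;
}

// Decides whether the server may safely dereference the document's contexts.
// Comparison is by origin, so scheme, host and port all have to match an entry;
// relative or unparsable references are blocked as well.
function checkContexts(doc, allowedOrigins) {
  const remote = [...collectRemoteContexts(doc)];
  const blocked = remote.filter((ref) => {
    let origin;
    try {
      origin = new URL(ref).origin;
    } catch {
      return true; // not an absolute URL: never fetch
    }
    return !allowedOrigins.has(origin);
  });
  return { ok: blocked.length === 0, remote, blocked };
}

// Client-side workaround from the thread: ship the context inline so there is
// nothing for the server to fetch. Replaces the top-level @context of doc.
function withInlineContext(doc, inlineContext) {
  return { ...doc, "@context": inlineContext };
}

// Constructed allow list and documents (not real ESS configuration).
const ALLOWED_CONTEXT_ORIGINS = new Set(["https://www.w3.org", "https://schema.org"]);

const SAFE_DOC = {
  "@context": "https://schema.org",
  "@type": "Person",
  name: "Example node",
};

const RISKY_DOC = {
  "@context": [
    "https://schema.org",
    {
      ve: "http://internal.example/vocab#", // constructed vocabulary prefix
      // a scoped context pointing at a host the server should not be made to contact
      node: { "@id": "ve:node", "@context": "http://internal.example/context.jsonld" },
    },
  ],
  "@type": "ve:node",
  name: "Example node",
};

// Runs the three cases: a clean document, one with a non-allow-listed remote
// context, and the same risky document after its context has been embedded.
function demo() {
  const safe = checkContexts(SAFE_DOC, ALLOWED_CONTEXT_ORIGINS);
  const risky = checkContexts(RISKY_DOC, ALLOWED_CONTEXT_ORIGINS);
  const embedded = checkContexts(
    withInlineContext(RISKY_DOC, {
      ve: "http://internal.example/vocab#",
      name: "https://schema.org/name",
    }),
    ALLOWED_CONTEXT_ORIGINS,
  );
  return { safe, risky, embedded };
}

console.log(JSON.stringify(demo(), null, 2));
```

The decision is made before any network activity, which is the point: a JSON-LD body is only safe to content-negotiate once every context it pulls in is either inline or from an origin the operator chose in advance.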

@ThisIsMissEm
Contributor

In order to support content negotiation (per Solid protocol) for RDF resources, if a client uploads a JSON-LD document and then tries to content negotiate the representation as Turtle, the server necessarily has to download the (arbitrary) context URL.

A client forcing a server to download arbitrary resources on the web is a classic example of Server Side Request Forgery. Without any sort of allow list of the remote context documents, you can use your imagination for the kinds of exploits that are possible here.

Right, but here we're working with a File not a Resource. Though I've just checked the spec and it doesn't seem to differentiate, though our SDK definitely does.

if I upload a File that's an image/png, would it make sense that you would content-negotiate it to turtle? That seems like it'd be asking for trouble?

@acoburn
Contributor

acoburn commented Mar 3, 2022

JSON-LD is an RDF resource. Unless you are uploading that with Content-Type: text/plain or Content-Type: application/octet-stream, that resource will be treated as RDF. Therefore, a client can content negotiate it. This is unrelated to PNGs.

The client may distinguish between Files and Resources, but from a server's perspective, there are two indicators: HTTP Method (e.g., PUT) and Content-Type (e.g., application/ld+json). Given a PUT with application/ld+json, it's an RDF resource, regardless of what the SDK may think it is.

@ThisIsMissEm ThisIsMissEm added the Triaged This means that we've a ticket to look at this in the future label May 4, 2022