RFC-2397 URLs in Attachment Fields #1118

Open
drcrallen opened this issue Dec 28, 2023 · 1 comment

@drcrallen

The following is an xAPI JSON blob that validates just fine in https://lrs.adlnet.gov/statementvalidator.

```json
{
    "actor": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "7565a82f-28cf-40f5-9c77-3385b66f2fe6"
        },
        "objectType": "Agent"
    },
    "attachments": [
        {
            "contentType": "text/plain;charset=utf-8",
            "description": {
                "en-US": "The dialog of the conversation"
            },
            "display": {
                "en-US": "Dialog"
            },
            "fileUrl": "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/",
            "length": 108,
            "sha2": "3a93e01587188069c0ac766114159a1e2e4d669c1cf8739ebeae646b15f51a9d",
            "usageType": "http://id.tincanapi.com/attachment/supporting_media"
        }
    ],
    "authority": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "[email protected]"
        },
        "objectType": "Agent"
    },
    "context": {
        "registration": "7565a82f-28cf-40f5-9c77-3385b66f2fe6",
        "revision": "2023-12-13T02:05:35.025Z"
    },
    "id": "05b7935b-de5f-4ae5-9d6d-37441fea71a5",
    "object": {
        "definition": {
            "description": {
                "en-US": "Some kind of description with a kind of long text."
            },
            "extensions": {},
            "name": {
                "en-US": "Introduction"
            },
            "type": "http://adlnet.gov/expapi/activities/simulation"
        },
        "id": "https://some.site.com/workshops/5fafc6e9-a703-438c-bf7f-ccebd0d6a43f",
        "objectType": "Activity"
    },
    "result": {
        "completion": true,
        "duration": "PT18S",
        "score": {
            "scaled": 0.2
        }
    },
    "timestamp": "2023-12-14T04:01:14.315Z",
    "verb": {
        "display": {
            "en-US": "scored"
        },
        "id": "http://adlnet.gov/expapi/verbs/scored"
    },
    "version": "1.0.0"
}
```

This is specifically of note because you can put full documents in the IRL attachment field. The following JavaScript code will parse the field in a way that is expected, and makes it indistinguishable for most systems that blindly pass through the fileUrl value into a JavaScript Fetch statement.

```js
// fetch() accepts a data: URL just like a remote URL and returns its decoded body
const crazyUrl = "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/";
fetch(crazyUrl)
  .then((response) => response.blob())
  .then((blob) => blob.text())
  .then((value) => console.log(value));
```

```python
import datauri  # third-party RFC 2397 parser

crazyUrl = "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/"
d = datauri.parse(crazyUrl)
print(d.data.decode("utf-8"))
```

You can even run the above in your debugging tools. What I cannot really tell is if this actually violates the spec. "data" is a valid scheme and works transparently in JavaScript, and with some minor special handling in Python as long as the library is set up to parse the standard. Is it a violation of the spec to include an RFC-2397 compliant blob of data in the Attachment's fileUrl field?

If not, that seems like a way to accidentally blow up storage expectations on servers recording the xAPI entries.

@thomasturrell
Contributor

You raise an interesting point. The spec does not prevent an LRS from rejecting statements that it considers too large.

From the spec:

> None of these requirements contradict the idea that the LRS is also allowed to be configurable to reject requests and respond or behave differently on the basis of conditions that are out of scope this specification.

It might be worth reading issue #1088; the response from @brianjmiller is particularly useful.
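
One way an LRS could act on the two points in this thread (inline `data:` payloads in `fileUrl`, and the freedom to reject oversized statements), as an added example that is not part of the issue or of the xAPI specification: it bounds the decoded size before decoding and compares the payload with the declared `contentType`, `length` and `sha2`. The 64 KiB limit, the function name and the sample attachment are assumptions constructed for illustration, and `sha2` is assumed to be SHA-256.

```python
import base64
import binascii
import hashlib
from urllib.parse import unquote_to_bytes

MAX_INLINE_BYTES = 64 * 1024  # assumed local policy, not a value from the xAPI spec


def check_attachment(att, max_inline=MAX_INLINE_BYTES):
    """Return a list of policy problems for one xAPI attachment object."""
    url = att.get("fileUrl", "")
    if not url.lower().startswith("data:"):
        return []  # ordinary IRL: nothing is carried inline in the statement
    header, comma, payload = url[5:].partition(",")
    if not comma:
        return ["malformed data URL: missing comma"]
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default media type
    is_b64 = "base64" in params[1:]
    # Bound the decoded size from the encoded length before decoding anything.
    encoded = len(payload.encode("utf-8"))
    upper = encoded * 3 // 4 if is_b64 else encoded
    if upper > max_inline:
        return [f"inline payload too large (up to {upper} bytes)"]
    try:
        data = base64.b64decode(payload, validate=True) if is_b64 else unquote_to_bytes(payload)
    except (binascii.Error, ValueError):
        return ["malformed data URL: invalid base64"]
    problems = []
    if att.get("contentType", "").split(";")[0].strip().lower() != media_type:
        problems.append("contentType does not match data URL media type")
    if att.get("length") != len(data):
        problems.append("length does not match decoded payload")
    # Assumption: sha2 is SHA-256, as the 64 hex digits in the statement above suggest.
    if att.get("sha2", "").lower() != hashlib.sha256(data).hexdigest():
        problems.append("sha2 does not match decoded payload")
    return problems


_body = b"constructed sample dialog"  # constructed input, not taken from the issue
SAMPLE = {
    "contentType": "text/plain;charset=utf-8",
    "fileUrl": "data:text/plain;charset=utf-8;base64," + base64.b64encode(_body).decode(),
    "length": len(_body),
    "sha2": hashlib.sha256(_body).hexdigest(),
}

if __name__ == "__main__":
    print(check_attachment(SAMPLE), check_attachment(SAMPLE, max_inline=8))
```

An empty list means the attachment is either an ordinary IRL or an inline payload that is within the limit and consistent with its declared metadata.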
