Summary
The SPIFFE ID specification (§2) restricts path segment characters to `[a-zA-Z0-9.-_]`. ZeroID does not validate `external_id` (and other path-contributing fields such as `account_id`, `project_id`, `identity_type`) against this character set before embedding them in the SPIFFE URI. A caller can register an identity with a `/`, `@`, space, or other forbidden character, producing a malformed SPIFFE ID that violates the spec.
Location
Identity registration / SPIFFE URI construction — wherever `spiffe://{domain}/{account_id}/{project_id}/{identity_type}/{external_id}` is assembled.
Impact
- Malformed SPIFFE IDs cannot be parsed or validated by conformant SPIFFE libraries.
- Path traversal-style values (e.g. `external_id = "../admin"`) could cause unexpected trust-domain matching.
Fix
Add input validation at registration time rejecting any field that will appear in the SPIFFE URI path if it contains characters outside `[a-zA-Z0-9.-_]`.
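One way to implement this check, as an added example that is not ZeroID's own code: each path field is validated byte by byte before the URI is assembled, which avoids pasting `[a-zA-Z0-9.-_]` into a regex engine, where `.-_` is read as a range that admits `/` and `@`. It also rejects empty segments and the dot segments `.` and `..`, which pass the character check but are disallowed in SPIFFE ID paths. Assumptions: the names `validSegment` and `BuildSPIFFEID` are hypothetical, the sample inputs are constructed, and the trust domain is taken as already validated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validSegment reports whether s may be used as one SPIFFE ID path segment.
func validSegment(s string) error {
	if s == "" {
		return errors.New("empty segment")
	}
	if s == "." || s == ".." {
		return errors.New("dot segment")
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case c == '.', c == '-', c == '_':
		default:
			return fmt.Errorf("forbidden character %q at offset %d", c, i)
		}
	}
	return nil
}

// BuildSPIFFEID (hypothetical helper) validates every path field, then assembles the URI.
func BuildSPIFFEID(domain, accountID, projectID, identityType, externalID string) (string, error) {
	fields := []struct{ name, value string }{
		{"account_id", accountID}, {"project_id", projectID},
		{"identity_type", identityType}, {"external_id", externalID},
	}
	parts := make([]string, 0, len(fields))
	for _, f := range fields {
		if err := validSegment(f.value); err != nil {
			return "", fmt.Errorf("%s: %w", f.name, err)
		}
		parts = append(parts, f.value)
	}
	return "spiffe://" + domain + "/" + strings.Join(parts, "/"), nil
}

func main() {
	// Constructed sample inputs, including the values named in this report.
	for _, id := range []string{"agent-01", "../admin", "a@b", "..", "has space"} {
		uri, err := BuildSPIFFEID("example.org", "acct1", "proj1", "agent", id)
		fmt.Printf("%q -> %q, err=%v\n", id, uri, err)
	}
}
```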
Reference
- SPIFFE spec §2.3: "Path … may include any combination of the following characters: `[a-zA-Z0-9.-_]`"