unsafe slash-separated scope (schema-path)

### Describe the bug

Very similar to #1849 but for `scope`s (or `schemaPath`s).

https://github.com/eclipsesource/jsonforms/blob/075bbc448cfb2bb209e86d6b1ea6460df23a9f64/packages/core/src/generators/uischema.ts#L115-L202

As you can see in the above snippet, `ref` will be `currentRef` of the generated ui-schema:

https://github.com/eclipsesource/jsonforms/blob/075bbc448cfb2bb209e86d6b1ea6460df23a9f64/packages/core/src/generators/uischema.ts#L169-L176

and it will be used as the `scope` of control elements:

https://github.com/eclipsesource/jsonforms/blob/075bbc448cfb2bb209e86d6b1ea6460df23a9f64/packages/core/src/generators/uischema.ts#L195

But it's created by two string-concatenations (_line 162_ & _line 165_):

https://github.com/eclipsesource/jsonforms/blob/075bbc448cfb2bb209e86d6b1ea6460df23a9f64/packages/core/src/generators/uischema.ts#L162-L165

```typescript
const nextRef: string = currentRef + '/properties';
...
const ref = `${nextRef}/${propName}`;
```
The second one is obviously unsafe. Because we don't know anything about `propName`. It may be `foo/bar/baz`. Then we have issues in `toDataPathSegments()`:

https://github.com/eclipsesource/jsonforms/blob/075bbc448cfb2bb209e86d6b1ea6460df23a9f64/packages/core/src/util/path.ts#L58-L68

Because `toDataPathSegments('#/properties/foo/bar/baz')` will be `['foo', 'baz']`!



### Expected behavior

`/` character should safely be escaped or a `string[]` should be used for `scope`s:

For example:

```typescript
// using string[]:
scope = ['#', 'properties', 'foo/bar/baz']

// AJV-like `instancePath` encoding:
scope = '#/properties/foo~1bar~1baz'
```

Then `toDataPathSegments()` can parse its input correctly and will return `['foo/bar/baz']`.

### Steps to reproduce the issue


 1. Go to [Playground](https://mirismaili.github.io/jsonforms-playground)
 2. Set:
    `JSON-Schema`:
    ```json
    {
      "type": "object",
      "properties": {
        "foo/bar": {
          "type": "string"
        }
      }
    }
    ```
    `UI-Schema`:
    ```json
    false
    ```
    `Data`:
    ```json
    {}
    ```


### Screenshots

![image](https://user-images.githubusercontent.com/15800189/147851756-339e6f95-2f8f-43c1-8228-3d270ec15b42.png)


### In which browser are you experiencing the issue?

Google Chrome v96.0.4664.93 (Official Build) (64-bit)

### Framework

_No response_

### RendererSet

_No response_

### Additional context

_No response_

	const generateUISchema = (
	jsonSchema: JsonSchema,
	schemaElements: UISchemaElement[],
	currentRef: string,
	schemaName: string,
	layoutType: string,
	rootSchema?: JsonSchema
	): UISchemaElement => {
	if (!isEmpty(jsonSchema) && jsonSchema.$ref !== undefined) {
	return generateUISchema(
	resolveSchema(rootSchema, jsonSchema.$ref),
	schemaElements,
	currentRef,
	schemaName,
	layoutType,
	rootSchema
	);
	}

	if (isCombinator(jsonSchema)) {
	const controlObject: ControlElement = createControlElement(currentRef);
	schemaElements.push(controlObject);

	return controlObject;
	}

	const types = deriveTypes(jsonSchema);
	if (types.length === 0) {
	return null;
	}

	if (types.length > 1) {
	const controlObject: ControlElement = createControlElement(currentRef);
	schemaElements.push(controlObject);
	return controlObject;
	}

	if (currentRef === '#' && types[0] === 'object') {
	const layout: Layout = createLayout(layoutType);
	schemaElements.push(layout);

	if (jsonSchema.properties && keys(jsonSchema.properties).length > 1) {
	addLabel(layout, schemaName);
	}

	if (!isEmpty(jsonSchema.properties)) {
	// traverse properties
	const nextRef: string = currentRef + '/properties';
	Object.keys(jsonSchema.properties).map(propName => {
	let value = jsonSchema.properties[propName];
	const ref = `${nextRef}/${propName}`;
	if (value.$ref !== undefined) {
	value = resolveSchema(rootSchema, value.$ref);
	}
	generateUISchema(
	value,
	layout.elements,
	ref,
	propName,
	layoutType,
	rootSchema
	);
	});
	}

	return layout;
	}

	switch (types[0]) {
	case 'object': // object items will be handled by the object control itself
	/* falls through */
	case 'array': // array items will be handled by the array control itself
	/* falls through */
	case 'string':
	/* falls through */
	case 'number':
	/* falls through */
	case 'integer':
	/* falls through */
	case 'boolean':
	const controlObject: ControlElement = createControlElement(currentRef);
	schemaElements.push(controlObject);

	return controlObject;
	default:
	throw new Error('Unknown type: ' + JSON.stringify(jsonSchema));
	}
	};

	generateUISchema(
	value,
	layout.elements,
	ref,
	propName,
	layoutType,
	rootSchema
	);

	export const toDataPathSegments = (schemaPath: string): string[] => {
	const s = schemaPath
	.replace(/anyOf\/[\d]\//g, '')
	.replace(/allOf\/[\d]\//g, '')
	.replace(/oneOf\/[\d]\//g, '');
	const segments = s.split('/');

	const startFromRoot = segments[0] === '#' \|\| segments[0] === '';
	const startIndex = startFromRoot ? 2 : 1;
	return range(startIndex, segments.length, 2).map(idx => segments[idx]);
	};

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

unsafe slash-separated scope (schema-path) #1863

Describe the bug

Expected behavior

Steps to reproduce the issue

Screenshots

In which browser are you experiencing the issue?

Framework

RendererSet

Additional context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

unsafe slash-separated scope (schema-path) #1863

Description

Describe the bug

Expected behavior

Steps to reproduce the issue

Screenshots

In which browser are you experiencing the issue?

Framework

RendererSet

Additional context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions