json-schema-spec icon indicating copy to clipboard operation
json-schema-spec copied to clipboard

Published 20 hours ago verified publisher icon json-schema-org

Security considerations should mention treating URIs as URLs (from $ref and $schema)

Open Relequestual opened this issue 3 years ago • 2 comments

Related https://github.com/json-schema-org/community/discussions/176

Relequestual avatar May 19 '22 08:05 Relequestual

We mention earlier on that it is NOT required for an implementation to support loading resources from the web (https://json-schema.org/draft/2020-12/json-schema-core.html#rfc.section.8.2.3), but this may not be prominent enough as a warning; we could do with repeating it in the security section. (And possibly generalize to loading from anywhere, including disk.)

karenetheridge avatar May 21 '22 03:05 karenetheridge

Yeah, specifically mention the risks of loading resources controlled by third parties, as well as performance and privacy concerns. e.g. validation that relies on network operations can potentially be blocked by DoS attacks.

Network operations should be limited to hypermedia APIs and similar applications where this risk already exists and is built into the architecture. We sort of mention this in the appropriate sections, but it can be duplicated in security concerns.

awwright avatar May 22 '22 20:05 awwright