
add security note about accessing urls

Open gregsdennis opened this issue 7 months ago • 5 comments

What kind of change does this PR introduce?

clarification

Issue & Discussion References

  • Closes #1231

Summary

Adds a security note about performing network operations when encountering URLs.

The last sentence in the addition was taken directly from @awwright's comment in the issue.

Does this PR introduce a breaking change?

no

gregsdennis avatar Apr 26 '25 09:04 gregsdennis

Minor issue, but otherwise looks good. Thanks!

Relequestual avatar May 06 '25 12:05 Relequestual

FWIW this is what I note for security considerations in my implementation -- https://metacpan.org/pod/JSON::Schema::Modern#SECURITY-CONSIDERATIONS -- as regular expressions provide a potential vector for executing code or creating a DoS.

karenetheridge avatar May 12 '25 21:05 karenetheridge

@karenetheridge thank you. I notice that what you have is particularly focused on regular expressions, which are already included in the validation spec.

gregsdennis avatar May 16 '25 21:05 gregsdennis

I notice that what you have is particularly focused on regular expressions

Yes, since I don't support fetching schemas from disk or the network, I think this is the only direct source of vulnerabilities that a user might not already be aware of.

I think the key to emphasize (and we can repeat it in a few places if relevant) is "do not trust schemas from external sources".

karenetheridge avatar May 16 '25 23:05 karenetheridge
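Added example, not code from the json-schema-spec project or from anyone in this thread: one way an implementation can honour both points above (no network operations when a `$ref` carries a URL, and no trust in schemas from external sources) is to resolve `$ref` only against a table of schemas supplied up front and report, rather than fetch, anything else. `OfflineRegistry`, `audit_refs` and the sample `PERSON` schema are constructed for this illustration.

```python
from urllib.parse import urljoin, urldefrag


class UntrustedReference(Exception):
    """Raised when a $ref points at a resource that was not supplied locally."""


class OfflineRegistry:
    """Resolves $ref only against schemas registered up front; never fetches."""

    def __init__(self):
        self._schemas = {}

    def add(self, schema, base_uri=""):
        # Key the schema by its absolute $id (resolved against base_uri), or by base_uri.
        uri, _ = urldefrag(urljoin(base_uri, schema.get("$id", "")))
        if not uri:
            raise ValueError("schema needs an absolute $id or a base_uri")
        self._schemas[uri] = schema
        return uri

    def resolve(self, ref, base_uri):
        # Resolve to an absolute URI, then look it up in the local table. No scheme
        # (https, file, ...) is ever handed to a fetcher, whatever the schema says.
        target, fragment = urldefrag(urljoin(base_uri, ref))
        if target not in self._schemas:
            raise UntrustedReference(f"refusing to fetch {target}: not pre-registered")
        node = self._schemas[target]
        if not fragment:
            return node
        if not fragment.startswith("/"):
            raise UntrustedReference(f"plain-name anchor {fragment!r} not supported here")
        for token in fragment.split("/")[1:]:  # RFC 6901 JSON Pointer walk
            token = token.replace("~1", "/").replace("~0", "~")
            node = node[int(token)] if isinstance(node, list) else node[token]
        return node


def audit_refs(schema, registry, base_uri):
    """Return every $ref that would need a fetch; an empty list means safe to load.
    Nested $id keywords that change the base URI are not handled here."""
    unresolved = []

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("$ref"), str):
                try:
                    registry.resolve(node["$ref"], base_uri)
                except UntrustedReference:
                    unresolved.append(node["$ref"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(schema)
    return unresolved


# Constructed sample: the local $ref resolves; the one to another host is reported.
PERSON = {"$id": "https://example.com/schemas/person.json",
          "$defs": {"name": {"type": "string"}},
          "properties": {"name": {"$ref": "#/$defs/name"},
                         "address": {"$ref": "https://other.example/address.json"}}}
REGISTRY = OfflineRegistry()
PERSON_URI = REGISTRY.add(PERSON)
```

Running `audit_refs(PERSON, REGISTRY, PERSON_URI)` before validation lets a caller refuse the schema outright instead of discovering the external reference mid-validation.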

Go for it. I'm spinning wheels with this one.

gregsdennis avatar Jun 10 '25 22:06 gregsdennis