json-schema-validator
Proper way to disallow remote references?
I am wondering if there is a feature flag in the library to disallow remote references during validation?
For example, only internal references are allowed:
```json
{
  "definitions": {
    "pet": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "breed": { "type": "string" }
      },
      "required": ["name", "breed"]
    }
  },
  "type": "object",
  "properties": {
    "cat": { "$ref": "#/definitions/pet" },
    "dog": { "$ref": "#/definitions/pet" }
  }
}
```
External file references and remote URL references are not allowed:
```json
{
  "id": "http://app.dev/api/albums.json",
  "type": "array",
  "items": {
    "$ref": "./album.json"
  }
}
```
Currently, remote reference is automatically resolved before the validators are applied. If you want to avoid remote references in the schema when using OpenAPI specification, the openapi-bundler might help. The same concept can be used for pure schemas with a slight adjustment. May I know your use case a little better? Do you just want to avoid remote references in the schema? Thanks.
Yes, we just want to avoid any remote reference in the JSONSchema. Only internal reference will be resolved.
We have network restricted use case so that when we validate the JSONSchema we don't want to retrieve from the web. Therefore, we want to ignore the remote references during validation.
I don't think it is a good idea to just ignore the remote references as the JSON schema validation will fail at runtime. You should focus on resolving the remote references before invoking the schema validator.
How do we protect against malicious contents that may be retrieved from external references?
You need to convert the external reference to internal.
In our case, the schemas are sent by a third party, we would not want to rely on open internet, and hence were checking if there is a way we could restrict or feature flag remote schema resolutions.
OK. I understand your use case now. There are several options that I can think of.
- Make sure that your server doesn't have access to the Internet, so all remote references will fail.
- Add a pre-processor to handle the remote references to return an error to the client who provides the schema.
- Update this library to return a validation error if one remote reference is encountered. Of course, this behaviour should be enabled from the config as this is not the default.
What do you think?
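The pre-processor option listed above (reject a third-party schema that carries any remote reference before the validator ever resolves it), as an added example that is not code from the json-schema-validator project; it is written in Python as a language-neutral sketch rather than against the library's Java API, and the two sample schemas are the ones quoted in this issue.

```python
import json

# Constructed sample inputs: the two schemas discussed in this issue.
INTERNAL_ONLY = """{
  "definitions": {"pet": {"type": "object",
    "properties": {"name": {"type": "string"}, "breed": {"type": "string"}},
    "required": ["name", "breed"]}},
  "type": "object",
  "properties": {"cat": {"$ref": "#/definitions/pet"},
                 "dog": {"$ref": "#/definitions/pet"}}
}"""

REMOTE_REF = """{
  "id": "http://app.dev/api/albums.json",
  "type": "array",
  "items": {"$ref": "./album.json"}
}"""


def find_remote_refs(node, path="#"):
    """Return [(json_pointer, ref), ...] for every $ref that leaves the document.

    Only a $ref starting with '#' stays inside the document; anything else
    ('./album.json', 'http://...', 'album.json#/x') makes a resolver read a file
    or open a network connection. The walk is deliberately conservative: a
    '$ref' inside an 'enum' literal is flagged too, which is the safe direction
    for a deny-by-default check on third-party input.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            # RFC 6901 escaping so the reported pointer is unambiguous.
            child = f"{path}/{key.replace('~', '~0').replace('/', '~1')}"
            if key == "$ref" and isinstance(value, str) and not value.startswith("#"):
                found.append((path, value))
            else:
                found.extend(find_remote_refs(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_remote_refs(item, f"{path}/{index}"))
    return found


def remote_refs_in(schema_text):
    """Parse untrusted schema text and list its remote references."""
    return find_remote_refs(json.loads(schema_text))


def is_internal_only(schema_text):
    """True when the schema can be validated without file or network access."""
    return not remote_refs_in(schema_text)
```

Run the check on the incoming schema text and return the listed pointers to the client as the error; only schemas for which `is_internal_only` holds are handed to the validator.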
The 3rd option looks good. How do you recommend to proceed?
Add a config flag in this class and make the change based on the flag:
https://github.com/networknt/json-schema-validator/blob/master/src/main/java/com/networknt/schema/SchemaValidatorsConfig.java
In addition to the above, we now support URI translations. This can be used to map the URI's scheme to either resource or classpath to load them from an internal resource. If you want to raise an exception, you can also do that in a URITranslator.