Skip to content

Security considerations should mention treating URIs as URLs (from $ref and $schema) #1231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Relequestual opened this issue May 19, 2022 · 2 comments · May be fixed by #1600
Open

Security considerations should mention treating URIs as URLs (from $ref and $schema) #1231

Relequestual opened this issue May 19, 2022 · 2 comments · May be fixed by #1600
Milestone
stable-release

Comments

@Relequestual
Copy link
Member

Related json-schema-org/community#176
@karenetheridge
Copy link
Member

We mention earlier on that it is NOT required for an implementation to support loading resources from the web (https://json-schema.org/draft/2020-12/json-schema-core.html#rfc.section.8.2.3), but this may not be prominent enough as a warning; we could do with repeating it in the security section. (And possibly generalize to loading from anywhere, including disk.)

@awwright
Copy link
Member

Yeah, specifically mention the risks of loading resources controlled by third parties, as well as performance and privacy concerns. e.g. validation that relies on network operations can potentially be blocked by DoS attacks.

Network operations should be limited to hypermedia APIs and similar applications where this risk already exists and is built into the architecture. We sort of mention this in the appropriate sections, but it can be duplicated in security concerns.

@gregsdennis gregsdennis mentioned this issue Sep 14, 2023
Merged
@gregsdennis gregsdennis added this to the stable-release milestone Jun 18, 2024
@gregsdennis gregsdennis moved this to Awaiting PR in Stable Release Development Jun 18, 2024
@gregsdennis gregsdennis moved this to In Discussion in Proposal: Referencing Update Jul 17, 2024
@gregsdennis gregsdennis moved this from Awaiting PR to In Discussion in Stable Release Development Aug 17, 2024
@gregsdennis gregsdennis moved this from In Discussion to Awaiting PR in Stable Release Development Apr 26, 2025
@gregsdennis gregsdennis moved this from Awaiting PR to In Progress in Stable Release Development Apr 26, 2025
@gregsdennis gregsdennis linked a pull request Apr 26, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Proposal: Referencing Update
Status: In Discussion
Stable Release Development
Status: In Progress
Milestone
stable-release
Development

Successfully merging a pull request may close this issue.

add security note about accessing urls json-schema-org/json-schema-spec
5 participants
@karenetheridge @awwright @Relequestual @handrews @gregsdennis