Page MenuHomePhabricator

Security review of json-schema
Closed, ResolvedPublic

Event Timeline

csteipp created this task.Mar 10 2016, 12:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2016, 12:04 AM
dpatrick added a subscriber: dpatrick.

This is in progress!

Overall this looks good, and no major issues were found other than what is listed below. As long as schema locations are validated and/or limited to known locations, this should be fine.

General Observations

  • Positive
    • Code is well-commented and well-documented
    • Upstream project remains under active development
  • Negative
    • Library may be used to make requests to arbitrary URLs, if user-supplied input is used directly to determine schema locations

Configuration and Use Recommendations

Avoid loading of remote files, and remote reference resolution if possible. If this is required functionality, use the JsonSchema\Uri\Retrievers\Curl and ensure that reference resolution is limited to prevent DoS via recursive expansion. Validate input supplied as schema locations to prevent arbitrary requests via UriRetrievers.

dpatrick closed this task as Resolved.Jun 29 2016, 5:34 PM
dpatrick added a subscriber: MaxSem.

@MaxSem I just realized that only me and @csteipp are subscribed to this security review bug. I wanted to make sure you saw it.

Yep, we went live next day:P