Page MenuHomePhabricator
Create Task
Maniphest T129426

Security review of json-schema
Closed, ResolvedPublic
Actions

Description

https://gerrit.wikimedia.org/r/#/c/269325/

Event Timeline

csteipp created this task.Mar 10 2016, 12:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2016, 12:04 AM
csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Apr 5 2016, 11:56 PM
dpatrick claimed this task.Apr 25 2016, 6:20 PM
dpatrick subscribed.

This is in progress!

csteipp moved this task from Scheduled to In Progress on the deprecated-security-team-reviews board.Apr 28 2016, 1:45 AM
dpatrick added a comment.May 3 2016, 5:50 PM

Overall this looks good, and no major issues were found other than what is listed below. As long as schema locations are validated and/or limited to known locations, this should be fine.

General Observations

  • Positive
    • Code is well-commented and well-documented
    • Upstream project remains under active development
  • Negative
    • Library may be used to make requests to arbitrary URLs, if user-supplied input is used directly to determine schema locations

Configuration and Use Recommendations

Avoid loading of remote files, and remote reference resolution if possible. If this is required functionality, use the JsonSchema\Uri\Retrievers\Curl and ensure that reference resolution is limited to prevent DoS via recursive expansion. Validate input supplied as schema locations to prevent arbitrary requests via UriRetrievers.

dpatrick moved this task from Incoming to Our Part Is Done on the Security-Team board.May 9 2016, 6:17 PM
dpatrick closed this task as Resolved.Jun 29 2016, 5:34 PM
dpatrick added a subscriber: MaxSem.

@MaxSem I just realized that only me and @csteipp are subscribed to this security review bug. I wanted to make sure you saw it.

MaxSem added a comment.Jun 29 2016, 5:36 PM

Yep, we went live next day:P

sbassett moved this task from In Progress to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:15 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits