Page MenuHomePhabricator

Security review of json-schema
Closed, ResolvedPublic

Event Timeline

Overall this looks good, and no major issues were found other than what is listed below. As long as schema locations are validated and/or limited to known locations, this should be fine.

General Observations

  • Positive
    • Code is well-commented and well-documented
    • Upstream project remains under active development
  • Negative
    • Library may be used to make requests to arbitrary URLs, if user-supplied input is used directly to determine schema locations

Configuration and Use Recommendations

Avoid loading of remote files, and remote reference resolution if possible. If this is required functionality, use the JsonSchema\Uri\Retrievers\Curl and ensure that reference resolution is limited to prevent DoS via recursive expansion. Validate input supplied as schema locations to prevent arbitrary requests via UriRetrievers.

dpatrick added a subscriber: MaxSem.

@MaxSem I just realized that only me and @csteipp are subscribed to this security review bug. I wanted to make sure you saw it.