From 160b151bc35e99157ebad517b6bb712c790a8516 Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Sat, 26 Apr 2025 21:18:19 +1200 Subject: [PATCH 1/6] add security note about accessing urls --- specs/jsonschema-core.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 3154ae5e..8d4a8f7c 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md @@ -1990,6 +1990,12 @@ A malicious schema author could place executable code or other dangerous material within a `$comment`. Implementations MUST NOT parse or otherwise take action based on `$comment` contents. +When encoutering an IRI that is also a valid URL, implementations SHOULD NOT +presume a network operation should be performed. Implementations which have +access to the internet SHOULD default to operating offline. Network operations +should be limited to hypermedia APIs and similar applications where this risk +already exists and is built into the architecture. + ## IANA Considerations ### `application/schema+json` From 6ef050fbbe32138ba3257c5d2fe91f2255765e9a Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Sat, 3 May 2025 12:46:48 +1200 Subject: [PATCH 2/6] update security note on URL access to actually address security issues --- specs/jsonschema-core.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 8d4a8f7c..1160eb78 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md 
@@ -1990,11 +1990,12 @@ A malicious schema author could place executable code or other dangerous material within a `$comment`. Implementations MUST NOT parse or otherwise take action based on `$comment` contents. -When encoutering an IRI that is also a valid URL, implementations SHOULD NOT -presume a network operation should be performed. Implementations which have -access to the internet SHOULD default to operating offline. Network operations -should be limited to hypermedia APIs and similar applications where this risk -already exists and is built into the architecture. +When encountering an IRI that also represents a valid file system or network +location, implementations are discouraged to automatically an operation to +access that location. Schema authors should take care when configuring +implementations to operate over a file system or network as this could expose +the host system to various security vulnerabilities, such as man-in-the-middle +attacks or data leaks. ## IANA Considerations From 723702807f89013f92a8604487f653b7dfb4f16f Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Thu, 8 May 2025 09:31:09 +1200 Subject: [PATCH 3/6] Update specs/jsonschema-core.md Co-authored-by: Ben Hutton --- specs/jsonschema-core.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 1160eb78..36eaabb5 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md 
@@ -1991,7 +1991,7 @@ material within a `$comment`. Implementations MUST NOT parse or otherwise take action based on `$comment` contents. When encountering an IRI that also represents a valid file system or network -location, implementations are discouraged to automatically an operation to +location, implementations are discouraged from automatically making an operation to access that location. Schema authors should take care when configuring implementations to operate over a file system or network as this could expose the host system to various security vulnerabilities, such as man-in-the-middle From 522b4ef518a517cc5b77598b8b396327b7ede821 Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Sat, 17 May 2025 09:47:21 +1200 Subject: [PATCH 4/6] remove mention of specific attacks --- specs/jsonschema-core.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 36eaabb5..1b1b3de9 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md @@ -1994,8 +1994,7 @@ When encountering an IRI that also represents a valid file system or network location, implementations are discouraged from automatically making an operation to access that location. Schema authors should take care when configuring implementations to operate over a file system or network as this could expose -the host system to various security vulnerabilities, such as man-in-the-middle -attacks or data leaks. +the host system. ## IANA Considerations From 823d864ee28b1e3ea1416341fa1b3e6bad49bae2 Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Sun, 8 Jun 2025 11:12:56 +1200 Subject: [PATCH 5/6] Update specs/jsonschema-core.md Co-authored-by: Jason Desrosiers --- specs/jsonschema-core.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 1b1b3de9..78c59886 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md 
@@ -1992,7 +1992,9 @@ action based on `$comment` contents. When encountering an IRI that also represents a valid file system or network location, implementations are discouraged from automatically making an operation to -access that location. Schema authors should take care when configuring +access that location. Implementations that choose to support retrieval over untrusted +connections should require users to configure the implementation to enable that +functionality. implementations to operate over a file system or network as this could expose the host system. From d867301ced971f51b617da96b0ceb9566efd82b8 Mon Sep 17 00:00:00 2001 From: Greg Dennis Date: Sun, 8 Jun 2025 11:16:13 +1200 Subject: [PATCH 6/6] update security paragraph after suggestion commit --- specs/jsonschema-core.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/specs/jsonschema-core.md b/specs/jsonschema-core.md index 78c59886..8b241469 100644 --- a/specs/jsonschema-core.md +++ b/specs/jsonschema-core.md @@ -1991,12 +1991,10 @@ material within a `$comment`. Implementations MUST NOT parse or otherwise take action based on `$comment` contents. When encountering an IRI that also represents a valid file system or network -location, implementations are discouraged from automatically making an operation to -access that location. Implementations that choose to support retrieval over untrusted -connections should require users to configure the implementation to enable that -functionality. -implementations to operate over a file system or network as this could expose -the host system. +location, implementations are discouraged from automatically making an operation +to access that location. Implementations that choose to support retrieval over +untrusted connections should require users to configure the implementation to +enable that functionality. ## IANA Considerations
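Review bot: "encoutering" in the first added line of the PATCH 1/6 hunk is a typo for "encountering". In the same paragraph, "SHOULD NOT presume" and "SHOULD default" use RFC 2119 keywords while "should be limited to hypermedia APIs" is lowercase, which in a spec reads as a deliberately weaker requirement; either capitalize it or rephrase that last sentence as an explicitly non-normative note.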
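Review bot: the added text in the PATCH 2/6 hunk is missing a verb: "implementations are discouraged to automatically an operation to access that location" needs something like "discouraged from automatically performing an operation to access that location". Also, "Schema authors should take care when configuring implementations" names the wrong party: the person who configures an implementation to read from a file system or network is its user or operator, and the preceding sentence already treats the schema author as the potentially malicious actor, so this sentence should address implementation users instead. The rewrite also drops the SHOULD NOT of the previous wording in favour of "are discouraged", which is non-normative; if that downgrade is intended, it is worth stating in the commit message.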
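Review bot: the replacement line in the PATCH 3/6 hunk, "location, implementations are discouraged from automatically making an operation to", runs past the wrap width used by the surrounding lines and should be re-wrapped; "making an operation" also reads awkwardly, and "performing an operation" or simply "automatically accessing that location" would be clearer.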
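Review bot: after the PATCH 4/6 hunk removes the attack examples, the sentence ends "as this could expose the host system." with no object, so it no longer says what the host is exposed to; "expose the host system to security risks" (or similar) keeps the warning intact without naming specific attacks.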
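Review bot: the PATCH 5/6 hunk replaces only the line "access that location. Schema authors should take care when configuring" but leaves its continuation lines "implementations to operate over a file system or network as this could expose" and "the host system." in place, so the paragraph now ends with a sentence fragment beginning "implementations to operate over"; the suggestion needs to replace the whole sentence, not just its first line.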
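Review bot: in the final text of the PATCH 6/6 hunk the first sentence covers both "file system or network" locations, but the opt-in requirement in the second sentence only mentions "retrieval over untrusted connections", which leaves file system access without the same require-explicit-configuration guidance; consider "retrieval from a file system or over a network" (or "from any external location") so both cases are covered. The paragraph also stays at "are discouraged from" while the `$comment` sentence directly above uses MUST NOT; if a normative keyword is wanted here, SHOULD NOT would match the document's conventions.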