-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Insecure Default Resolver Behavior #222
Comments
Anyone got a pull request? This library has been going for donkeys years without this, so that suggests people are sanetizing their own inputs, but if you need the library to make it safe by default I'd really appreciate a pull request. I make absolutely nothing from this and its taking time out of tree planting or paid work, time I don't have. |
The way we mitigated it ( P.s.: Thanks a lot for this library. |
That would be great! Letting people know they can do that is handy, and it avoids the issue of disabling it by default and causing issues for people who $ref URLs that might not have extensions in (I've seen that done). |
The related pull request: #236 |
I have noticed that by default the library (tested with version
10.1.0
) is willing to resolve just any files pointed to by$ref
. This can be a problem if the library is used by something that:For example, given the below OpenAPI document
If we just do the below
We will get (showing just a snippet of the processed document to keep it short):
I have checked the different configuration options available and I found that things can be somewhat mitigated by configuring the file resolver as shown below.
In this case, the library is only willing to work with
yml
andjson
files, giving this result:At the same time, it is still possible to get any JSON or YAML files opened on the file system. Someone malicious could use this to gain access to sensitive data (e.g. credentials) in JSON or YAML files if:
server
specified in the OpenAPI docAs can be seen, there are plenty of ifs, but depending on the use case things can get problematic.
My recommendation would be (without intimately being familiar with the library) to:
options.resolve.file.canRead
set to['.yml', '.yaml', '.json']
by default. I mean, this should be the default behavior.options.resolve.file.basePath
that allows defining a path from which the library is willing to load/resolve files. The library would refuse to load/resolve any files outside of the specified directory or directories.The text was updated successfully, but these errors were encountered: