massdriver-cloud / massdriver-cli

Deprecated. See https://github.com/massdriver-cloud/mass
https://massdriver.cloud
Apache License 2.0

SSRF vulnerability in hydrating schema refs #43

Open jaketf opened 2 years ago

jaketf commented 2 years ago

Currently we have a minor vulnerability where we do a GET on whatever a bundle author puts in a schema ref. Probably not the worst attack surface, but could be an opportunity to check "hey, does this look like a legit schema ref URL?" Could perhaps have a value of allowed domain names or something.

I found this while trying to enable gosec linter https://securego.io/docs/rules/g107.html

https://github.com/massdriver-cloud/massdriver-cli/blob/911a7ac116b4c9b24966385087e762d6141fbc3d/pkg/jsonschema/hydrate.go#L68

coryodaniel commented 2 years ago

End users can manage their own libraries of “types” to ref into their schemas. What’s the best approach if we are agnostic about where the json comes from?

jaketf commented 2 years ago

Hmm, I think we could have an org level setting captured in the API that could allow that domain (in addition to the list of domains we allow for everyone).
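A sketch of the allowlist gate the thread converges on (a global list of hosts plus a per-org list), written as an added example in Go rather than taken from massdriver-cli; `RefPolicy`, `CheckRef` and the hostnames are hypothetical, and the check is meant to run before the hydrator issues any GET for a remote `$ref`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RefPolicy is a hypothetical allowlist: hosts every org may fetch schemas
// from, plus hosts a single org has registered for its own type library.
type RefPolicy struct {
	GlobalHosts []string
	OrgHosts    []string
}

// hostAllowed matches the host exactly or as a subdomain of an allowed entry,
// so "json-schema.org.attacker.example" does not pass for "json-schema.org".
func hostAllowed(host string, allowed []string) bool {
	host = strings.ToLower(host)
	for _, a := range allowed {
		a = strings.ToLower(a)
		if host == a || strings.HasSuffix(host, "."+a) {
			return true
		}
	}
	return false
}

// CheckRef decides whether a remote $ref may be fetched. Local refs such as
// "#/definitions/x" are expected to be resolved before this is called; here
// anything that is not an absolute https URL on an allowed host is rejected,
// and embedded credentials are refused so a ref cannot smuggle userinfo.
func CheckRef(raw string, p RefPolicy) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable ref %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("ref %q: scheme %q not allowed", raw, u.Scheme)
	}
	if u.User != nil {
		return fmt.Errorf("ref %q: credentials in URL not allowed", raw)
	}
	host := u.Hostname()
	if host == "" || (!hostAllowed(host, p.GlobalHosts) && !hostAllowed(host, p.OrgHosts)) {
		return fmt.Errorf("ref %q: host %q not in allowlist", raw, host)
	}
	return nil
}

func main() {
	// Constructed policy: one globally trusted host, one org-registered host.
	p := RefPolicy{GlobalHosts: []string{"json-schema.org"}, OrgHosts: []string{"schemas.example.com"}}
	fmt.Println(CheckRef("https://types.schemas.example.com/vm.json", p)) // <nil>
	fmt.Println(CheckRef("https://untrusted.example.net/vm.json", p))     // not in allowlist
}
```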