santhosh-tekuri / jsonschema

JSONSchema (draft 2020-12, draft 2019-09, draft-7, draft-6, draft-4) Validation using Go
Apache License 2.0

Error messages are revealing absolute file paths #165

Closed crowdwave closed 5 months ago

crowdwave commented 6 months ago

Hello

The error output seems to be revealing absolute file path information of the system that it is running on, which is not ideal from a security perspective.

Is it possible to reveal only the relative file path?

{
    "errors": [
        "{ file:///home/ubuntu/youvalidateme/inline#  doesn't validate with file:///home/ubuntu/youvalidateme/inline#}",
        "{/properties/channel_name/pattern file:///home/ubuntu/youvalidateme/inline#/properties/channel_name/pattern /channel_name does not match pattern '^[a-zA-Z0-9-_\\' ]*$'}"
    ],
    "result": "Validation failed"
}
santhosh-tekuri commented 5 months ago

File URLs always contain absolute paths. Even if the display string in the error message is changed, that does not solve the purpose; someone could load an arbitrary file from your system by using $ref as shown below

{
   "$ref": "file:///path/to/secret/file"
}

So the correct solution is to use a custom loader with a custom URL scheme.

Say you have all schemas in some directory; you can use a custom URL like schemas://path/to/schema.json

Use Compiler.LoadURL to load the schema from that specific directory.
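Added example (not the project's or the maintainer's code) of the loader described above: a schemas:// scheme confined to one directory, written in the func(string) (io.ReadCloser, error) shape that the v5 Compiler.LoadURL field takes (assumed from the v5 API; the names NewSchemaLoader, ErrSchemeNotAllowed and ErrOutsideRoot are hypothetical). It refuses file:// references outright and any reference whose resolved path leaves the schema directory, so neither a $ref nor an error message ever carries a host path.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/url"
	"os"
	"path"
	"path/filepath"
	"strings"
)

var ErrSchemeNotAllowed = errors.New("only the schemas:// scheme is allowed")
var ErrOutsideRoot = errors.New("reference escapes the schema directory")

// NewSchemaLoader has the shape of jsonschema v5's Compiler.LoadURL field (assumed API).
// It serves schemas://<relative/path> from files under root (pass an absolute directory)
// and refuses every other scheme, so a schema cannot $ref file:///... on the host.
func NewSchemaLoader(root string) func(string) (io.ReadCloser, error) {
	absRoot := filepath.Clean(root)
	return func(s string) (io.ReadCloser, error) {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		if u.Scheme != "schemas" {
			return nil, fmt.Errorf("%w: %s", ErrSchemeNotAllowed, s)
		}
		// url.Parse puts the first segment of schemas://a/b.json into u.Host. Join
		// cleans the path, so any ".." has already climbed out of root by now and
		// the prefix check on the final path catches it however it was written.
		full := filepath.Join(absRoot, filepath.FromSlash(path.Join(u.Host, u.Path)))
		if !strings.HasPrefix(full, absRoot+string(filepath.Separator)) {
			return nil, fmt.Errorf("%w: %s", ErrOutsideRoot, s)
		}
		return os.Open(full)
	}
}

func main() {
	dir, _ := os.MkdirTemp("", "schemas") // constructed schema directory for the demo
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "person.json"), []byte(`{"type":"object"}`), 0o600)
	load := NewSchemaLoader(dir) // v5 wiring: c := jsonschema.NewCompiler(); c.LoadURL = load
	for _, ref := range []string{"schemas://person.json", "file:///etc/hostname", "schemas://../../x.json"} {
		_, err := load(ref)
		fmt.Println(ref, "->", err) // <nil> only for the in-tree schema
	}
}
```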