swaggest / php-json-schema

High definition PHP structures with JSON-schema based validation

MIT License

446 stars 51 forks source link

repair BasicFetcher #84

Closed filipekp closed 5 years ago

filipekp commented 5 years ago

$ref for external https remote source

codecov[bot] commented 5 years ago

Codecov Report

Merging #84 into master will increase coverage by <.01%. The diff coverage is 75%.

@@            Coverage Diff             @@
##           master      #84      +/-   ##
==========================================
+ Coverage   90.01%   90.01%   +<.01%     
==========================================
  Files          27       27              
  Lines        1602     1603       +1     
==========================================
+ Hits         1442     1443       +1     
  Misses        160      160

Impacted Files	Coverage Δ
src/RemoteRef/BasicFetcher.php	`80% <75%> (+5%)`	:arrow_up:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update fbe3d32...d5a2fc1. Read the comment docs.

vearutop commented 5 years ago

Not sure what is making those leading spaces, but no worries, I'll fix myself later. :)

vearutop commented 5 years ago

Thank you, tagged v0.12.17.

cs278 commented 5 years ago

This change disables SSL/TLS certificate validation?!

vearutop commented 5 years ago

Yes, it is quite common to have self-signed certs for internal services, so allowing invalid certificates by default removes some friction.

But now, that you asked this question with exclamation mark, I start thinking that maybe the security cost is underestimated. 🤔

@cs278 could you expand your concern (if any) in context of your use case?

May be this change has to be reimplemented as an explicit UnsafeFetcher.

martin-juul commented 4 years ago

Usually you would trust your self signed root ca on your host.