OAS Security Considerations #3037

Closed
darrelmiller opened this issue Sep 29, 2022 · 2 comments · Fixed by #3488
Labels: security: meta (Metadata in and about the specification), security

Comments

@darrelmiller
Member

Aimed at the tooling creators to protect the users of their tools from maliciously created OAS descriptions.

  • loading external references
  • JSON Schemas use of regex
  • Markdown content in descriptions, e.g. HTML scripts
  • Parsers must detect infinite loops
  • YAML - JSON Schema Subset
  • Server URLs
  • Information considered sensitive can be filtered out for a target audience
@darrelmiller darrelmiller self-assigned this Sep 29, 2022
@kevinswiber
Contributor

OAS inherits security considerations from YAML and JSON.

JSON Security Considerations from RFC 8259

YAML billion laughs attack

```yaml
lol1: &lol1 ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1]
lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2]
lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3]
lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4]
lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5]
lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6]
lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7]
lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8]
lolz: &lolz [*lol9]
```

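A pre-load budget check for exactly this pattern, added here as an example that is not part of the issue thread and not the OAS project's code: it computes, from the anchor graph alone, how many scalars each anchor would contain once every alias is expanded, so a tool can refuse the document before any expansion happens. It understands only the flow-sequence subset the quoted document uses; the regex, the 100,000-scalar budget and the benign sample document are assumptions.

```python
import re

# Constructed inputs: the billion-laughs document quoted in the comment above and a
# harmless document that also uses anchors and aliases.
BILLION_LAUGHS = """\
lol1: &lol1 ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
lol2: &lol2 [*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1,*lol1]
lol3: &lol3 [*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2,*lol2]
lol4: &lol4 [*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3,*lol3]
lol5: &lol5 [*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4,*lol4]
lol6: &lol6 [*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5,*lol5]
lol7: &lol7 [*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6,*lol6]
lol8: &lol8 [*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7,*lol7]
lol9: &lol9 [*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8,*lol8]
lolz: &lolz [*lol9]
"""
BENIGN = 'servers: &servers ["https://api.example.test", "https://staging.example.test"]\nmirrors: &mirrors [*servers, *servers]\n'

# One top-level mapping entry whose value is a flow sequence, optionally anchored.
# Deliberately narrow (assumption): only this subset is understood; anything else is rejected.
ENTRY_RE = re.compile(r"^\s*[^\s#:][^:]*:\s*(?:&(?P<anchor>[\w-]+)\s*)?\[(?P<body>.*)\]\s*$")

def anchor_sizes(doc: str) -> dict:
    """Per anchor, the number of scalars it would hold after full alias expansion.
    Computed arithmetically from the anchor graph, so nothing is ever expanded."""
    sizes = {}
    for line in doc.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unsupported line for this checker: %r" % line)
        size = 0
        for item in m.group("body").split(","):  # assumes no commas inside quoted scalars
            item = item.strip()
            if item.startswith("*"):
                size += sizes[item[1:]]  # KeyError: alias used before its anchor is defined
            elif item:
                size += 1
        if m.group("anchor"):
            sizes[m.group("anchor")] = size
    return sizes

def within_alias_budget(doc: str, max_scalars: int = 100_000) -> bool:
    """True when no anchor would expand past max_scalars; load the document only then."""
    return max(anchor_sizes(doc).values(), default=0) <= max_scalars
```

For the quoted document the check reports 9**9 scalars behind `lolz` and rejects it without allocating any of them; a real loader should additionally enforce the same budget during construction, since this pre-check covers only the flow-sequence subset.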
@MikeRalphson
Member

Incorrect input sanitization in code-generator tools can result in generated code being poisoned. See https://github.com/Mermade/openapi3-examples/tree/master/3.0/malicious
