
Added security considerations document #3488

Merged
merged 8 commits into from
Mar 3, 2024
6 changes: 6 additions & 0 deletions SECURITY_CONSIDERATIONS.md
@@ -0,0 +1,6 @@
# Security Considerations

OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259)
In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used.
OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion.
Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown.
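Review bot: the second paragraph opens with a typo, "In additional" should read "In addition". In the first paragraph the four reference links are appended after the sentence with no punctuation or list structure, so they render as one run-on line; either make them a bulleted list under the paragraph or fold them into the sentence ("see JSON Schema Core, JSON Schema Validation, YAML and JSON" with the links attached). In the third paragraph "Tooling must detect and handle cycles" is the document's only normative requirement, while the preceding sentence about external resources on untrusted domains draws no conclusion; it would be consistent to add a matching statement that tooling should not dereference external resources without the user being aware of it. The last paragraph says "Certain properties allow the use of Markdown" without identifying which properties those are; since the whole point of that paragraph is that tooling must sanitize them, naming or linking the affected fields would let implementers find them.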