Stranger6667/jsonschema

Exclude reflected value in error format?


I was taught long ago never to reflect a user-entered value in a validation error message, as in the case below, where schemars returns the invalid user-entered string "asdfasdfasdf" in the error message.

[Screenshot of the error message]

Most of the reasoning has to do with reflection attacks. You know the value is invalid, potentially for security reasons. It opens up the possibility of cross-site scripting. (OWASP's guidelines do mention error reflection as a potential issue.) Even if our own implementation of error handling is fine, we're making an API that might be implemented by clients who don't properly handle them (they might, say, directly insert the error message into the DOM, resulting in XSS).


It's also possible that you'll reflect back a value that the user doesn't want to see again, such as an API secret or a password. You might be logging errors, and end up storing secrets inappropriately. Or even if you aren't logging errors in this way, clients using your API might.


I'd like to turn off error value reflection. Is this possible?

Hi! I think it would be a great idea to make this configurable (at least), and I’d be happy to review a PR on that matter. Seems like it should be a relatively straightforward implementation - it could be a flag that we can keep in the schema instance, and write an alternative formatting adapter for `ValidationError`.
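
The following sketch is an added illustration of the "alternative formatting adapter" idea from this thread, not code from the jsonschema crate or from either participant. The `ValidationError`, `Kind` and `Masked` types and the sample value are hypothetical stand-ins constructed for the example.

```rust
use std::fmt;

// Hypothetical stand-ins for a validator's error type (not the jsonschema crate's API).
#[allow(dead_code)]
enum Kind {
    MaxLength(usize),
    Pattern(&'static str),
}

struct ValidationError {
    instance: String,            // offending user-supplied value, as JSON text
    instance_path: &'static str, // JSON Pointer to that value
    kind: Kind,
}

// Reflecting formatter: the invalid value is copied into the message.
impl fmt::Display for ValidationError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match &self.kind {
            Kind::MaxLength(n) => write!(f, "{} is longer than {} characters", self.instance, n),
            Kind::Pattern(p) => write!(f, "{} does not match \"{}\"", self.instance, p),
        }
    }
}

// Formatting adapter: wraps the same error but prints only the location and
// the violated constraint, never the submitted value.
struct Masked<'a>(&'a ValidationError);

impl fmt::Display for Masked<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let e = self.0;
        match &e.kind {
            Kind::MaxLength(n) => write!(f, "value at \"{}\" is longer than {} characters", e.instance_path, n),
            Kind::Pattern(p) => write!(f, "value at \"{}\" does not match \"{}\"", e.instance_path, p),
        }
    }
}

// Constructed sample: a secret-looking string submitted in a field limited to 8 characters.
fn sample() -> ValidationError {
    ValidationError {
        instance: "\"hunter2-CONSTRUCTED-SECRET\"".to_string(),
        instance_path: "/api_key",
        kind: Kind::MaxLength(8),
    }
}

fn main() {
    let err = sample();
    println!("reflecting: {}", err);
    println!("masked:     {}", Masked(&err));
}
```

The instance path is built from keys in the submitted document, so where a schema allows arbitrary property names the path is user-controlled as well and needs the same output encoding before it reaches a log or a page.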