Error messages are revealing absolute file paths
Closed this issue · 1 comment
crowdwave commented
Hello
The error output seems to be revealing absolute file path information of the system that it is running on which is not ideal from a security perspective.
Is it possible to reveal only the relative file path?
{
"errors": [
"{ file:///home/ubuntu/youvalidateme/inline# doesn't validate with file:///home/ubuntu/youvalidateme/inline#}",
"{/properties/channel_name/pattern file:///home/ubuntu/youvalidateme/inline#/properties/channel_name/pattern /channel_name does not match pattern '^[a-zA-Z0-9-_\\' ]*$'}"
],
"result": "Validation failed"
}
santhosh-tekuri commented
File URLs always contain absolute paths. Even if the display string in the error message is changed, that does not solve the purpose; someone could load an arbitrary file from your system by using $ref,
as shown below:
{
"$ref": "file:///path/to/secret/file"
}
So the correct solution is to use a custom loader with a custom URL scheme.
Say you have all schemas in some directory; you can use a custom URL like schemas://path/to/schema.json.
Use Compiler.LoadURL
to load the schema from that specific directory.
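The following is an added example of the loader the maintainer describes; it is not code from the jsonschema project or from either commenter. It is standard-library Go only: a loader that serves `schemas://relative/path.json` from one fixed directory, refuses every other scheme (so `"$ref": "file:///path/to/secret/file"` fails instead of reading the file), and rejects `..` traversal out of that directory. The closure has the shape `func(string) (io.ReadCloser, error)`, which this example assumes is the type of `Compiler.LoadURL` in the library version the thread refers to; check that against the version you use. The schema directory, the `channel.json` file and the sample refs are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// Errors returned for refs the loader refuses to follow.
var (
	ErrForbiddenScheme = errors.New("schema loader: only the schemas:// scheme is allowed")
	ErrEscapesRoot     = errors.New("schema loader: path escapes the schema directory")
)

// ResolveSchemaPath maps a URL of the form schemas://relative/path.json to a
// file path beneath root. Any other scheme (file://, http://, ...) is refused,
// and a path that would climb out of root after cleaning is refused, so an
// untrusted "$ref" cannot select arbitrary files on the host. A fragment
// (#/definitions/x) is ignored: it addresses a location inside the document.
func ResolveSchemaPath(root, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "schemas" {
		return "", fmt.Errorf("%w (got %q)", ErrForbiddenScheme, u.Scheme)
	}
	// url.Parse splits schemas://path/to/x.json into Host "path" and
	// Path "/to/x.json"; the two together are the directory-relative path.
	rel := strings.TrimPrefix(u.Host+u.Path, "/")
	clean := filepath.Clean(filepath.FromSlash(rel))
	if rel == "" || clean == "." {
		return "", fmt.Errorf("schema loader: empty path in %q", rawURL)
	}
	if filepath.IsAbs(clean) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w (%q)", ErrEscapesRoot, rawURL)
	}
	return filepath.Join(root, clean), nil
}

// NewSchemaLoader returns a loader confined to root. Its signature matches the
// func(string) (io.ReadCloser, error) hook this example assumes for
// Compiler.LoadURL, so the returned closure can be assigned to that field.
func NewSchemaLoader(root string) (func(string) (io.ReadCloser, error), error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	return func(s string) (io.ReadCloser, error) {
		p, err := ResolveSchemaPath(absRoot, s)
		if err != nil {
			return nil, err
		}
		return os.Open(p)
	}, nil
}

func main() {
	// Constructed demo: one schema file in a temporary schema directory.
	dir, err := os.MkdirTemp("", "schemas")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	schema := []byte(`{"type":"string","pattern":"^[a-zA-Z0-9_-]*$"}`)
	if err := os.WriteFile(filepath.Join(dir, "channel.json"), schema, 0o600); err != nil {
		panic(err)
	}
	load, err := NewSchemaLoader(dir)
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{
		"schemas://channel.json",             // served from dir
		"file:///path/to/secret/file",        // wrong scheme: refused
		"schemas://../../etc/passwd",         // traversal: refused
		"schemas://channel/../../etc/passwd", // traversal after cleaning: refused
	} {
		rc, err := load(ref)
		if err != nil {
			fmt.Printf("%-38s refused: %v\n", ref, err)
			continue
		}
		b, _ := io.ReadAll(rc)
		rc.Close()
		fmt.Printf("%-38s loaded %d bytes\n", ref, len(b))
	}
}
```

Because the compiler then knows each schema only by its `schemas://` URL, that URL is also what appears in error messages, which addresses the original complaint as a side effect; the scheme check is the part that actually matters, since the directory-relative display string alone would leave `file://` refs loadable.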