santhosh-tekuri/jsonschema

Error messages are revealing absolute file paths

Closed · 1 comment

Hello

The error output seems to be revealing absolute file path information of the system that it is running on, which is not ideal from a security perspective.

Is it possible to reveal only the relative file path?

{
    "errors": [
        "{ file:///home/ubuntu/youvalidateme/inline#  doesn't validate with file:///home/ubuntu/youvalidateme/inline#}",
        "{/properties/channel_name/pattern file:///home/ubuntu/youvalidateme/inline#/properties/channel_name/pattern /channel_name does not match pattern '^[a-zA-Z0-9-_\\' ]*$'}"
    ],
    "result": "Validation failed"
}

File URLs always contain absolute paths. Even if the display string in the error message is changed, that does not serve the purpose; someone could load an arbitrary file from your system by using $ref as shown below:

{
   "$ref": "file:///path/to/secret/file"
}

So the correct solution is to use a custom loader with a custom URL scheme.

Say you have all schemas in some directory; you can use a custom URL like schemas://path/to/schema.json

Use Compiler.LoadURL to load the schema from the specific directory.
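As an added illustration of the loader described above (example code written for this page, not part of the jsonschema project), the following Go program shows a loader for a custom `schemas://` scheme that serves files only from beneath one root directory. It refuses every other scheme, so a `$ref` to `file:///...` cannot be resolved, it clamps `../` segments to the schema root, and its read errors report the schema URL rather than the absolute filesystem path. The `LoadURL` method is written with the shape `func(string) (io.ReadCloser, error)`, which is an assumption about the `Compiler.LoadURL` field in jsonschema v5; the root directory, the file contents and the `ReadFile` indirection are constructed so the example runs offline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/url"
	"path"
	"path/filepath"
)

// SchemaLoader serves schemas only from beneath one root directory via the
// custom "schemas://" scheme. Any other scheme, including file://, is refused,
// so "$ref": "file:///path/to/secret/file" can never be resolved.
// LoadURL has the shape assumed for jsonschema v5's Compiler.LoadURL field:
// func(string) (io.ReadCloser, error).
type SchemaLoader struct {
	Root string
	// ReadFile is injected so this example runs offline against constructed
	// in-memory schemas; in real use set it to os.ReadFile.
	ReadFile func(name string) ([]byte, error)
}

// ErrForbiddenURL is returned for every URL whose scheme is not "schemas".
var ErrForbiddenURL = errors.New("schema loader: only schemas:// URLs may be loaded")

// Resolve maps "schemas://path/to/schema.json" to "<Root>/path/to/schema.json".
// The URL path is cleaned against a virtual "/" first, so "../" segments can
// only climb as far as the schema root, never above it.
func (l *SchemaLoader) Resolve(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "schemas" {
		return "", fmt.Errorf("%w: got %q", ErrForbiddenURL, raw)
	}
	// url.Parse puts the first segment in Host ("path") and the rest in Path.
	rel := path.Clean("/" + u.Host + u.Path)
	return filepath.Join(l.Root, filepath.FromSlash(rel)), nil
}

// LoadURL is the function you would assign to Compiler.LoadURL. On a read
// failure it reports the schema URL, not the absolute filesystem path, which
// keeps system paths out of validation error messages.
func (l *SchemaLoader) LoadURL(raw string) (io.ReadCloser, error) {
	name, err := l.Resolve(raw)
	if err != nil {
		return nil, err
	}
	data, err := l.ReadFile(name)
	if err != nil {
		return nil, fmt.Errorf("schema loader: cannot load %s", raw)
	}
	return io.NopCloser(bytes.NewReader(data)), nil
}

// NewMemoryLoader builds a loader over constructed in-memory schemas keyed by
// their slash-separated path beneath root (example data, not real files).
func NewMemoryLoader(root string, files map[string]string) *SchemaLoader {
	return &SchemaLoader{
		Root: root,
		ReadFile: func(name string) ([]byte, error) {
			rel, err := filepath.Rel(root, name)
			if err != nil {
				return nil, err
			}
			if body, ok := files[filepath.ToSlash(rel)]; ok {
				return []byte(body), nil
			}
			return nil, fmt.Errorf("no such file: %s", name)
		},
	}
}

func main() {
	// Constructed example: one schema beneath an assumed root directory.
	loader := NewMemoryLoader("/srv/schemas", map[string]string{
		"path/to/schema.json": `{"type": "object"}`,
	})
	for _, ref := range []string{
		"schemas://path/to/schema.json", // allowed
		"schemas://../../etc/passwd",    // traversal clamped to root, then not found
		"file:///path/to/secret/file",   // refused: wrong scheme
	} {
		rc, err := loader.LoadURL(ref)
		if err != nil {
			fmt.Println(ref, "->", err)
			continue
		}
		body, _ := io.ReadAll(rc)
		rc.Close()
		fmt.Println(ref, "->", string(body))
	}
}
```

With a real directory you would set `ReadFile: os.ReadFile` and assign `loader.LoadURL` to the compiler's `LoadURL` field; every `$ref` in your schemas then has to be written as a `schemas://` URL, and the resolved absolute path never appears in the loader's error text.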