Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apidom-reference: FileResolver disabled by default #2154

Open
2 of 3 tasks
char0n opened this issue Oct 19, 2022 · 5 comments
Open
2 of 3 tasks

apidom-reference: FileResolver disabled by default #2154

char0n opened this issue Oct 19, 2022 · 5 comments
Assignees
@char0n
Labels
ApiDOM enhancement New feature or request

Comments

@char0n
Copy link
Member

char0n commented Oct 19, 2022
edited
Loading

We will introduce breaking change and have FileResolver disabled by default as it open’s possibility to do dangerous operations. We will also introduce additional security measure in form of configuration supplied regex that will guard the base resolution context of FileResolver - this will allow processing only certain whitelisted paths. Additional thing that we work on is to allow possibility to ignore certain URL schemas and not process them at all (instead of ApiDOM throwing error, the unrecognized schemas will be ignored).

TODO:

  • introduce mechanism to ignore certain URL schemas from processing
  • introduce regex whitelist for FileResolver
  • disable FileResolver by default
@char0n char0n self-assigned this Oct 19, 2022
@char0n char0n added enhancement New feature or request ApiDOM security vulnerability Security vulnerability detected by WhiteSource security fix Security fix generated by WhiteSource labels Oct 19, 2022
@frantuma frantuma mentioned this issue Oct 19, 2022
Open
@frantuma
Copy link
Member

@char0n just mentioning for future reference that if I get it right this would probably affect behavior in FS based environments, like IDE extensions e.g. https://github.com/swagger-api/apidom-lsp-vscode (added this ticket)

@mend-for-github-com mend-for-github-com bot changed the title apidom-reference: FileResolver disabled by default apidom-reference: FileResolver disabled by default - autoclosed Oct 19, 2022
@mend-for-github-com
Copy link
Contributor

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@char0n char0n reopened this Oct 20, 2022
char0n added a commit that referenced this issue Oct 20, 2022
@char0n
feat(reference): add support for file allow list for FileResolver
bbd76f1 
Refs #2154

BREAKING CHANGE: FileResolver will not detect and process any local file
unless explicitly allowed by fileAllowList option
@char0n char0n mentioned this issue Oct 20, 2022
Merged
@char0n
Copy link
Member Author

char0n commented Oct 20, 2022

@frantuma yes - it will be a breaking change, but the behavior can be explicitly turned on again and work exactly as before.

char0n added a commit that referenced this issue Oct 20, 2022
@char0n
feat(reference): add support for file allow list for FileResolver
e21795d 
Refs #2154

BREAKING CHANGE: FileResolver will not detect and process any local file
unless explicitly allowed by fileAllowList option
char0n added a commit that referenced this issue Oct 20, 2022
@char0n
feat(reference): add support for file allow list for FileResolver
80f86b2 
Refs #2154

BREAKING CHANGE: FileResolver will not detect and process any local file
unless explicitly allowed by fileAllowList option
char0n added a commit that referenced this issue Oct 20, 2022
@char0n
feat(reference): add support for file allow list for FileResolver
91f7a84 
Refs #2154

BREAKING CHANGE: FileResolver will not detect and process any local file
unless explicitly allowed by fileAllowList option
char0n added a commit that referenced this issue Oct 20, 2022
@char0n
feat(reference): add support for file allow list for FileResolver (#2159
e1b914c 
)

Refs #2154

BREAKING CHANGE: FileResolver will not detect and process any local file
unless explicitly allowed by fileAllowList option
@mend-for-github-com mend-for-github-com bot changed the title apidom-reference: FileResolver disabled by default - autoclosed apidom-reference: FileResolver disabled by default - autoclosed - autoclosed Oct 20, 2022
@mend-for-github-com
Copy link
Contributor

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@char0n char0n reopened this Oct 20, 2022
@mend-for-github-com mend-for-github-com bot changed the title apidom-reference: FileResolver disabled by default - autoclosed - autoclosed apidom-reference: FileResolver disabled by default - autoclosed - autoclosed - autoclosed Oct 20, 2022
@mend-for-github-com
Copy link
Contributor

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@char0n char0n removed security vulnerability Security vulnerability detected by WhiteSource security fix Security fix generated by WhiteSource labels Oct 20, 2022
@char0n char0n reopened this Oct 20, 2022
@char0n char0n changed the title apidom-reference: FileResolver disabled by default - autoclosed - autoclosed - autoclosed apidom-reference: FileResolver disabled by default Oct 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@char0n char0n

Labels
ApiDOM enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@char0n @frantuma