add security note about accessing urls #1600
Conversation
There was a problem hiding this comment.
This doesn't mention any security considerations. It's a requirement that we made for security reasons, but it's not a security consideration itself.
We could talk about the security considerations that led to that decision, but that feels out-of-place to me. This section should be about things implementers need to consider and protect against. It's not supposed to be a place for us to justify decisions we made for security reasons.
Because this requirement is a "SHOULD" and not a "MUST", we could talk about the security considerations that implementers who chose to support that kind of retrieval need to be aware of. That's the only way I think this makes sense.
| the host system to various security vulnerabilities, such as man-in-the-middle | ||
| attacks or data leaks. |
There was a problem hiding this comment.
I don't want to sound alarmist, but RCEs are also a potential if there's the potential of bad parsing and maliciuos intent. I think MitM is a low risk, but a noteable consideration.
How do you imagine data leaks might happen? By virtue of making a request to a URL from a system which should be invisible?
There was a problem hiding this comment.
A misbehaving implementation with access to the internet could send your data to another server, unrequested. To avoid this we instruct implementations to not make network calls by default. Thus making use of the network is opt-in, suggesting that the user understands the risks.
I can add the RCE risk to the list.
|
Minor issue, but otherwise looks good. Thanks! |
Co-authored-by: Ben Hutton <[email protected]>
What kind of change does this PR introduce?
clarification
Issue & Discussion References
Summary
Adds a security note about performing network operations when encountering URLs.
The last sentence in the addition was taken directly from @awwright's comment in the issue.
Does this PR introduce a breaking change?
no