jsonschema

Is the use of $id in subschemas a security risk?


In this Stack Overflow post I give an example of identifying a subschema using $id and then later replacing the $id with $anchor. Despite an incorrect $anchor value, the validator said that the schema was valid. Why? In his (excellent) answer @Jason Desrosiers explains (paraphrasing): "$id creates a persistent mapping to a schema. The mapping doesn't go away even when you remove the $id."

Two questions:

  1. Would you point me to the portion of the JSON Schema specification that talks about this, i.e., the portion of the spec that talks about $id mappings persisting even when the $id is removed?

  2. Is the use of $id in subschemas a security risk? It seems plausible that the "$id mapping persistence" behavior could be exploited to do bad things. (Analogous to the security risk of a browser that persists a password that was entered on a web page even when the web page is exited.)


Solution

  • Would you point me to the portion of the JSON Schema specification that talks about this, i.e., the portion of the spec that talks about $id mappings persisting even when the $id is removed?

    The spec doesn't talk about this directly. JSON Schema expects users to load their schemas into the implementation to make them available to be referenced from other schemas. While technically it doesn't say how long those schemas should remain available, there's no concept of a session or of unloading mappings stated or implied in the spec. So I think that most of the time the schemas you load stay available until they get unloaded or replaced somehow, although the spec doesn't mention a concept of unloading or replacing mappings.

  • Is the use of $id in subschemas a security risk? It seems plausible that the "$id mapping persistence" behavior could be exploited to do bad things. (Analogous to the security risk of a browser that persists a password that was entered on a web page even when the web page is exited.)

    I'm glad you asked this because this never occurred to me and I think you might be right. I'm going to refrain from discussing specific exploits in public, but I'll bring this up in private with the JSON Schema team.
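A toy model of the persistence behaviour the answer describes, as an added example that is not part of the question, the answer, or any real JSON Schema implementation. The `ToyValidator` class, its registry, the `https://example.test/person` URI and the two schema versions are all constructed for illustration: the validator registers every `$id` and `$anchor` it meets while loading a schema and never unloads anything, so a `$ref` in a later schema can still hit a mapping created by an earlier one. The example also shows the practical check: running the second schema through a fresh validator makes the misspelled anchor visible as an unresolvable reference.

```python
"""Toy validator that caches $id/$anchor -> subschema mappings.

Added example: not code from the question, the answer, or any real JSON
Schema implementation. The registry, the URI handling and the tiny type
checker are assumptions that model the "mapping persists after the $id is
removed" behaviour discussed on this page.
"""
from __future__ import annotations

from urllib.parse import urljoin


class UnresolvableRef(Exception):
    """Raised when a $ref points at nothing the validator has loaded."""


class ToyValidator:
    """One validator instance with one long-lived registry.

    Every schema passed to validate() is loaded into the registry first and
    nothing is ever unloaded; that is the persistence the page talks about.
    """

    def __init__(self) -> None:
        self._registry: dict[str, dict] = {}  # absolute URI -> subschema

    def load(self, schema: dict, retrieval_uri: str) -> None:
        """Register the schema under its retrieval URI and walk it for ids."""
        self._registry[retrieval_uri] = schema
        self._walk(schema, retrieval_uri)

    def _walk(self, node, base_uri: str) -> None:
        if isinstance(node, dict):
            if "$id" in node:  # $id sets a new base URI ...
                base_uri = urljoin(base_uri, node["$id"])
                self._registry[base_uri] = node  # ... and registers the subschema
            if "$anchor" in node:  # $anchor is a plain-name fragment of the base
                self._registry[urljoin(base_uri, "#" + node["$anchor"])] = node
            for value in node.values():
                self._walk(value, base_uri)
        elif isinstance(node, list):
            for value in node:
                self._walk(value, base_uri)

    def _resolve(self, ref: str, base_uri: str) -> dict:
        target = urljoin(base_uri, ref)
        if target not in self._registry:
            raise UnresolvableRef(target)
        return self._registry[target]

    def validate(self, schema: dict, instance, retrieval_uri: str) -> bool:
        """Load the schema (side effect!) and check the instance against it."""
        self.load(schema, retrieval_uri)
        return self._check(schema, instance, retrieval_uri)

    def _check(self, schema: dict, instance, base_uri: str) -> bool:
        # Minimal subset: $id, $ref, and type in {integer, string, object}.
        if "$id" in schema:
            base_uri = urljoin(base_uri, schema["$id"])
        if "$ref" in schema:
            return self._check(self._resolve(schema["$ref"], base_uri), instance, base_uri)
        expected = schema.get("type")
        if expected == "integer" and not (isinstance(instance, int) and not isinstance(instance, bool)):
            return False
        if expected == "string" and not isinstance(instance, str):
            return False
        if expected == "object":
            if not isinstance(instance, dict):
                return False
            for key, sub in schema.get("properties", {}).items():
                if key in instance and not self._check(sub, instance[key], base_uri):
                    return False
        return True


URI = "https://example.test/person"  # constructed, not a real schema

# Version 1: the subschema is identified with a plain-name $id (draft-07 style).
PERSON_V1 = {
    "$id": URI,
    "type": "object",
    "properties": {
        "age": {"$id": "#age", "type": "integer"},
        "retirement_age": {"$ref": "#age"},
    },
}

# Version 2: $id replaced by $anchor, but the anchor is misspelled ("agee"),
# so "#age" should no longer resolve in a correctly scoped validator.
PERSON_V2 = {
    "$id": URI,
    "type": "object",
    "properties": {
        "age": {"$anchor": "agee", "type": "integer"},
        "retirement_age": {"$ref": "#age"},
    },
}

GOOD = {"age": 40, "retirement_age": 67}
BAD = {"age": 40, "retirement_age": "sixty-seven"}


def stale_mapping_demo() -> dict:
    """Run both schema versions through one shared validator, then V2 alone."""
    shared = ToyValidator()
    results = {
        "v1_good": shared.validate(PERSON_V1, GOOD, URI),
        "v1_bad": shared.validate(PERSON_V1, BAD, URI),
        # V2's "#age" still resolves: the mapping V1 created was never unloaded.
        "v2_shared_good": shared.validate(PERSON_V2, GOOD, URI),
        "v2_shared_bad": shared.validate(PERSON_V2, BAD, URI),
    }
    try:  # Mitigation: a fresh validator (fresh registry) per untrusted schema.
        ToyValidator().validate(PERSON_V2, GOOD, URI)
        results["v2_fresh"] = "resolved"
    except UnresolvableRef as exc:
        results["v2_fresh"] = f"unresolvable: {exc}"
    return results


if __name__ == "__main__":
    print(stale_mapping_demo())
```

The shared instance reports the second schema as valid only because `#age` is answered by the subschema the first schema registered; the fresh instance reports the reference as unresolvable, which is the signal the question was missing. The practical consequence for a service that validates schemas from more than one party: a registry that is shared between them and never cleared lets a mapping registered by one schema satisfy a `$ref` in another, so scope the registry (or the validator instance) to the trust domain of the schemas it loads.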