refactor: restrict OpenAPI $ref resolution to in-document pointers#11226
refactor: restrict OpenAPI $ref resolution to in-document pointers#11226etairl wants to merge 2 commits into
Conversation
OpenAPIServiceToFunctions._parse_openapi_spec previously called jsonref.replace_refs with the library default loader, which dispatches arbitrary $ref URIs to the filesystem and the network. Pass an explicit loader that rejects any non-in-document reference and disable proxies so references must be resolved eagerly. In-document JSON-pointer refs (those starting with "#") are unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
@etairl is attempting to deploy a commit to the deepset Team on Vercel. A member of the Team first needs to authorize it. |
anakin87
left a comment
anakin87
left a comment
There was a problem hiding this comment.
Hello, @etairl!
Could you better explain why this is needed?
Please also read our security policy before. If you have identified a vulnerability, please send us the details confidentially via email.
I also noticed that you opened multiple PRs. I'd suggest focusing on one at a time.
Hi @anakin87, Sorry about the spam (they've been sitting in my todos for a few days, created the PRs today in one batch). So on one hand this probably falls under out of scope category ("attacker-controlled input to Haystack is considered out of scope"). The reason it still should be a PR is that users expect "parse this spec" to just parse - not to read files or hit the network, so the default should be safer. This is security hardening rather than vulnerability patching. |
|
Thank you! I'll give this a better look later... |
Release-note linter rejects single backticks for inline code. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||
|
|
Thanks. Let me know of any required changes / questions. |
@anakin87 Any update? Really looking to get the 3 bugs fixed as they were found as part of our dependency chain scanning. |
|
I looked better into this... From our policy:
In addition, Thanks for raising the concern, but for these reasons I'd suggest closing the PR. |
Thanks for pointing it out. I'll move input validation upstream to better handle all edge cases then. I'll close the other 2 PRs as well. I did stumble upon a non-security bug, I'll create a PR soon. |
3 participants
Summary
OpenAPIServiceToFunctions._parse_openapi_specwas callingjsonref.replace_refswith the library default loader, which dispatches arbitrary$refURIs to the filesystem (file://) and the network (http(s)://).$refand setproxies=Falseso references must resolve eagerly during parsing.#) continue to work unchanged.This is a defensive hardening change for OpenAPI specs whose contents are not fully trusted (e.g. fetched from third-party catalogs, generated by an LLM, or uploaded by end users). Specs that depend on external
$refresolution will now raise aRuntimeErrorinstead of silently performing filesystem reads or outbound HTTP requests.Test plan
OpenAPIServiceToFunctionsunit tests with the new loader.$ref(e.g.#/components/schemas/Foo) still resolves correctly.$ref: file:///etc/passwdor$ref: http://...raises and does not perform the I/O.🤖 Generated with Claude Code