From 9996d4fb19aaa3f60c185db0fb72977bc9934ac9 Mon Sep 17 00:00:00 2001 From: Darrel Miller Date: Fri, 5 Jan 2024 09:06:05 -0500 Subject: [PATCH 1/7] Added security considerations document --- SECURITY_CONSIDERATIONS.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 SECURITY_CONSIDERATIONS.md diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md new file mode 100644 index 0000000000..3d59d571c1 --- /dev/null +++ b/SECURITY_CONSIDERATIONS.md @@ -0,0 +1,6 @@ +# Security Considerations + +OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259) +In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, service side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. +OpenAPIs document may contain references to external resources that may be dereferenced automatically by consuming tools. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. +Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From cb85ba0972c34fa9743a000792511878a9cd0630 Mon Sep 17 00:00:00 2001 
From: Darrel Date: Fri, 5 Jan 2024 13:06:45 -0500 Subject: [PATCH 2/7] Update SECURITY_CONSIDERATIONS.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Asbjørn Ulsberg --- SECURITY_CONSIDERATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index 3d59d571c1..dad8b95f7f 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md 
@@ -1,6 +1,6 @@ # Security Considerations OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259) -In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, service side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. +In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. OpenAPIs document may contain references to external resources that may be dereferenced automatically by consuming tools. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From 621fc7bf0e7c7fb8b2da01cbc5fa3e41659ae755 Mon Sep 17 00:00:00 2001 From: Darrel Date: Fri, 5 Jan 2024 13:06:57 -0500 Subject: [PATCH 3/7] Update SECURITY_CONSIDERATIONS.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Asbjørn Ulsberg --- SECURITY_CONSIDERATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index dad8b95f7f..e0a2451012 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md @@ -2,5 +2,5 @@ OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259) In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. -OpenAPIs document may contain references to external resources that may be dereferenced automatically by consuming tools. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. +OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From f30283d60dd07d9a72a08590d27ad2a4273b1517 Mon Sep 17 00:00:00 2001 From: Darrel Date: Sun, 18 Feb 2024 15:43:26 -0500 Subject: [PATCH 4/7] Add note about external references being potentially on untrusted domains --- SECURITY_CONSIDERATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index e0a2451012..81d092fb0a 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md @@ -2,5 +2,5 @@ OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259) In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. -OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. +OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From a95e1ba5a6d37db9d6e01834fab2a865ec107738 Mon Sep 17 00:00:00 2001 
From: Darrel Date: Thu, 22 Feb 2024 12:15:47 -0500 Subject: [PATCH 5/7] Update SECURITY_CONSIDERATIONS.md Co-authored-by: Ralf Handl --- SECURITY_CONSIDERATIONS.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index 81d092fb0a..147e6acf3a 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md 
@@ -1,6 +1,10 @@ # Security Considerations -OpenAPI documents use JSON, YAML and JSON Schema and therefore share their same security considerations. [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) [YAML](https://www.ietf.org/archive/id/draft-ietf-httpapi-yaml-mediatypes-10.html) [JSON](https://www.rfc-editor.org/rfc/rfc8259) +OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their security considerations: +- [JSON](https://datatracker.ietf.org/doc/html/rfc8259) +- [YAML](https://datatracker.ietf.org/doc/html/rfc9512) +- [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) +- [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From f9fc7224b3f77458373860bad8b4904547f22d24 Mon Sep 17 00:00:00 2001 
From: Darrel Date: Sun, 3 Mar 2024 11:46:49 -0500 Subject: [PATCH 6/7] Update SECURITY_CONSIDERATIONS.md Co-authored-by: Lorna Jane Mitchell --- SECURITY_CONSIDERATIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index 147e6acf3a..8c5b9acd0a 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md @@ -5,6 +5,7 @@ OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their sec - [YAML](https://datatracker.ietf.org/doc/html/rfc9512) - [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) - [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) -In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. + +In addition, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file From fa1c65ebcacd9521acc3b556fcdf6f12e4195695 Mon Sep 17 00:00:00 2001 
From: Darrel Miller Date: Sun, 3 Mar 2024 12:49:05 -0500 Subject: [PATCH 7/7] Added note about security schemes --- SECURITY_CONSIDERATIONS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SECURITY_CONSIDERATIONS.md b/SECURITY_CONSIDERATIONS.md index 147e6acf3a..0ad58eb164 100644 --- a/SECURITY_CONSIDERATIONS.md +++ b/SECURITY_CONSIDERATIONS.md 
@@ -5,6 +5,8 @@ OpenAPI documents use JSON, YAML, and JSON Schema, and therefore share their sec - [YAML](https://datatracker.ietf.org/doc/html/rfc9512) - [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core#section-13) - [JSON Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation#name-security-considerations) + In additional, OpenAPI documents are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI document authors must consider the risks of the scenarios where the OpenAPI document may be used. +OpenAPI document describes security schemes that are used to protect the described resources. The available types of security schemes have widely varying degrees of protection and care must be taken to use an appropriate level of security schemes for the API resources being protected. Some security scheme types are supported for compatibility with existing APIs (e.g. basic auth, OAuth Implicit flow) and OpenAPI support should not be considered as an endorsement for their usage. OpenAPI documents may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. References in an OpenAPI document, or across OpenAPI documents may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. Certain properties allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. \ No newline at end of file
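Review bot: In [PATCH 1/7], the four reference links are run together at the end of the first paragraph with no separators (`[JSON Schema Core](...) [JSON Schema Validation](...) [YAML](...) [JSON](...)`), so they render as one undifferentiated line; a bullet list would make each source scannable. The same hunk has `In additional,` (should be `In addition,`), `OpenAPIs document` (should be `OpenAPI documents`) and `service side routing` (presumably `server side routing`), and the YAML link points to the IETF draft `draft-ietf-httpapi-yaml-mediatypes-10` rather than a published RFC. The new file also ends with `\ No newline at end of file`, which every later patch in the series carries forward; add a trailing newline.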
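Review bot: In [PATCH 2/7], the `In additional, OpenAPI documents are processed ...` line is replaced only to change `service side routing` to `server side routing`, leaving `In additional` untouched in the same line; since the line is already being rewritten, fix both here rather than in a separate commit (6/7 later corrects it, and 7/7 then reintroduces the old wording).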
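Review bot: In [PATCH 3/7], the replaced line still reads `References in an OpenAPI document, or across OpenAPI documents may cause a cycle.`; the parenthetical needs a closing comma (`..., or across OpenAPI documents, may cause a cycle`). `Tooling must detect and handle cycles to prevent resource exhaustion` also states a requirement without saying what handling means; spell out whether the document should be rejected with an error or whether reference resolution should be bounded, so implementers and authors share the same expectation.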
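Review bot: In [PATCH 4/7], the added sentence `External resources may be hosted on different domains that may be untrusted.` names the risk but gives tooling no guidance, unlike the cycle sentence that follows it (`Tooling must detect and handle cycles ...`). Suggest a parallel statement: tooling should not dereference external references without the user opting in, or should limit dereferencing to locations the user has declared trusted, and fetched content must not be trusted any more than the referencing document. `may be hosted on different domains that may be untrusted` also doubles `may`; `may be hosted on other domains, which may not be trusted` reads better.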
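Review bot: After [PATCH 5/7], the list ends at `- [JSON Schema Validation](...)` and the next line `In additional, OpenAPI documents ...` follows it with no blank line, so CommonMark renderers can treat that paragraph as a lazy continuation of the last list item; insert a blank line after the list (6/7 does this). The hunk also moves the JSON and YAML links to datatracker.ietf.org (`rfc8259`, `rfc9512`) while the two JSON Schema links stay as they were, which is fine, but the commit message `Update SECURITY_CONSIDERATIONS.md` should say the YAML reference now points to the published RFC 9512 instead of the draft.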
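Review bot: [PATCH 7/7] does not apply on top of 6/7: its `index 147e6acf3a..0ad58eb164` line starts from the same pre-6/7 blob that 6/7 starts from (`index 147e6acf3a..8c5b9acd0a`), its context line still reads `In additional, OpenAPI documents ...`, and it re-adds the blank line that 6/7 already added, so either the hunk fails to apply or, if rebased by hand, `In addition` regresses to `In additional`. Rebase 7/7 onto 6/7 so the context matches. In the added sentence, `OpenAPI document describes security schemes` should be `OpenAPI documents describe security schemes`, and `use an appropriate level of security schemes for the API resources being protected` reads better as `choose a security scheme whose level of protection matches the API resources being protected`.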