This repository has been archived by the owner on Nov 8, 2024. It is now read-only.
I think it's okay to support referencing external files in Gavel, but we really need to test that it will interpret only valid JSON Schema files, not files like /etc/passwd (would disclose sensitive data), /dev/zero (can eat all memory), etc. People run Dredd on their CIs, so we need to prevent any vulnerabilities. The following tests should be added:
when referencing an external file with valid content, Gavel reads the file and correctly validates according to the schema
when referencing an external file with (possibly sensitive) plain text content, Gavel refuses to read the file and doesn't disclose the file's contents
when referencing a huge or infinitely large external file (not sure how to test this on Windows very well), Gavel refuses to read the file and doesn't eat all the computer's memory or crash
The current state of Gavel has no tests related to referencing external resources through $ref.
It really sounds like it is JSON Schema's responsibility to handle external resources security- and memory-wise. Moving this logic to Gavel implies supporting how $ref is interpreted in various JSON Schema versions (it's an external API, which is subject to change). It also feels like Gavel would start to care about more things than just data validation.
If anything, these valid concerns should be addressed in Dredd. I believe we can know that a JSON Schema is attached to the API description document, check its $ref resource and conduct the aforementioned checks.