Lack of data validation in openssl-encrypt
Description
openssl-encrypt silently skips schema validation when jsonschema library is not installed
Summary
In openssl_encrypt/modules/json_validator.py at lines 234-238, when the jsonschema library is not installed, all schema validation is silently skipped with only a print warning.
Affected Code
```python
if not JSONSCHEMA_AVAILABLE:
    # Fails open: validation is skipped and processing continues
    print(f"Warning: Cannot validate against schema '{schema_name}' - jsonschema library not available")
    return
```
Additionally, unknown metadata format versions (lines 288-293) bypass schema validation entirely, and all schemas use additionalProperties: true, allowing arbitrary extra fields.
Impact
An attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation.
Recommended Fix
Make jsonschema a required dependency, not optional
Or fail-closed: refuse to process metadata when validation cannot be performed
Reject unknown format versions instead of silently skipping validation
Consider using additionalProperties: false in schemas
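The following is an added example, not code from openssl-encrypt, showing what the three recommendations look like together: a validator that fails closed when jsonschema is missing, rejects format versions it has no schema for, and uses additionalProperties: false so unexpected fields are errors. The schema, field names, version map and sample metadata are constructed for illustration; the function and exception names echo the advisory but the implementation is assumed.

```python
"""Fail-closed metadata schema validation (added example, not the project's code).

Constructed schema and metadata; the real openssl-encrypt schemas are not
reproduced here.
"""
import logging

try:
    import jsonschema
    JSONSCHEMA_AVAILABLE = True
except ImportError:  # handled by failing closed below, never by skipping validation
    jsonschema = None
    JSONSCHEMA_AVAILABLE = False

log = logging.getLogger(__name__)


class JSONValidationError(Exception):
    """Raised whenever metadata cannot be shown to be valid."""


# Constructed schema: strict about unknown fields (additionalProperties: false).
SCHEMAS = {
    "metadata_v1": {
        "type": "object",
        "required": ["format_version", "algorithm", "salt"],
        "properties": {
            "format_version": {"enum": [1]},
            "algorithm": {"type": "string", "enum": ["aes-256-gcm", "chacha20-poly1305"]},
            "salt": {"type": "string", "pattern": "^[A-Za-z0-9+/=]+$"},
        },
        "additionalProperties": False,
    },
}

# Known format versions and the schema that governs each (constructed).
VERSION_TO_SCHEMA = {1: "metadata_v1"}


def validate_against_schema(metadata, schema_name, available=JSONSCHEMA_AVAILABLE):
    """Validate metadata against a named schema or raise JSONValidationError.

    `available` is injectable so the fail-closed branch can be exercised
    even on a machine where jsonschema is installed.
    """
    if not available or jsonschema is None:
        # Fail closed: a missing validator is an error, not a warning to log and ignore.
        log.warning("jsonschema unavailable; refusing to validate '%s'", schema_name)
        raise JSONValidationError(
            f"Cannot validate against schema '{schema_name}': jsonschema library not available")
    schema = SCHEMAS.get(schema_name)
    if schema is None:
        raise JSONValidationError(f"Unknown schema '{schema_name}'")
    try:
        jsonschema.validate(instance=metadata, schema=schema)
    except jsonschema.ValidationError as exc:
        raise JSONValidationError(f"Metadata failed schema '{schema_name}': {exc.message}") from exc


def validate_metadata(metadata, available=JSONSCHEMA_AVAILABLE):
    """Dispatch on format_version, rejecting any version without a known schema."""
    if not isinstance(metadata, dict):
        raise JSONValidationError("Metadata must be a JSON object")
    version = metadata.get("format_version")
    schema_name = VERSION_TO_SCHEMA.get(version)
    if schema_name is None:
        # Unknown version: reject instead of skipping validation.
        raise JSONValidationError(f"Unsupported metadata format version {version!r}")
    validate_against_schema(metadata, schema_name, available=available)
    return True


def is_rejected(metadata, available=JSONSCHEMA_AVAILABLE):
    """True if validate_metadata raises JSONValidationError for this input."""
    try:
        validate_metadata(metadata, available=available)
    except JSONValidationError:
        return True
    return False


# Constructed sample inputs.
GOOD = {"format_version": 1, "algorithm": "aes-256-gcm", "salt": "c2FsdA=="}
EXTRA_FIELD = dict(GOOD, kdf_override="none")    # caught by additionalProperties: false
UNKNOWN_VERSION = dict(GOOD, format_version=99)  # rejected before any schema lookup

if __name__ == "__main__":
    print("unknown version rejected:", is_rejected(UNKNOWN_VERSION))
    print("library missing rejected:", is_rejected(GOOD, available=False))
    if JSONSCHEMA_AVAILABLE:
        print("good metadata accepted:", not is_rejected(GOOD))
        print("extra field rejected:", is_rejected(EXTRA_FIELD))
```

The unknown-version and library-missing checks run before any schema is consulted, so they hold even when jsonschema cannot be imported; the additionalProperties check only applies once the library is present and the schema is actually evaluated.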
Fix
Fixed in commit 6e7f938 on branch releases/1.4.x — validate_against_schema() now raises JSONValidationError when jsonschema is unavailable instead of silently passing; changed print() warning to logging.warning().
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pypi | openssl-encrypt | 1.4.0 | |