Collect unknown keywords as annotations

handrews · handrews · commit cad29ac533d7 · 2020-09-26T14:28:04.000-07:00
And try to avoid memory exhaustion attacks, which were possible
even with out this change but potentially more likely to happen
by accident with it (e.g. unrecognized applicator with a very
large subschema).
diff --git a/jsonschema-core.xml b/jsonschema-core.xml
@@ -351,7 +351,7 @@
                     </t>
                     <t>
                         A JSON Schema MAY contain properties which are not schema keywords.
-                        Unknown keywords SHOULD be ignored.
+                        Unknown keywords SHOULD be treated as annotations.
                     </t>
                     <t>
                         An empty schema is a JSON Schema with no properties, or only unknown
@@ -3090,6 +3090,11 @@ https://example.com/schemas/common#/$defs/count/minimum
                 system resources.
                 Validators MUST NOT fall into an infinite loop.
             </t>
+            <t>
+                A malicious party could cause an implementation to repeatedly collect a copy
+                of a very large value as an annotation.  Implementations SHOULD guard against
+                excessive consumption of system resources in such a scenario.
+            </t>
             <t>
                 Servers MUST ensure that malicious parties can't change the functionality of
                 existing schemas by uploading a schema with a pre-existing or very similar "$id".
