
Security issue: Depth and width of resolutions

Open · brettz9 opened this issue 8 years ago · 1 comment

I think the security section should probably be expanded to mention the likes of:

  1. Schema processors handling infinite recursion
  2. Implementations allowing limits on $ref depth short of infinite recursion but putting an excessive demand on an application to resolve long chains of references
  3. Schema object "width" resolution problems, i.e., where there is no infinite recursion or long chains out of the document, but there can still be a DoS à la the billion laughs attack, e.g., via such constructs as allOf.

```json
{
    "definitions": {
        "laugh1": {"type": "string", "default": "laugh"},
        "laugh2": {"allOf": [{"$ref": "#/definitions/laugh1"}, {"type": "string", "default": "laugh"}]},
        "laugh3": {"allOf": [{"$ref": "#/definitions/laugh2"}, {"$ref": "#/definitions/laugh1"}]},
        "laugh4": {"allOf": [{"$ref": "#/definitions/laugh3"}, {"$ref": "#/definitions/laugh2"}]},
        "laugh5": {"allOf": [{"$ref": "#/definitions/laugh4"}, {"$ref": "#/definitions/laugh3"}]},
        // etc.
    }
}
```

brettz9 · May 02 '17 05:05
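The following Python is an added illustration of the three points above; it is not code from the issue, from the specification, or from any json-schema-spec implementation. It generalises the `laughN` schema posted above to `n` definitions and walks it the way a naive, eager `$ref` resolver would, counting every resolution and the deepest chain reached. The function and parameter names (`build_laugh_schema`, `measure_expansion`, `max_depth`, `max_resolutions`) and the budget values are this example's own choices, and only document-local `#/...` references are handled.

```python
"""Budgeted $ref expansion over a 'billion laughs'-style JSON Schema (added example)."""
import json


class ResolutionLimitExceeded(Exception):
    """Raised when a schema demands more $ref work than the configured budget."""


def build_laugh_schema(n):
    """Constructed sample: the issue's laugh1..laughN definitions, with the root
    pointing at laughN.  The document grows linearly in n."""
    defs = {
        "laugh1": {"type": "string", "default": "laugh"},
        "laugh2": {"allOf": [{"$ref": "#/definitions/laugh1"},
                             {"type": "string", "default": "laugh"}]},
    }
    for i in range(3, n + 1):
        defs[f"laugh{i}"] = {"allOf": [{"$ref": f"#/definitions/laugh{i - 1}"},
                                       {"$ref": f"#/definitions/laugh{i - 2}"}]}
    return {"definitions": defs, "$ref": f"#/definitions/laugh{n}"}


def schema_size_bytes(schema):
    """Serialized size, to contrast with the resolution count."""
    return len(json.dumps(schema))


def resolve_local_ref(root, ref):
    """Follow a document-local JSON Pointer such as '#/definitions/laugh3'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only document-local refs are handled here: {ref}")
    node = root
    for token in ref[2:].split("/"):
        node = node[token.replace("~1", "/").replace("~0", "~")]
    return node


def measure_expansion(root, max_depth=64, max_resolutions=100_000):
    """Eagerly expand every $ref reachable from the root, as a naive processor
    would, while enforcing three limits that map onto the issue's three points:
      1. a $ref already on the current path  -> infinite recursion
      2. a chain deeper than max_depth        -> excessively long chain
      3. more than max_resolutions in total   -> 'width' blow-up
    Returns {"resolutions": n, "max_depth": d} when the schema stays in budget."""
    stats = {"resolutions": 0, "max_depth": 0}

    def walk(node, depth, path):
        stats["max_depth"] = max(stats["max_depth"], depth)
        if isinstance(node, dict):
            if "$ref" in node:
                ref = node["$ref"]
                if ref in path:
                    raise ResolutionLimitExceeded(f"infinite recursion through {ref}")
                if depth + 1 > max_depth:
                    raise ResolutionLimitExceeded(f"$ref chain deeper than {max_depth}")
                stats["resolutions"] += 1
                if stats["resolutions"] > max_resolutions:
                    raise ResolutionLimitExceeded(f"more than {max_resolutions} $ref resolutions")
                walk(resolve_local_ref(root, ref), depth + 1, path | {ref})
            for key, value in node.items():
                # 'definitions'/'$defs' are containers, not applicators: only the
                # subschemas actually referenced from the evaluation path count.
                if key in ("$ref", "definitions", "$defs"):
                    continue
                walk(value, depth, path)
        elif isinstance(node, list):
            for item in node:
                walk(item, depth, path)

    walk(root, 0, frozenset())
    return stats


def is_rejected(schema, **limits):
    """True if the schema trips one of the budgets in measure_expansion."""
    try:
        measure_expansion(schema, **limits)
    except ResolutionLimitExceeded:
        return True
    return False


# Constructed sample for point 1: a definition that references itself.
SELF_REFERENTIAL = {"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}


if __name__ == "__main__":
    for n in (5, 10, 20):
        s = build_laugh_schema(n)
        print(n, schema_size_bytes(s), "bytes ->", measure_expansion(s))
    print("n=30 within budget?", not is_rejected(build_laugh_schema(30)))
    print("self-reference rejected?", is_rejected(SELF_REFERENTIAL))
```

With these definitions, `laughN` is resolved F(N+2) - 1 times (F being the Fibonacci sequence), so the work grows exponentially while the schema text grows by one line per definition; the budget check is what turns an unbounded expansion into a fast, explicit rejection.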

Nice suggestions. Thanks. Some comments:

  1. Handling infinite recursion is already part of the specification.
  2. I wonder how big of a deal this is. A bad actor would have to somehow upload the JSON required to represent these long chains, and I think that should already be handled by anything using JSON in general.
  3. Same as (2). The SO question you link to is about the attack in XML, and as you've shown, it's substantially more verbose in JSON Schema.

gregsdennis · Sep 04 '23 01:09