The examples provided, such as the Node server example, show an example of a data source provider that will configure data sources with specific IDs, but will also permit all unrecognized data sources to be used, as-is. If anyone is actually configured in this fashion, an end-user would be capable of constructing a REST request that contains a JSON data source with a specific URL, causing the server to send and return the contents found at that URL. This is a problem if the server is running behind a firewall, and the contents at that URL are supposed to be inaccessible to the end-user.
It would be good to update these examples to, instead, return null on any unrecognized data sources.
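The difference between the two provider behaviours, as an added sketch that is not the project's example code. The provider signature, the `CONFIGURED` map, the helper names and all IDs and URLs are assumptions made up for illustration.

```javascript
// Hypothetical provider shape: (requested data source) => definition or null.
// IDs and URLs below are constructed sample values.
const CONFIGURED = new Map([
  ["orders", { id: "orders", type: "json", url: "http://reports.internal.example/orders.json" }],
  ["customers", { id: "customers", type: "json", url: "http://reports.internal.example/customers.json" }],
]);

// Pattern described in the issue: known IDs are configured,
// anything unrecognized is passed through as-is.
function permissiveProvider(requested) {
  const known = CONFIGURED.get(requested.id);
  return known ? { ...known } : requested; // client-supplied url survives
}

// Suggested pattern: unrecognized data sources resolve to null.
function strictProvider(requested) {
  if (!requested || typeof requested.id !== "string") return null;
  const known = CONFIGURED.get(requested.id);
  // Return only server-side configuration; never merge client-supplied fields.
  return known ? { ...known } : null;
}

// Resolve every data source named in a request and record the rejected IDs,
// so the server can log or refuse requests that carry unknown sources.
function resolveAll(provider, requestedSources) {
  const resolved = [];
  const rejected = [];
  for (const ds of requestedSources) {
    const out = provider(ds);
    if (out === null) rejected.push(ds && ds.id);
    else resolved.push(out);
  }
  return { resolved, rejected };
}

// Constructed request body: one configured ID (with a url the client tried
// to override) and one client-defined JSON data source.
const sampleRequest = [
  { id: "orders", url: "http://client-chosen.example/override.json" },
  { id: "adhoc", type: "json", url: "http://internal-only.example/status.json" },
];

console.log("permissive:", resolveAll(permissiveProvider, sampleRequest));
console.log("strict:", resolveAll(strictProvider, sampleRequest));
```

With the strict provider, the only URLs the server ever fetches are the ones in its own configuration, and the rejected list gives a place to hook logging for requests that tried to define their own source.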