The gist of the matter is we currently blindly trust the external data source: "https://date.nager.at/api/v2/publicholidays" <- which is very nice
Not that the plan is to assume bad, but a few points:
- What if the local DNS is corrupted and https://date.nager.at/api/v2/publicholidays for the PC is currently pointed to an attacker-controlled server?
- Ensure the request can be made without blocking input.
- Ensure the result is actually a list of holidays in a properly formatted JSON.
- Enforce a timeout on the HTTP request.
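
One way to cover the four points above, as an added sketch that is not the project's own code. It is written in Python because the issue does not name a language; the `/{year}/{countryCode}` path, the `date`/`name`/`countryCode` field names, the size cap and the timeout value are assumptions.

```python
import json
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from datetime import date
from urllib.parse import urlsplit

BASE = "https://date.nager.at/api/v2/publicholidays"  # URL from the issue
MAX_BYTES = 256 * 1024  # assumed cap; one year of holidays is a few KB
TIMEOUT_S = 5           # assumed; applies to each socket operation
_pool = ThreadPoolExecutor(max_workers=1)

def parse_holidays(raw: bytes, year: int, country: str) -> list[dict]:
    """Accept only a JSON list of well-formed holiday objects, else ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("response too large")
    data = json.loads(raw.decode("utf-8"))  # decode/JSON errors are ValueErrors
    if not isinstance(data, list) or not 0 < len(data) <= 366:
        raise ValueError("expected a non-empty list of holidays")
    out = []
    for item in data:
        if not isinstance(item, dict):
            raise ValueError("holiday entry is not an object")
        name, day = item.get("name"), item.get("date")
        if not isinstance(name, str) or not 0 < len(name) <= 200:
            raise ValueError("bad name")
        if not isinstance(day, str) or date.fromisoformat(day).year != year:
            raise ValueError("bad date")
        if item.get("countryCode") != country:
            raise ValueError("unexpected country code")
        out.append({"date": day, "name": name})  # keep only the fields we use
    return out

def fetch_holidays(year: int, country: str) -> list[dict]:
    """Blocking fetch: certificate check on, timeout enforced, body size capped."""
    if not (len(country) == 2 and country.isascii() and country.isalpha()):
        raise ValueError("country must be a two-letter code")
    url = f"{BASE}/{int(year)}/{country}"
    ctx = ssl.create_default_context()  # a spoofed DNS answer fails the cert check
    with urllib.request.urlopen(url, timeout=TIMEOUT_S, context=ctx) as resp:
        if urlsplit(resp.geturl()).netloc != urlsplit(BASE).netloc:
            raise ValueError("redirected to another host")
        raw = resp.read(MAX_BYTES + 1)
    return parse_holidays(raw, year, country)

def fetch_holidays_async(year: int, country: str):
    """Run the fetch on a worker thread so the caller's input loop is not blocked."""
    return _pool.submit(fetch_holidays, year, country)
```

The caller polls the returned future, or calls `result(timeout=...)` to put an overall bound on the request, and treats any exception as "no holiday data" rather than using a partial result.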