Update dependency swagger-ui-dist to v4 [SECURITY] - abandoned #560
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.47.1
->4.1.3
GitHub Vulnerability Alerts
GHSA-qrmm-w75w-3wpx
SwaggerUI supports displaying remote OpenAPI definitions through the
?url
parameter. This enables robust demonstration capabilities on sites likepetstore.swagger.io
,editor.swagger.io
, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.
An example scenario abusing this functionality could take the following form:
https://example.com/api-docs
hosts a version of SwaggerUI with?url=
query parameter enabled.https://example.com
and the contents of the OpenAPI definition.https://evildomain
.https://example.com/api-docs?url=https://evildomain/fakeapi.yaml
and enters sensitive data via the "Try-it-out" feature.We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is not possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.
Resolution
We've made the decision to disable query parameters (#4872) by default starting with SwaggerUI version
4.1.3
. Please update to this version when it becomes available (ETA: 2021 December). Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites.Workaround
If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:
Future UX work
Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.
Reflected XSS attack
Warning in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.
CVE-2021-46708
The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
Release Notes
swagger-api/swagger-ui
v4.1.3
: Swagger UI v4.1.3 Released!Compare Source
Bug Fixes
v4.1.2
: Swagger UI v4.1.2 Released!Compare Source
Bug Fixes
v4.1.1
: Swagger UI v4.1.1 Released!Compare Source
Bug Fixes
v4.1.0
: Swagger UI v4.1.0 Released!Compare Source
Bug Fixes
Features
v4.0.1
: Swagger UI v4.0.1 Released!Compare Source
Bug Fixes
v4.0.0
: Swagger UI v4.0.0 Released!Compare Source
Breaking changes
Features
Bug Fixes
Other changes
More information in: https://github.com/swagger-api/swagger-ui/issues/7341
Release article: https://swagger.io/blog/news/what-s-new-in-swaggerui-v4-and-swaggereditor-v4/
v3.52.5
: Swagger UI v3.52.5 Released!Compare Source
Bug Fixes
v3.52.4
: Swagger UI v3.52.4 Released!Compare Source
Bug Fixes
<wbr>
(#7516) (f88334a), closes #7513v3.52.3
: Swagger UI v3.52.3 Released!Compare Source
Bug Fixes
v3.52.2
: Swagger UI v3.52.2 Released!Compare Source
Bug Fixes
v3.52.1
: Swagger UI v3.52.1 Released!Compare Source
Bug Fixes
v3.52.0
: Swagger UI v3.52.0 Released!Compare Source
Features
v3.51.2
: Swagger UI v3.51.2 Released!Compare Source
Bug Fixes
v3.51.1
: Swagger UI v3.51.1 Released!Compare Source
Bug Fixes
v3.51.0
: Swagger UI v3.51.0 Released!Compare Source
Features
Bug Fixes
name
(#7123) (3a0f72f)Deprecation Warning
Swagger UI now requires Node.js v12. Node.js v10 has reached its EOL on 30-04-2021. Documentation has been updated in this PR #7359
v3.50.0
: Swagger UI v3.50.0 Released!Compare Source
Features
chain
configuration option (#7236) (516e666)Bug Fixes
Deprecation warning
legacy
, with an opt-in setting forchain
. In a future version, this configuration option will toggle tochain
as default, as it is the intended fixed correct behavior. If your application expects and/or requires thelegacy
option, please update your application accordingly. If your application is agnostic towards the eitherchain
orlegacy
, no change is needed.v3.49.0
: Swagger UI v3.49.0 Released!Compare Source
Features
Bug Fixes
v3.48.0
: Swagger UI v3.48.0 Released!Compare Source
Bug Fixes
Features
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.