
Update dependency swagger-ui-dist to v4 [SECURITY] - abandoned #560

Status: Open. Wants to merge 1 commit into base: master
Conversation


@renovate renovate bot commented Mar 7, 2022

This PR contains the following updates:

Package: swagger-ui-dist
Change: 3.47.1 -> 4.1.3

GitHub Vulnerability Alerts

GHSA-qrmm-w75w-3wpx

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.

However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

An example scenario abusing this functionality could take the following form:

  • https://example.com/api-docs hosts a version of SwaggerUI with ?url= query parameter enabled.
  • Users will trust the domain https://example.com and the contents of the OpenAPI definition.
  • A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at https://evildomain.
  • Users mistakenly click a phishing URL like https://example.com/api-docs?url=https://evildomain/fakeapi.yaml and enter sensitive data via the "Try-it-out" feature.

We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is not possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.

Resolution

We've made the decision to disable query parameters (#4872) by default starting with SwaggerUI version 4.1.3. Please update to this version when it becomes available (ETA: 2021 December). Users will still be able to re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites.

Workaround

If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:

SwaggerUI({
  //  ...other configuration options,
  plugins: [function UrlParamDisablePlugin() {
    return {
      statePlugins: {
        spec: {
          wrapActions: {
            // Remove the ?url parameter from loading an external OpenAPI definition.
            updateUrl: (oriAction) => (payload) => {
              const url = new URL(window.location.href)
              if (url.searchParams.has('url')) {
                url.searchParams.delete('url')
                window.location.replace(url.toString())
              }
              return oriAction(payload)
            }
          }
        }
      }
    }
  }],
})

Future UX work

Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.

Reflected XSS attack

Warning: in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.

CVE-2021-46708

The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.


Release Notes

swagger-api/swagger-ui

v4.1.3: Swagger UI v4.1.3 Released!

Bug Fixes

Note: to re-enable the functionality of reading config params from URL, set the new queryConfigEnabled core parameter to true. More info in documentation.

v4.1.2: Swagger UI v4.1.2 Released!

Bug Fixes
  • request JumpToPath component always as container (f3d3898)

v4.1.1: Swagger UI v4.1.1 Released!

Bug Fixes

v4.1.0: Swagger UI v4.1.0 Released!

Bug Fixes
Features

v4.0.1: Swagger UI v4.0.1 Released!

Bug Fixes
  • servers: prevent UI crash when changing Server with variables (fb7e98a), closes #7525

v4.0.0: Swagger UI v4.0.0 Released!

Breaking changes
  • use React 17.x and Redux 4.x
Features
  • allow using functional components with hooks (c31cb30)
Bug Fixes
Other changes
  • consolidate production and development dependencies

More information in: https://github.com/swagger-api/swagger-ui/issues/7341
Release article: https://swagger.io/blog/news/what-s-new-in-swaggerui-v4-and-swaggereditor-v4/

v3.52.5: Swagger UI v3.52.5 Released!

Bug Fixes

v3.52.4: Swagger UI v3.52.4 Released!

Bug Fixes

v3.52.3: Swagger UI v3.52.3 Released!

Bug Fixes

v3.52.2: Swagger UI v3.52.2 Released!

Bug Fixes
  • Dockerfile: fix security issue in docker image (3c9061e), closes #7445
  • security: fix security issue in prismjs production dep (#7493) (2a1b710), closes #7492
  • security: fix security issue in url-parse production dep

v3.52.1: Swagger UI v3.52.1 Released!

Bug Fixes

v3.52.0: Swagger UI v3.52.0 Released!

Features
  • js-yaml: update our main YAML parser to v4.1.0 (no esprima anymore in bundle) (3248428), closes #6804

v3.51.2: Swagger UI v3.51.2 Released!

Bug Fixes
  • deps: bump swagger-client to v3.14.1 (#7440) (8daf4e4), closes #7436
  • minimum runtime Node.js version is now >= 12.4

v3.51.1: Swagger UI v3.51.1 Released!

Bug Fixes

v3.51.0: Swagger UI v3.51.0 Released!

Features
Bug Fixes
Deprecation Warning

Swagger UI now requires Node.js v12. Node.js v10 has reached its EOL on 30-04-2021. Documentation has been updated in this PR #7359

v3.50.0: Swagger UI v3.50.0 Released!

Features
Bug Fixes
Deprecation warning
  • wrapComponents: The new configuration option introduced in this version sets the default to legacy, with an opt-in setting for chain. In a future version, this configuration option will toggle to chain as default, as it is the intended fixed correct behavior. If your application expects and/or requires the legacy option, please update your application accordingly. If your application is agnostic towards either chain or legacy, no change is needed.

v3.49.0: Swagger UI v3.49.0 Released!

Features
Bug Fixes

v3.48.0: Swagger UI v3.48.0 Released!

Bug Fixes
Features

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
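As an added example (not code from the advisory, Swagger UI or this PR): the advisory's workaround plugin drops ?url unconditionally. The check below generalizes it to an allowlist of trusted definition origins, resolving relative values against the page as the browser would, so a self-hosted instance can still load its own definition while a link such as ?url=https://evildomain/fakeapi.yaml is neutralised; a second helper runs the same check over request paths to flag the ones that pointed the UI elsewhere. The origin list, function names and sample request paths are assumptions constructed for illustration.

```javascript
// Added example, not code from the advisory, Swagger UI or this PR.
// The origin allowlist, names and sample inputs are constructed.

const TRUSTED_SPEC_ORIGINS = new Set(["https://example.com"]); // constructed

// Classify a SwaggerUI page URL and return the sanitized href to serve or
// redirect to. decision is "absent", "allowed" or "stripped".
function sanitizeSwaggerUrl(href, trustedOrigins = TRUSTED_SPEC_ORIGINS) {
  const page = new URL(href);
  const param = page.searchParams.get("url");
  if (param === null) {
    return { decision: "absent", href: page.href, specOrigin: null };
  }
  let specOrigin = null;
  try {
    // Resolve relative values (e.g. "/openapi.json") against the page itself,
    // exactly as the fetch inside SwaggerUI would.
    specOrigin = new URL(param, page.href).origin;
  } catch (err) {
    specOrigin = null; // unparsable value: treat as untrusted
  }
  // Compare whole origins: "https://example.com.evil.test" or a javascript:
  // value (origin "null") never matches the allowlist.
  if (specOrigin !== null && trustedOrigins.has(specOrigin)) {
    return { decision: "allowed", href: page.href, specOrigin };
  }
  page.searchParams.delete("url"); // other config params survive
  return { decision: "stripped", href: page.href, specOrigin };
}

// Detection side: given request paths taken from an access log (constructed
// here), return the ones that pointed the UI at an untrusted definition.
function findExternalSpecRequests(requestPaths, origin = "https://example.com") {
  return requestPaths
    .map((p) => ({ path: p, result: sanitizeSwaggerUrl(origin + p) }))
    .filter((r) => r.result.decision === "stripped")
    .map((r) => `${r.path} -> ${r.result.specOrigin}`);
}

const SAMPLE_REQUESTS = [ // constructed sample access-log paths
  "/api-docs?url=/openapi.json",
  "/api-docs?url=https://evildomain/fakeapi.yaml",
  "/api-docs",
];

for (const hit of findExternalSpecRequests(SAMPLE_REQUESTS)) {
  console.log("external definition requested:", hit);
}
```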


codeclimate bot commented Mar 7, 2022

Code Climate has analyzed commit 8ac0a19 and detected 0 issues on this pull request.

View more on Code Climate.


renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency swagger-ui-dist to v4 [SECURITY] Update dependency swagger-ui-dist to v4 [SECURITY] - abandoned Feb 24, 2024

renovate bot commented Feb 24, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
