
swagger-ui 3.28.0 has risk #521

Open
CHTTL912 opened this issue Mar 1, 2022 · 11 comments · May be fixed by #578

Comments

CHTTL912 commented Mar 1, 2022

swagger-ui 3.28.0 has a vulnerability, please upgrade version.

reedy commented Jun 5, 2023

A year has passed, and it seems flasgger is still running the same version of swagger-ui.

It has been reasonably well documented (for around a year) that an XSS exists in versions >=3.14.1 < 3.38.0

https://www.npmjs.com/package/swagger-ui/v/3.52.5 has been released.

Any chance of getting the version of swagger-ui upgraded, and a new release tagged?

Thanks!

See also: #574

reedy commented Jun 5, 2023

Ping @billyrrr for visibility.

armarik commented Jun 5, 2023

I'm also interested in this upgrade! Thank you.

reedy commented Jun 5, 2023

Taking https://github.com/flasgger/flasgger#externally-loading-swagger-ui-and-jquery-jscss as an example, it is "easy" enough to upgrade the version of swagger-ui being used by overriding it in config.

from flasgger import Swagger

# Override the bundled swagger-ui 3.28.0 assets with the latest 3.x from unpkg
swagger_config = Swagger.DEFAULT_CONFIG
swagger_config['swagger_ui_bundle_js'] = '//unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js'
swagger_config['swagger_ui_standalone_preset_js'] = '//unpkg.com/swagger-ui-dist@3/swagger-ui-standalone-preset.js'
swagger_config['jquery_js'] = '//unpkg.com/jquery@2.2.4/dist/jquery.min.js'
swagger_config['swagger_ui_css'] = '//unpkg.com/swagger-ui-dist@3/swagger-ui.css'

As of writing, swagger-ui-dist@3 becomes swagger-ui-dist@3.52.5 - https://unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js -> https://unpkg.com/swagger-ui-dist@3.52.5/swagger-ui-bundle.js

But you can also hard code more specific newer versions as appropriate if you wish..

from flasgger import Swagger

# Pin an exact swagger-ui-dist version instead of floating on the 3.x tag
swagger_config = Swagger.DEFAULT_CONFIG
swagger_config['swagger_ui_bundle_js'] = '//unpkg.com/swagger-ui-dist@3.52.5/swagger-ui-bundle.js'
swagger_config['swagger_ui_standalone_preset_js'] = '//unpkg.com/swagger-ui-dist@3.52.5/swagger-ui-standalone-preset.js'
swagger_config['jquery_js'] = '//unpkg.com/jquery@2.2.4/dist/jquery.min.js'
swagger_config['swagger_ui_css'] = '//unpkg.com/swagger-ui-dist@3.52.5/swagger-ui.css'

If for some reason (and there are many), you can't just load JS and CSS resources from a "random" site on the internet, you can just take a copy of the files (from npm or wherever you deem appropriate) and include them with your own files/in your repo, and reference them similarly..

from flasgger import Swagger

# Serve vendored copies of the files from your own app's static directory
swagger_config = Swagger.DEFAULT_CONFIG
swagger_config['swagger_ui_bundle_js'] = '/static/swagger-ui-bundle.js'
swagger_config['swagger_ui_standalone_preset_js'] = '/static/swagger-ui-standalone-preset.js'
swagger_config['jquery_js'] = '/static/jquery.min.js'
swagger_config['swagger_ui_css'] = '/static/swagger-ui.css'

h/t to @kostajh

It does look like upgrading the static files bundled with flasgger should be pretty trivial, so will look at turning this into a PR for review later today.

reedy added a commit to reedy/flasgger that referenced this issue Jun 5, 2023
reedy linked a pull request Jun 5, 2023 that will close this issue

billyrrr (Member) commented Jun 8, 2023

Thank you all for the pull request. I would prefer if you could add a script to upgrade the dependency in the project file. That way, we are able to download trusted files on trusted build platform. This is also for security purposes, since it is difficult for me to verify that the dist files uploaded in the pull request are not tampered with. Hope that you can understand. Thank you!

reedy commented Jun 8, 2023

I mean, I could write a script myself (basically download, extract and copy)... but that's why I filed #576 for doing the node package management properly because in exactly the same way, unless someone has checked them, there's the same "problem" with the existing versions.

Dealer's choice, for the package management?

I can probably have a go, but won't be till tomorrow or maybe at the weekend.

reedy commented Jun 8, 2023

The absolute MVP for verifying what I've done...

cd to your flasgger dir, check out #578, then

cd flasgger/ui3/static
# fetch the published tarball straight from the npm registry
wget https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-3.52.5.tgz
tar -xvf swagger-ui-dist-3.52.5.tgz
# copy only the files flasgger actually serves (plus their .map files)
cp package/favicon-* .
cp package/swagger-ui.css* .
cp package/swagger-ui.js* .
cp package/swagger-ui-standalone-preset.js* .
cp package/swagger-ui-bundle.js* .
# drop the rest of the extracted package and the tarball itself
rm -rf package/
rm swagger-ui-dist-3.52.5.tgz

git status and git diff would be clean.
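An added example (not from this thread or the flasgger project) of the "download, extract and copy" step in Python, with the check billyrrr asks for: the tarball is compared against the npm registry's `dist.integrity` value (an SRI string, `sha512-<base64>`, as `npm pack` prints it) before anything is unpacked, and only the files flasgger serves are written out, so the extra files the Makefile comment warns about never land in the repo. The function names, the `WANTED` list and the constructed sample tarball are assumptions; in practice `tgz` is the bytes fetched from the registry tarball URL and `expected_integrity` comes from the registry metadata for the pinned version.

```python
import base64, hashlib, hmac, io, tarfile
from pathlib import Path

# Files flasgger serves from flasgger/ui3/static; the rest of the npm tarball
# (index.html, README.md, package.json, *.map, es-bundles) is deliberately skipped.
WANTED = {"swagger-ui.css", "swagger-ui.js", "swagger-ui-bundle.js",
          "swagger-ui-standalone-preset.js", "favicon-16x16.png", "favicon-32x32.png"}

def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """SRI string in the form npm prints it: 'sha512-<base64 digest>'."""
    return f"{algorithm}-{base64.b64encode(hashlib.new(algorithm, data).digest()).decode()}"

def verify_integrity(data: bytes, expected: str) -> bool:
    """Check the tarball bytes against the registry's dist.integrity value."""
    algorithm = expected.partition("-")[0]
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algorithm!r}")
    return hmac.compare_digest(sri_digest(data, algorithm), expected)

def extract_wanted(tgz: bytes, dest: Path) -> list:
    """Copy only WANTED regular files from the 'package/' prefix into dest."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            prefix, _, name = member.name.partition("/")
            # Exact-name allow list also rejects '../' tricks and nested paths.
            if prefix == "package" and name in WANTED and member.isfile():
                (dest / name).write_bytes(tar.extractfile(member).read())
                written.append(name)
    return sorted(written)

def update_static(tgz: bytes, expected_integrity: str, dest: Path) -> list:
    """Verify first, then extract; a mismatching tarball is never unpacked."""
    if not verify_integrity(tgz, expected_integrity):
        raise RuntimeError("tarball does not match the registry integrity value")
    dest.mkdir(parents=True, exist_ok=True)
    return extract_wanted(tgz, dest)

def build_sample_tarball(files: dict) -> bytes:
    """Constructed stand-in for swagger-ui-dist-<ver>.tgz (npm 'package/' layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"package/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Run against the real tarball, `update_static` fails closed on a digest mismatch and otherwise leaves `git status` showing only the six allow-listed files changed.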

billyrrr (Member) commented Jun 8, 2023 via email

reedy added a commit to reedy/flasgger that referenced this issue Jun 20, 2023
reedy commented Jun 20, 2023

Script added (designed to be run from repo root) in parent patch, using current committed version... Updated the version in the patch that I've updated the library...

$ ./scripts/loadswaggerui.sh 
--2023-06-20 20:12:05--  https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-3.52.5.tgz
Resolving registry.npmjs.org (registry.npmjs.org)... 2606:4700::6810:1423, 2606:4700::6810:1723, 2606:4700::6810:1023, ...
Connecting to registry.npmjs.org (registry.npmjs.org)|2606:4700::6810:1423|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5155514 (4.9M) [application/octet-stream]
Saving to: ‘swagger-ui-dist-3.52.5.tgz’

swagger-ui-dist-3.52.5.tgz                                                                 100%[========================================================================================================================================================================================================================================>]   4.92M  16.1MB/s    in 0.3s    

2023-06-20 20:12:06 (16.1 MB/s) - ‘swagger-ui-dist-3.52.5.tgz’ saved [5155514/5155514]

package/swagger-ui.css
package/index.html
package/oauth2-redirect.html
package/absolute-path.js
package/index.js
package/swagger-ui-bundle.js
package/swagger-ui-es-bundle-core.js
package/swagger-ui-es-bundle.js
package/swagger-ui-standalone-preset.js
package/swagger-ui.js
package/package.json
package/swagger-ui-bundle.js.map
package/swagger-ui-es-bundle-core.js.map
package/swagger-ui-es-bundle.js.map
package/swagger-ui-standalone-preset.js.map
package/swagger-ui.css.map
package/swagger-ui.js.map
package/README.md
package/favicon-16x16.png
package/favicon-32x32.png
$ git diff
$

reedy commented Jun 20, 2023

Hang on, I've just noticed

https://github.com/flasgger/flasgger/blob/master/Makefile#L37-L38

# Updates swagger_ui_dist files
# Need to manually remove extra files added by this command
upgrade_swagger_ui:
	@tar --strip-components 1 -C flasgger/ui3/static/ -xvf `npm pack swagger-ui-dist@3.28.0` package/

And it mostly works fine..

$ make upgrade_swagger_ui
npm notice 
npm notice 📦  swagger-ui-dist@3.52.5
npm notice === Tarball Contents === 
npm notice 143.8kB swagger-ui.css                     
npm notice 1.5kB   index.html                         
npm notice 2.6kB   oauth2-redirect.html               
npm notice 530B    absolute-path.js                   
npm notice 813B    index.js                           
npm notice 1.1MB   swagger-ui-bundle.js               
npm notice 511.7kB swagger-ui-es-bundle-core.js       
npm notice 1.1MB   swagger-ui-es-bundle.js            
npm notice 337.2kB swagger-ui-standalone-preset.js    
npm notice 511.9kB swagger-ui.js                      
npm notice 527B    package.json                       
npm notice 4.8MB   swagger-ui-bundle.js.map           
npm notice 1.9MB   swagger-ui-es-bundle-core.js.map   
npm notice 4.8MB   swagger-ui-es-bundle.js.map        
npm notice 1.5MB   swagger-ui-standalone-preset.js.map
npm notice 275.2kB swagger-ui.css.map                 
npm notice 1.9MB   swagger-ui.js.map                  
npm notice 860B    README.md                          
npm notice 665B    favicon-16x16.png                  
npm notice 628B    favicon-32x32.png                  
npm notice === Tarball Details === 
npm notice name:          swagger-ui-dist                         
npm notice version:       3.52.5                                  
npm notice filename:      swagger-ui-dist-3.52.5.tgz              
npm notice package size:  5.2 MB                                  
npm notice unpacked size: 18.9 MB                                 
npm notice shasum:        9aa8101a2be751f5145195b9e048bc21b12fac60
npm notice integrity:     sha512-8z18eX8G/jbTX[...]YnktshRr7uIFw==
npm notice total files:   20                                      
npm notice 
package/swagger-ui.css
package/index.html
package/oauth2-redirect.html
package/absolute-path.js
package/index.js
package/swagger-ui-bundle.js
package/swagger-ui-es-bundle-core.js
package/swagger-ui-es-bundle.js
package/swagger-ui-standalone-preset.js
package/swagger-ui.js
package/package.json
package/swagger-ui-bundle.js.map
package/swagger-ui-es-bundle-core.js.map
package/swagger-ui-es-bundle.js.map
package/swagger-ui-standalone-preset.js.map
package/swagger-ui.css.map
package/swagger-ui.js.map
package/README.md
package/favicon-16x16.png
package/favicon-32x32.png
$ git status
On branch swagger-ui-v3.52.5
Your branch and 'origin/swagger-ui-v3.52.5' have diverged,
and have 1 and 2 different commits each, respectively.
  (use "git pull" to merge the remote branch into yours)

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   Makefile

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	flasgger/ui3/static/README.md
	flasgger/ui3/static/absolute-path.js
	flasgger/ui3/static/index.html
	flasgger/ui3/static/index.js
	flasgger/ui3/static/oauth2-redirect.html
	flasgger/ui3/static/package.json
	flasgger/ui3/static/swagger-ui-es-bundle-core.js
	flasgger/ui3/static/swagger-ui-es-bundle-core.js.map
	flasgger/ui3/static/swagger-ui-es-bundle.js
	flasgger/ui3/static/swagger-ui-es-bundle.js.map
	swagger-ui-dist-3.52.5.tgz

no changes added to commit (use "git add" and/or "git commit -a")
$

reedy added a commit to reedy/flasgger that referenced this issue Jun 20, 2023
reedy commented Jun 20, 2023

Updated the Makefile in the amended commit... I think that works for the scripting/"proof"
