swagger-ui 3.28.0 has risk #521
Comments
A year has passed, and it seems flasgger is still running the same version of swagger-ui. It has been reasonably well documented (for around a year) that an XSS exists in versions https://www.npmjs.com/package/swagger-ui/v/3.52.5 has been released. Any chance of getting the version of swagger-ui upgraded, and a new release tagged? Thanks! See also: #574

Ping @billyrrr for visibility.

I'm also interested in this upgrade! Thank you.
Taking https://github.com/flasgger/flasgger#externally-loading-swagger-ui-and-jquery-jscss as an example, it is "easy" enough to upgrade the version of swagger-ui being used by overriding it in config.
As of writing, But you can also hard code more specific newer versions as appropriate if you wish.
If for some reason (and there are many) you can't just load JS and CSS resources from a "random" site on the internet, you can just take a copy of the files (from npm or wherever you deem appropriate) and include them with your own files/in your repo, and reference them similarly.
h/t to @kostajh It does look like upgrading the static files bundled with flasgger should be pretty trivial, so will look at turning this into a PR for review later today.
Thank you all for the pull request. I would prefer if you could add a script to upgrade the dependency in the project file. That way, we are able to download trusted files on a trusted build platform. This is also for security purposes, since it is difficult for me to verify that the dist files uploaded in the pull request are not tampered with. Hope that you can understand. Thank you!
I mean, I could write a script myself (basically download, extract and copy)... but that's why I filed #576 for doing the node package management properly because in exactly the same way, unless someone has checked them, there's the same "problem" with the existing versions. Dealer's choice, for the package management? I can probably have a go, but won't be till tomorrow or maybe at the weekend.

The absolute MVP for verifying what I've done... cd to your flasgger dir. checkout #578, then
Great, let’s start with the script. A pull request for using package management is also welcomed. Thank you! On Jun 7, 2023, at 11:06 PM, Sam Reed ***@***.***> wrote:
The absolute MVP for verifying what I've done...
cd to your flasgger dir. checkout #578, then

    cd flasgger/ui3/static
    wget https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-3.52.5.tgz
    tar -xvf swagger-ui-dist-3.52.5.tgz
    cp package/favicon-* .
    cp package/swagger-ui.css* .
    cp package/swagger-ui.js* .
    cp package/swagger-ui-standalone-preset.js* .
    cp package/swagger-ui-bundle.js* .
    # clean up the extracted package dir and the tarball in the current dir
    # (the message as quoted read "/swagger-ui-dist-3.52.5.tgz", which points at the filesystem root)
    rm -rf package/ ./swagger-ui-dist-3.52.5.tgz

git status and git diff would be clean.
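The maintainer's request above for a script that fetches the files on a trusted build platform, and the wget/cp recipe quoted in this reply, as an added example that is not flasgger's own code and not part of the thread: a Python script that downloads the tarball from the npm registry, checks it against an SRI hash pinned in the repo rather than trusting only the registry's own dist.integrity, and copies the same five file groups as the recipe while refusing tarball members that could escape the static directory. The registry JSON layout, the command line, and the file name upgrade_swagger_ui.py are assumptions; the real sha512 for 3.52.5 is not given here and must be recorded by the maintainer from a trusted machine.

```python
"""Fetch a pinned swagger-ui-dist release, verify it against a hash recorded in
the repo, and copy the same files the manual recipe copies into the static dir.

Added example, not flasgger's own script. Assumed: the npm registry JSON layout
(registry.npmjs.org/<pkg>/<version> -> {"dist": {"tarball", "integrity"}}) and
the CLI of main(); the real pin for 3.52.5 is not known here (see sri_of()).
"""
import base64
import hashlib
import hmac
import io
import json
import os
import re
import sys
import tarfile
import tempfile
import urllib.request

PACKAGE = "swagger-ui-dist"
# Same groups of files the wget/cp recipe above copies out of package/.
WANTED_PREFIXES = ("favicon-", "swagger-ui.css", "swagger-ui.js",
                   "swagger-ui-standalone-preset.js", "swagger-ui-bundle.js")

def parse_sri(integrity):
    """Split an SRI string such as 'sha512-<base64>' into (algo, raw digest)."""
    m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)", integrity)
    if not m:
        raise ValueError("malformed integrity string: %r" % integrity)
    return m.group(1), base64.b64decode(m.group(2))

def sri_of(data, algo="sha512"):
    """SRI string of a byte string (what you pin after checking a download)."""
    return "%s-%s" % (algo, base64.b64encode(hashlib.new(algo, data).digest()).decode())

def verify_sri(data, expected):
    """True iff data hashes to the pinned value; constant-time comparison."""
    algo, digest = parse_sri(expected)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), digest)

def extract_dist(tar_bytes, dest):
    """Copy wanted regular files found directly under package/ into dest.

    Names are normalised and the directory part must be exactly 'package', so
    '../' or absolute members cannot escape dest; symlinks/dirs are skipped."""
    copied = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            head, base = os.path.split(os.path.normpath(member.name))
            if head != "package" or not base.startswith(WANTED_PREFIXES):
                continue
            with tar.extractfile(member) as src, \
                    open(os.path.join(dest, base), "wb") as dst:
                dst.write(src.read())
            copied.append(base)
    return sorted(copied)

def make_tarball(members):
    """Build an in-memory .tgz from (name, bytes) pairs; constructed data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Offline walk-through on a constructed tarball; returns the observations."""
    tgz = make_tarball([("package/swagger-ui-bundle.js", b"// constructed bundle"),
                        ("package/favicon-32x32.png", b"constructed png"),
                        ("package/README.md", b"not wanted"),
                        ("package/../../evil.js", b"path traversal attempt")])
    pin = sri_of(tgz)
    flipped = tgz[:-1] + bytes([tgz[-1] ^ 1])  # one-bit tamper of the download
    with tempfile.TemporaryDirectory() as dest:
        copied = extract_dist(tgz, dest)
        escaped = os.path.exists(os.path.join(dest, os.pardir, "evil.js"))
    return {"pin": pin, "intact": verify_sri(tgz, pin), "copied": copied,
            "tampered": verify_sri(flipped, pin), "escaped": escaped}

def main(argv):
    if len(argv) != 4:
        sys.exit("usage: %s <version> <pinned-sri> <static-dir>" % argv[0])
    version, pin, dest = argv[1:]
    meta_url = "https://registry.npmjs.org/%s/%s" % (PACKAGE, version)
    with urllib.request.urlopen(meta_url, timeout=60) as r:
        meta = json.load(r)
    with urllib.request.urlopen(meta["dist"]["tarball"], timeout=60) as r:
        tgz = r.read()
    # dist.integrity from the registry only shows the bytes arrived intact; the
    # hash pinned in the repo is what detects a swapped upstream artifact.
    if not verify_sri(tgz, pin):
        sys.exit("integrity mismatch: pinned %s, registry %s, got %s"
                 % (pin, meta["dist"].get("integrity"), sri_of(tgz)))
    print("copied:", ", ".join(extract_dist(tgz, dest)))

if __name__ == "__main__":
    print(demo()) if len(sys.argv) == 1 else main(sys.argv)
```

Assumed usage: `python upgrade_swagger_ui.py 3.52.5 sha512-... flasgger/ui3/static`, with the pin obtained once on a trusted host (`npm view swagger-ui-dist@3.52.5 dist.integrity`, or `sri_of()` over a download you have inspected) and committed next to the script. Run against the already-committed static files, a clean `git status` is then the same proof the thread asks for, and a later bump shows up as a one-line change to the version and the pin.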
Script added (designed to be run from repo root) in parent patch, using current committed version... Updated the version in the patch that I've updated the library...
Hang on, I've just noticed https://github.com/flasgger/flasgger/blob/master/Makefile#L37-L38
And it mostly works fine.
Updated the Makefile in the amended commit... I think that works for the scripting/"proof"
swagger-ui 3.28.0 has a vulnerability, please upgrade version.