From f9ecb01aa8afb686b3d0fcb04a249632f3af3436 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?=
Date: Fri, 26 Jan 2024 15:57:18 +0100
Subject: [PATCH] fix(docker): disallow embedding SwaggerUI served from docker by default (#9520)
---
 Dockerfile | 6 ++++--
 docker/default.conf.template | 1 +
 docker/docker-entrypoint.d/40-swagger-ui.sh | 10 ++++++++++
 docker/embedding.conf | 5 +++++
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 docker/embedding.conf
diff --git a/Dockerfile b/Dockerfile
index 450e10265f5..c3706056397 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,9 +13,11 @@ ENV API_KEY="**None**" \
 PORT="8080" \
 PORT_IPV6="" \
 BASE_URL="/" \
- SWAGGER_JSON_URL=""
+ SWAGGER_JSON_URL="" \
+ CORS="true" \
+ EMBEDDING="false"
-COPY --chown=nginx:nginx --chmod=0666 ./docker/default.conf.template ./docker/cors.conf /etc/nginx/templates/
+COPY --chown=nginx:nginx --chmod=0666 ./docker/default.conf.template ./docker/cors.conf ./docker/embedding.conf /etc/nginx/templates/
 COPY --chmod=0666 ./dist/* /usr/share/nginx/html/
 COPY --chmod=0555 ./docker/docker-entrypoint.d/ /docker-entrypoint.d/
diff --git a/docker/default.conf.template b/docker/default.conf.template
index 893f7cd0b13..8f29eb3d034 100644
--- a/docker/default.conf.template
+++ b/docker/default.conf.template
@@ -38,5 +38,6 @@
 }
 include templates/cors.conf;
+ include templates/embedding.conf;
 }
 }
diff --git a/docker/docker-entrypoint.d/40-swagger-ui.sh b/docker/docker-entrypoint.d/40-swagger-ui.sh
index d1fae87be3d..487d92d2fcb 100755
--- a/docker/docker-entrypoint.d/40-swagger-ui.sh
+++ b/docker/docker-entrypoint.d/40-swagger-ui.sh
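Review bot: The new `COPY --chown=nginx:nginx --chmod=0666 ... ./docker/embedding.conf /etc/nginx/templates/` line installs the frame-ancestors policy world-writable, so any process in the container, not just the nginx user the file is chowned to, can empty or rewrite it and strip the protection this patch introduces. Since the file is already owned by nginx:nginx, `--chmod=0644` is enough for the entrypoint's `truncate -s 0` whether it runs as root or as nginx (0664 if a group write is genuinely needed); I'd change the mode on this line accordingly. The same mode covers cors.conf and default.conf.template on that line, so the fix applies to all three; the `./dist/*` line below is pre-existing and outside this change.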
@@ -39,4 +39,14 @@ if [[ -n "${PORT_IPV6}" ]]; then
 sed -i "s|${PORT};|${PORT};\n listen [::]:${PORT_IPV6};|g" $NGINX_CONF
 fi
+# enable/disable CORS
+if [ "$CORS" != "true" ]; then
+ truncate -s 0 /etc/nginx/templates/cors.conf
+fi
+
+# allow/disallow embedding the swagger-ui in frames/iframes from different origins
+if [ "$EMBEDDING" != "false" ]; then
+ truncate -s 0 /etc/nginx/templates/embedding.conf
+fi
+
 find $NGINX_ROOT -type f -regex ".*\.\(html\|js\|css\)" -exec sh -c "gzip < {} > {}.gz" \;
diff --git a/docker/embedding.conf b/docker/embedding.conf
new file mode 100644
index 00000000000..e62a64bbb17
--- /dev/null
+++ b/docker/embedding.conf
@@ -0,0 +1,5 @@
+#
+# Prevent displaying inside an iframe
+#
+add_header 'X-Frame-Options' 'DENY' always;
+add_header 'Content-Security-Policy' "frame-ancestors 'none'" always;
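Review bot: The embedding guard `if [ "$EMBEDDING" != "false" ]; then` fails open: only the exact string `false` keeps the X-Frame-Options/CSP headers, so a value such as `False`, `0`, `no` or an empty override silently truncates embedding.conf and removes the clickjacking protection the commit adds. The CORS toggle a few lines up has the opposite, safer polarity (anything but `true` turns CORS off), so the two switches disagree on how an unrecognized value is treated. For a security control I'd make framing an explicit opt-in, `if [ "$EMBEDDING" = "true" ]; then`, and note in the Dockerfile that only `true` enables it. The `fi` at the top of the hunk closes an `if [[ -n "${PORT_IPV6}" ]]` block that starts outside the hunk.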
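Review bot: These two `add_header` directives only reach responses whose `location` defines no `add_header` of its own, because nginx inherits add_header from the enclosing level only when the current level has none; if default.conf.template has a location that sets its own headers (cache headers for the static bundle, for instance), those responses lose both X-Frame-Options and frame-ancestors silently. The include appears to land at server level next to the existing cors.conf include (after a closing `}` in the other hunk), so cors.conf presumably has the same exposure; worth checking with `curl -I` against index.html and the JS bundle, or repeating the include inside each location that carries its own add_header. `always` is the right choice so 4xx/5xx responses are covered too. I'd also note in the header comment why both headers are sent, e.g. `# frame-ancestors supersedes X-Frame-Options where CSP is supported; XFO kept for older browsers`.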