
XSS injection #7472

Closed
outdoteth opened this issue Aug 25, 2021 · 10 comments

outdoteth commented Aug 25, 2021

As per this issue here: #3847

You can do an XSS injection by adding the url parameter:
https://petstore.swagger.io/
https://petstore.swagger.io/?url=https://25.rs/expswagger587112/card.yaml

I've found several other issues reporting the same thing e.g. here: https://github.com/tarantula-team/CSS-injection-in-Swagger-UI

But it says they have been closed. So is this issue fixed or not? If so, how can we get the fix?

char0n (Member) commented Aug 27, 2021

Refs #7433


pkoziol commented Sep 22, 2021

Yeah, it would be nice to be able to disable any parsing of the query string and just use whatever was configured via code. Then I could host Swagger UI publicly.

I see that there is such a suggestion already in #4872

char0n (Member) commented Sep 24, 2021

FYI: as per the suggestion in #4872 we have #7341, a breaking-change release in progress; so maybe it's a good platform to introduce enableQueryConfig

But it says they have been closed. So is this issue fixed or not? If so, how can we get the fix?

For the case of https://github.com/tarantula-team/CSS-injection-in-Swagger-UI - this is fixed in SwaggerUI (style tag is forbidden and sanitized by markdown sanitizer)

https://petstore.swagger.io/?url=https://25.rs/expswagger587112/card.yaml

For this case I don't see any XSS exploit here. Basically we just render markdown code in a safe way and strip everything possibly malicious out (like the form tag)

Generally, what you describe I'd say is a non-issue in the current version of SwaggerUI.


alegmal commented Nov 7, 2021

https://petstore.swagger.io/?url=https://25.rs/expswagger587112/card.yaml
Do you mean that this example specifically is not an issue? Or that the "?url=" param is not an issue?

This is just an example and, as described in #4872, you can pass potentially dangerous code using "?url=". For example, one that mimics the API but sends requests with sensitive information to an attacker-controlled server.

Or am I misunderstanding something?
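The mitigation the thread converges on is to stop trusting query-string configuration such as `?url=`. As an added defender-side example (not Swagger UI project code), the function below scans constructed access-log lines and flags requests that try to point the `url` or `configUrl` parameter at a host outside an allowlist; the allowlist, log lines and host names are constructed for illustration.

```javascript
// Added example; not part of the Swagger UI project.
// Flags requests that try to feed Swagger UI a remote spec or config
// through the query string (the ?url= behaviour discussed in this thread).

// Constructed allowlist: hosts that may legitimately serve specs/configs.
const ALLOWED_SPEC_HOSTS = new Set(["petstore.swagger.io", "api.example.internal"]);

// Query keys that Swagger UI reads when query configuration is enabled.
const RISKY_KEYS = ["url", "configUrl"];

// Returns a list of {key, value, reason} findings for one request target (path + query).
function findSpoofedSpecParams(requestTarget, allowedHosts = ALLOWED_SPEC_HOSTS) {
  const findings = [];
  // The base only lets the URL parser accept a relative request target.
  const parsed = new URL(requestTarget, "http://placeholder.invalid");
  for (const key of RISKY_KEYS) {
    for (const value of parsed.searchParams.getAll(key)) {
      let target;
      try {
        target = new URL(value, "http://placeholder.invalid");
      } catch {
        findings.push({ key, value, reason: "unparseable" });
        continue;
      }
      // A relative value resolves to the placeholder host: same-origin, fine.
      if (target.hostname === "placeholder.invalid") continue;
      if (!allowedHosts.has(target.hostname)) {
        findings.push({ key, value, reason: `external host ${target.hostname}` });
      }
    }
  }
  return findings;
}

// Scans common-log-format lines; returns only the requests that had findings.
function scanAccessLog(lines, allowedHosts = ALLOWED_SPEC_HOSTS) {
  const hits = [];
  for (const line of lines) {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const findings = findSpoofedSpecParams(m[1], allowedHosts);
    if (findings.length) hits.push({ target: m[1], findings });
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [25/Aug/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
  '203.0.113.5 - - [25/Aug/2021:10:00:01 +0000] "GET /?url=https://petstore.swagger.io/v2/swagger.json HTTP/1.1" 200 512',
  '198.51.100.7 - - [25/Aug/2021:10:00:02 +0000] "GET /?url=https://attacker.example/spec.yaml HTTP/1.1" 200 512',
  '198.51.100.7 - - [25/Aug/2021:10:00:03 +0000] "GET /?configUrl=//attacker.example/cfg.json HTTP/1.1" 200 512',
];
```

Protocol-relative values (`//host/...`) are resolved before the host check, so they are not mistaken for same-origin paths.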


dinvlad commented Nov 7, 2021

@alegmal you're onto something that we believe is a real issue. We're about to disclose it responsibly via [email protected]. If possible, let's continue the convo there!

char0n (Member) commented Nov 8, 2021

@alegmal,

Yes I mean this example specifically is not an issue: https://25.rs/expswagger587112/card.yaml

I'll reiterate what I've said in my previous comment:

For this case I don't see any XSS exploit here. Basically we just render markdown code in a safe way and strip everything possibly malicious out (like the form tag)

jluque0101 commented

@dinvlad I'd like to follow up on progress on this. Is there any other place where I could check for updates?
Thanks


dinvlad commented Nov 17, 2021

@jluque0101 we've connected with the Swagger team, but I'm not sure if we're ready to disclose anything yet. Waiting on their response.

runkalicious commented

@jluque0101 Please see the Security Advisory regarding this: GHSA-qrmm-w75w-3wpx

jluque0101 commented

Thanks @runkalicious !
