Headline
CVE-2018-25031: add an `enableQueryConfig` option · Issue #4872 · swagger-api/swagger-ui
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Content & configuration
Swagger-UI configuration options:
SwaggerUI({
  enableQueryConfig: false // new
})
Is your feature request related to a problem?
We’ve observed that the ?url= parameter in SwaggerUI allows an attacker to override an otherwise hard-coded schema file. This opens the door to issues such as #3847 and #4789 which would otherwise be prevented by hard-coding the schema file URL.
The behavior appears to be a regression in the 3.x releases. It can easily be reproduced by passing in a URL to the SwaggerUIBundle constructor and then using the ?url parameter to override it, while observing the behavior in the Net panel of your browser’s developer tools. Note that CORS rules can prevent a test from succeeding, but do not prevent a real attack.
const ui = SwaggerUIBundle({
  ...
  url: 'some-hard-coded-path.yml'
});
Additionally, the URL parameter is dangerous in general because it allows an attacker to provide a similar schema file that instead sends authorization requests to a server under an attacker’s control, which makes it much easier to trick a user into leaking their login credentials. So the URL parameter should not be allowed in any setting where authentication or other sensitive information is used. I’d recommend disabling it by default and cautioning users against enabling it.
Describe the solution you’d like
for 3.x: Add an enableQueryParam or similar option. If omitted, default to false if a URL is passed into the constructor, otherwise default to true.
for 4.x: Change the default when omitted to false.
Describe alternatives you’ve considered
Our workaround was to detect the URL parameter before initializing SwaggerUI and fail early if it was set.
Additional context
This is taken from a security report given to the Swagger team by Ken Winters, based on investigation done by Gaurav Shet and Ben Zulanch - all over at NetApp.
The decision was made to put this in the public issue tracker because (a) we aren’t going to immediately fix this, and (b) the attack surface for this is significantly diminished by our effective sanitization efforts to deter XSS attacks in documents used as input.
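The fail-early workaround and the hardened constructor call described in this issue, as an added JavaScript example (not the issue author's or swagger-ui's own code). The shipped option name `queryConfigEnabled` and the override parameter names other than `url` are assumptions.

```javascript
// Added example: refuse to start Swagger UI when the page was opened with a
// query parameter that could replace the hard-coded OpenAPI definition, and
// pass a config that disables query-string overrides regardless.

// Query parameters treated as configuration overrides. 'url' is the one the
// report is about; 'urls' and 'configUrl' are assumed additional override names.
const OVERRIDE_PARAMS = ['url', 'urls', 'configUrl'];

// Return the override parameters present in a query string such as
// window.location.search (a leading '?' is accepted and ignored).
function findQueryOverrides(search) {
  const params = new URLSearchParams(search);
  return OVERRIDE_PARAMS.filter((name) => params.has(name));
}

// Build the SwaggerUIBundle config. Throws if an override parameter is
// present, so the hard-coded definition URL can never be swapped for a
// remote one. `queryConfigEnabled` (assumed name) is forced off as well.
function buildConfig(search, hardCodedUrl) {
  const overrides = findQueryOverrides(search);
  if (overrides.length > 0) {
    throw new Error(
      `refusing to start Swagger UI: query override(s) present: ${overrides.join(', ')}`
    );
  }
  return {
    url: hardCodedUrl,
    queryConfigEnabled: false, // ignore ?url= even if the guard above is bypassed
    dom_id: '#swagger-ui',
  };
}

// Page entry point; guarded so the module also loads outside a browser.
if (typeof window !== 'undefined' && typeof SwaggerUIBundle !== 'undefined') {
  window.ui = SwaggerUIBundle(buildConfig(window.location.search, '/openapi.yml'));
}
```

The thrown error is deliberate: a blank page with a console error is safer than rendering a definition chosen by whoever crafted the link.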