Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: xss vulnerability in embed swagger-ui #10593

Merged
merged 3 commits into from
Dec 1, 2021

Conversation

yihuang
Copy link
Collaborator

@yihuang yihuang commented Nov 23, 2021

Solution:

  • update to recent version: v4.1.0

Description

How to reproduce

Open following URL, click the Authorize button, click the Authorize button in the login window, there'll be an alert that shows a successful XSS attack:

http://localhost:26654/swagger/?url=https://raw.githubusercontent.com/semsem123s/semsem-template/main/xss1.yaml

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

Solution:
- update to recent version: v4.1.0
Copy link
Member

@tac0turtle tac0turtle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

@tac0turtle tac0turtle added the A:automerge Automatically merge PR once all prerequisites pass. label Nov 23, 2021
@amaury1093
Copy link
Contributor

@anilcse or @aleem1314 did you work on Swagger-related stuff? Would you be able to take a look?

@robert-zaremba robert-zaremba self-assigned this Nov 30, 2021
@robert-zaremba robert-zaremba removed the A:automerge Automatically merge PR once all prerequisites pass. label Nov 30, 2021
Copy link
Collaborator

@robert-zaremba robert-zaremba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I removed automerge -> please add changelog before merging

@yihuang
Copy link
Collaborator Author

yihuang commented Dec 1, 2021

LGTM. I removed automerge -> please add changelog before merging

done

@amaury1093 amaury1093 added the A:automerge Automatically merge PR once all prerequisites pass. label Dec 1, 2021
@mergify mergify bot merged commit 2361463 into cosmos:master Dec 1, 2021
@yihuang yihuang deleted the update-swagger-ui branch December 1, 2021 08:30
blewater pushed a commit to e-money/cosmos-sdk that referenced this pull request Dec 8, 2021
Solution:
- update to recent version: v4.1.0

<!--
The default pull request template is for types feat, fix, or refactor.
For other templates, add one of the following parameters to the url:
- template=docs.md
- template=other.md
-->

## Description

### How to reproduce

Open following URL, click the `Authorize` button, click the `Authorize` button in the login window, there'll be an alert that shows a successful XSS attack:
```
http://localhost:26654/swagger/?url=https://raw.githubusercontent.com/semsem123s/semsem-template/main/xss1.yaml
```

<!-- Add a description of the changes that this PR introduces and the files that
are the most critical to review. -->

---

### Author Checklist

*All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.*

I have...

- [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] added `!` to the type prefix if API or client breaking change
- [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting))
- [ ] provided a link to the relevant issue or specification
- [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules)
- [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing)
- [ ] added a changelog entry to `CHANGELOG.md`
- [ ] included comments for [documenting Go code](https://blog.golang.org/godoc)
- [ ] updated the relevant documentation or specification
- [ ] reviewed "Files changed" and left comments if necessary
- [ ] confirmed all CI checks have passed

### Reviewers Checklist

*All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.*

I have...

- [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] confirmed `!` in the type prefix if API or client breaking change
- [ ] confirmed all author checklist items have been addressed 
- [ ] reviewed state machine logic
- [ ] reviewed API design and naming
- [ ] reviewed documentation is accurate
- [ ] reviewed tests and test coverage
- [ ] manually tested (if applicable)
@robert-zaremba
Copy link
Collaborator

I think we should backport it to 0.45 as well...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A:automerge Automatically merge PR once all prerequisites pass. C:CLI
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants