[Closed] jlyon closed this issue 7 years ago
Swagger UI has been removed locally, but more development testing needs to be done before we push this change to production.
@jlyon Although understandable as a risk, swagger-ui is a fantastic enabling resource for the consumers of your API. The latest security update leverages a sanitation engine built for the job, and the team has adapted to fixing security defects quickly. 👍
https://github.com/swagger-api/swagger-ui/releases/tag/v2.2.3
Thanks for your input @sdavis-r7. We decided to keep swagger-ui and swagger-tools. We have upgraded swagger-ui to 2.2.5.
From an email from Jeffrey Carr, Aug 5:
1) Outdated Swagger UI instance running on plugin.govready.com allows for Cross Site Scripting (XSS) execution. GovReady is using an older version of Swagger, which allows an attacker to take advantage of the Swagger API Docs frontend, and is able to execute commands on a victim's browser.
In certain browsers you may have to place the http://api.ma.la/tmp/cors/swi/ URL into the "URL" textbox and press explore to see the XSS come up.
2) The Swagger UI also makes the site susceptible to a command execution vulnerability as stated below:
https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641
Recommendation: Remove Swagger UI from API.