Redocly / redoc

📘 OpenAPI/Swagger-generated API Reference Documentation
https://redocly.github.io/redoc/
MIT License

Possible XSS issue on https://redocly.github.io/redoc/ #2548

Closed romanpryshliak closed 3 months ago

romanpryshliak commented 3 months ago

Describe the bug

https://redocly.github.io/redoc/ renders the <input> tags.

Minimal reproducible OpenAPI snippet (if possible)

openapi: 3.0.3
info:
  title: Sample API
  description: This is a sample API to demonstrate OpenAPI specifications.
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
paths:
  /greet:
    get:
      summary: Greet the user
      description: Returns a greeting message <input>.
      responses:
        '200':
          description: A successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: "Hello, User!"

Screenshots

[screenshot attached to the original issue, not reproduced here]

AlexVarchuk commented 3 months ago

We already use a sanitizer to prevent XSS attacks. I believe it should be safe.

https://github.com/Redocly/redoc/blob/main/src/components/Markdown/SanitizedMdBlock.tsx#L27-L29

import * as DOMPurify from 'dompurify';

...

dangerouslySetInnerHTML={{
  __html: sanitize(options.untrustedSpec, rest.html),
}}

RomanHotsiy commented 3 months ago

@AlexVarchuk I think it's off by default. We need to enable it for our demo.

AlexVarchuk commented 3 months ago

We have untrustedSpec: true inside our demo.

I also made separate tests with this string, and they work the same way. Regarding the dompurify documentation, it cleans attributes and events inside HTML. It seems it considers this case not critical because it works in other cases.

RomanHotsiy commented 3 months ago

Got it. Let's close it then.