openzipkin / zipkin-api

Zipkin's language independent model and HTTP Api Definitions
https://zipkin.io/zipkin-api/
Apache License 2.0

xss at https://zipkin.io/zipkin-api/ #98

Closed Iieitaimus closed 7 months ago

Iieitaimus commented 1 year ago

Describe the Bug

There is an old Swagger-UI running, exposed at https://zipkin.io/zipkin-api/. It's possible to execute JS.

Steps to Reproduce

POC alert box:

  1. Go to: https://zipkin.io/zipkin-api/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
jcchavezs commented 1 year ago

Up to update the swagger UI?

codefromthecrypt commented 7 months ago

gh-pages branch https://github.com/openzipkin/zipkin-api/tree/gh-pages is where the UI is, so help wanted updating it! cc @SamTV12345 if you have time.

Note that I have no guarantee that this will actually solve the XSS, so probably want to read the docs and see if there's a config required also, and if that config already exists for the current version we expose on the website.

SamTV12345 commented 7 months ago

> gh-pages branch https://github.com/openzipkin/zipkin-api/tree/gh-pages is where the UI is, so help wanted updating it! cc @SamTV12345 if you have time.
>
> Note that I have no guarantee that this will actually solve the XSS, so probably want to read the docs and see if there's a config required also, and if that config already exists for the current version we expose on the website.

Could you please point me to how this API is built 😃 ? I found this library named Sway which hasn't received any update in 5 years.

codefromthecrypt commented 7 months ago

sure.. here was my note on the last commit that did anything notable https://github.com/openzipkin/zipkin-api/commit/72928f0bfcbe2d50a3b7d3f9743065407e3ced06 (remember the PR has to be on the gh-pages branch)

so, unzip a release and see if it fixes the XSS.. there may be some drift on changes. Anything not obviously ours it doesn't touch on unzip probably needs to be deleted (things that were from an old version) https://github.com/swagger-api/swagger-ui/releases

codefromthecrypt commented 7 months ago

@SamTV12345 so simply using the new version of swagger didn't remove the XSS. Using "killing this XSS" as a goal, let's look into your custom build (from master). For example, possibly we can just remove the form and hard-code the swagger, as well as source it locally vs via an absolute href.

Wanna go for it?

To actually deploy the whole site to GH pages, edit/rename build-bin/idl_to_gh_pages to build-bin/dist_to_gh_pages and make sure the IDL ends up in the dist ;)
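One way to do what the comment above proposes, as an added example rather than code from the zipkin-api gh-pages branch: the spec location is hard-coded from a short allow-list, so `configUrl`, `url` or any other parameter in the page's query string (the vector in this issue) is never passed to Swagger UI. The spec file names and the `queryConfigEnabled` Swagger UI option are assumptions about the deployed version.

```javascript
// Added example, not the project's own page script.
// Spec names are assumed to match the repo's zipkin2-api.yaml / zipkin-api.yaml.
const ALLOWED_SPECS = {
  zipkin2: "./zipkin2-api.yaml",
  zipkin: "./zipkin-api.yaml",
};
const DEFAULT_SPEC = "zipkin2";

// Only a short allow-listed name is read from the query string. configUrl,
// url, urls and everything else are ignored, so a data: or remote URL in a
// crafted link can never become the spec Swagger UI loads.
function resolveSpecUrl(search) {
  const params = new URLSearchParams(search);
  const name = params.get("spec") || DEFAULT_SPEC;
  return Object.prototype.hasOwnProperty.call(ALLOWED_SPECS, name)
    ? ALLOWED_SPECS[name]
    : ALLOWED_SPECS[DEFAULT_SPEC];
}

// Build the Swagger UI config with the spec sourced locally (relative path),
// not from an absolute href or from the query string.
function buildSwaggerConfig(search) {
  return {
    url: resolveSpecUrl(search),
    dom_id: "#swagger-ui",
    // Swagger UI option (assumed supported by the deployed version) that
    // stops it from reading configUrl/url out of the query string itself.
    queryConfigEnabled: false,
  };
}

// Browser entry point; skipped under Node so the functions can be unit-tested.
if (typeof window !== "undefined" && typeof SwaggerUIBundle !== "undefined") {
  window.ui = SwaggerUIBundle(buildSwaggerConfig(window.location.search));
}
```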

codefromthecrypt commented 7 months ago

note, the current deployed swagger UI is not popping this up https://zipkin.io/zipkin-api/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==