strongloop / loopback-component-explorer

Browse and test your LoopBack app's APIs

Fix the vulnerability caused by swagger-ui #254

Closed jannyHou closed 5 years ago

jannyHou commented 5 years ago

Description

See PR https://github.com/strongloop/loopback-component-explorer/pull/253, the vulnerability report requires an upgrade from swagger-ui@2.x to swagger-ui@3.x.

There is a breaking change in swagger-ui@3.x to support OpenAPI 3.0.0. We need to

bajtos commented 5 years ago

Cross-posting https://github.com/strongloop/loopback-component-explorer/pull/250#issuecomment-423933969

Upgrading to swagger-ui@3 is a lot of effort. See https://github.com/strongloop/loopback-component-explorer/pull/209 for the previous attempt made by @STRML .

The following issue is the biggest blocker:

loopback-swagger needs to produce auth metadata - see strongloop/loopback-swagger#65

The pull request also says:

The npm package no longer exports a bundle. I'm not sure if this is intentional. For this reason, I've added a dev-only script to copy from github releases.

I think this is no longer relevant, we are successfully using https://www.npmjs.com/package/swagger-ui-dist in LB4.

nabdelgadir commented 5 years ago

Proposed by @bajtos:

To fix the vulnerability from https://github.com/swagger-api/swagger-ui/issues/3847:

nabdelgadir commented 5 years ago

It seems like the files where the vulnerability exists in swagger-ui@3 don't exist on swagger-ui@2, so there's no way to backport the patch (also the issue's title, XSS Vulnerability with Swagger UI v3, mentions it's for v3). Since the effort to upgrade the dependency was agreed to be too much, should we close the issue? @strongloop/loopback-maintainers

Edit: if there are no objections, I'll close the issue but we can reopen it if needed.

nabdelgadir commented 5 years ago

I was able to reproduce the issue on a LoopBack 3 application using swagger-ui@2, so I'm reopening this issue.

nabdelgadir commented 5 years ago

Closing this issue as no vulnerabilities are reported when creating a new LoopBack 3 app or when doing npm install on this repo where swagger-ui@2.x is a dependency.