
Create GitHub Security Advisory for server side request forgery in SwaggerUI dependency #2560

Closed
pshelton-skype opened this issue Nov 30, 2022 · 6 comments
Labels: stale

Comments

@pshelton-skype

Swashbuckle repackages the swagger-ui-dist npm package and thus inherits a server side request forgery vulnerability outlined in GHSA-qrmm-w75w-3wpx.

This was fixed in Swagger version 4.1.3 and released in Swashbuckle version 6.4 per 401c7cb.

Per discussion in github/advisory-database#900, the ideal security workflow is that the maintainers of the Swashbuckle library should create a separate GitHub Security Advisory in order to alert consumers to the vulnerability and describe any recommended mitigation or upgrade steps.

Per the best practices, I would recommend the advisory contain the following information:


Title: Server side request forgery in Swashbuckle.AspNetCore
Ecosystem: NuGet
Package Name: Swashbuckle.AspNetCore.SwaggerUI
Affected versions: < 6.4
Patched versions: 6.4
Description:

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like editor.swagger.io where users often want to see what their OpenAPI definitions would look like rendered.

However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

Resolution:
Upgrade to Swashbuckle.AspNetCore.SwaggerUI 6.4, which includes a change in the core SwaggerUI library to disable query parameters.

Alternatively, review the provided workaround in GHSA-qrmm-w75w-3wpx to disable the use of the ?url parameter.

@pshelton-skype

@domaindrivendev, can you assist?

@pshelton-skype

@domaindrivendev, please assist in notifying consumers of a security vulnerability.

@Havunen

Havunen commented Feb 24, 2024

Fixed in DotSwashbuckle

@martincostello

I don't have access to create the advisory, only @domaindrivendev can do so.


This issue is stale because it has been open for 60 days with no activity. It will be automatically closed in 14 days if no further updates are made.

@github-actions github-actions bot added the stale Stale issues or pull requests label Jun 15, 2024

github-actions bot commented Jul 2, 2024

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Jul 2, 2024