Swagger editor v3 description key has a XSS vulnerability

[webron]

From @amrtgaber on June 1, 2017 0:15

Swagger-ui version

3.x

Vulnerability details

The description field is not guarded against arbitrary javascript execution. Any YAML file can trigger the vulnerability, whether it's imported from url or copied and pasted directly in the editor. Here is an example YAML file that does so:

swagger: '2.0'
info:
  version: "0.0.1"
  title: Example Title
  description: <img src=x onerror="alert('all your base are belong to us')">
paths:
  /:
    get:
      responses:
        200:
          description: Successful response

Security risk

This opens a vector for general cross-site scripting attacks that easily expose sensitive information which can be remotely shared with the attacker (among several other types of risks).

Notes

I tested this vulnerability on http://editor.swagger.io/# by copying and pasting the above YAML file and saw the alert pop up. I hope this helps, let me know if I made a mistake. Also, seems Swagger editor version 2 had to contend with a similar issue: #908.

Copied from original issue: swagger-api/swagger-editor#1348

[webron]

From @attritionorg on June 1, 2017 2:45

Looks like http://seclists.org/bugtraq/2016/May/15 on first glance, which was apparently fixed in the past.

[webron]

Thanks for reporting. This is an issue with swagger-ui. Moving there for further treatment.

[amrtgaber]

@webron Thank you for putting this in the proper place.

[shockey]

We're sanitizing our Markdown now - this should be fixed. Thanks for raising the issue @amrtgaber!

[attritionorg]

@webron, can you confirm if this is the same issue I linked or different?

[amrtgaber]

@shockey Hey I might be testing this incorrectly but I still see the issue.

I just cloned the Swagger Editor master branch and did an npm install. It installed swagger-ui version 3.0.12 which I believe has this fix merged. Then I used the running locally instructions to get the editor loaded in the browser. To test, I pasted the sample YAML file from above. I still got the alert which makes me concerned that the vulnerability still exists. Is there something I'm missing? Sorry for any inconvenience.

[shockey]

@amrtgaber, thanks for checking. Swagger-UI 3.0.12 does not have the fix, it was released last Friday 😄

I'll be doing releases of all the projects this evening, which will contain the fix (presumably, this version will be 3.0.13).

If you want to confirm the fix before the release, you can use npm to install the latest master branch as a module: just change your swagger-ui dependency to "swagger-ui": "github:swagger-api/swagger-ui#master" and run npm install again.

It looks fixed from my end, but I'd really appreciate it if you'd double-check it.

[amrtgaber]

Sorry for jumping the gun too early on testing it!

I made the package.json change to update the swagger-ui dependency and ran npm install again then npm start. I cleared my cache and cookies then pasted the YAML file in. Unfortunately, I still see the alert. 🙁

Here's the relevant line from npm install:
swagger-ui@3.0.13 (git://github.com/swagger-api/swagger-ui.git#ea660553294c7288ebdf5aa9e29103927d870a20)

Let me know if I'm just doing this all wrong or if there's anything I can do to help.

[webron]

@amrtgaber huh, I was just about to ping you. Thanks for retesting. We'll see what @shockey has to say ;)

@attritionorg I cannot confirm if it's the same issue or not. This is a completely different code base than the referenced vesion.

[shockey]

@amrtgaber, looks like I may need to update the "running locally" docs, since they appear to have misled you. my apologies!

npm start serves the dist folder on an HTTP server. if you want to rebuild the dist folder, you'll need to run npm run build and then run npm start again.

alternatively, you can run npm run dev to get a hot-reloading dev server that does not require manual rebuilds.

i added a task for myself to rewrite that part of the readme, as it clearly sent you down the wrong path!

---

as for the XSS vulnerability - we deployed petstore.swagger.io this afternoon, and it appears to be fixed. i put your proof of concept into a gist here: https://gist.github.com/shockey/c67fe0a0fdd213af132360bc5b3a0b07, you can grab the raw url and load it into swagger-ui to confirm. make sure to force-refresh.

please request a reopen if you still see it happening after all that, and thank you for diligence in making sure this is fixed!

[amrtgaber]

@shockey No worries I should've scrutinized the build process more, that makes perfect sense!

I did npm run build and restarted my local server and BAM! no alert! 🎉

Thanks! You did an excellent job and thank you for walking me through the testing. Sorry I kept missing the mark, I wasn't trying to make your job any harder. 😄

Great work and excellent response time!

[webron]

Thanks for bringing up the issue, @amrtgaber. We look forward to future contributions.