flasgger / flasgger

Easy OpenAPI specs and Swagger UI for your Flask API

Home Page: http://flasgger.pythonanywhere.com/


Swagger interface allows the injection of JavaScript code

catalinapopa-uipath opened this issue

Hello,
I've come across this security issue with flasgger.

Swagger interface allows the injection of JavaScript code, which can be injected using the remote Swagger configUrl and url. As a result, someone could execute arbitrary JavaScript code in the context of the domain that hosts the swagger file.

Examples:

I've tried to remove the query parameters and to reset the values for queryConfig in flasgger\ui3\static\swagger-ui-bundle.js.map, but it did not help.

How can I remove completely query parameters from swagger?
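Since the report concerns the UI loading a remote spec or configuration chosen through the query string, here is a defender-side helper, added as an example and not code from flasgger or Swagger UI, that ignores `configUrl` altogether and accepts a `url` value only when it is same-origin, http(s) and under an allow-listed path. The default spec path and the allowed prefixes are placeholders to adjust for your own app.

```javascript
// Added hardening example; not flasgger's or Swagger UI's own code.
// A Swagger UI page that honours ?url= / ?configUrl= can be pointed at a
// remote document by anyone who crafts a link to it. This helper decides the
// one spec URL the page may load: configUrl is never consulted, and `url` is
// accepted only when same-origin, http(s), and under an allow-listed path.
// Anything else falls back to the default spec served by the app.
//
// Assumptions (placeholders, not values from the issue): DEFAULT_SPEC_PATH is
// the spec route your app serves; pageOrigin is the origin of the UI page.

const DEFAULT_SPEC_PATH = "/apispec_1.json"; // placeholder: your spec route

function pickSpecUrl(pageOrigin, requested, allowedPathPrefixes = ["/"]) {
  const base = new URL(pageOrigin);
  const fallback = new URL(DEFAULT_SPEC_PATH, base).href;
  if (typeof requested !== "string" || requested.length === 0) return fallback;

  let candidate;
  try {
    candidate = new URL(requested, base); // relative paths resolve against the page
  } catch (e) {
    return fallback; // unparsable value
  }
  // Rejects cross-origin and protocol-relative ("//other.example/...") URLs,
  // and also javascript:/data: values, whose origin is the string "null".
  if (candidate.origin !== base.origin) return fallback;
  if (candidate.protocol !== "http:" && candidate.protocol !== "https:") return fallback;
  if (!allowedPathPrefixes.some((p) => candidate.pathname.startsWith(p))) return fallback;
  return candidate.href;
}

// Takes the page's query string (window.location.search in a browser) and
// returns the single value to pass as `url` to SwaggerUIBundle({ url: ... }).
function specUrlFromQuery(pageOrigin, search, allowedPathPrefixes = ["/"]) {
  const params = new URLSearchParams(search);
  // `configUrl` would make the UI fetch its entire configuration from a remote
  // host, so it is deliberately ignored; only `url` is validated and used.
  return pickSpecUrl(pageOrigin, params.get("url"), allowedPathPrefixes);
}
```

Newer Swagger UI releases also gate query-string configuration behind the `queryConfigEnabled` option, which is off by default. Note that the browser executes swagger-ui-bundle.js; the .js.map file next to it is a source map, so editing it does not change the UI's behaviour.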