fix(security): disable reading config params from URL search params (#7697)

Reading configuration parameters from URL search params is by default no longer enabled. To re-enable it, set queryConfigEnabled configuration parameter to true. Functionally, this is a breaking change, but given we're just providing a security vulnerability patch we're considering this a PATCH version bump only. Refs #4872 Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
2021-12-09 17:28:17 +01:00
parent df7749b2fe
commit 01a3e55960
8 changed files with 30 additions and 9 deletions
--- a/docker/configurator/translator.js
+++ b/docker/configurator/translator.js
@@ -43,6 +43,13 @@ const defaultBaseConfig = {
      type: "string",
      base: true
    }
+  },
+  queryConfigEnabled: {
+    value: "false",
+    schema: {
+      type: "boolean",
+      base: true,
+    }
  }
 }

@@ -51,14 +58,14 @@ function objectToKeyValueString(env, { injectBaseConfig = false, schema = config
  const keys = Object.keys(env)

  // Compute an intermediate representation that holds candidate values and schemas.
-  // 
+  //
  // This is useful for deduping between multiple env keys that set the same
  // config variable.

  keys.forEach(key => {
    const varSchema = schema[key]
    const value = env[key]
-    
+
    if(!varSchema) return

    if(varSchema.onFound) {
@@ -88,8 +95,8 @@ function objectToKeyValueString(env, { injectBaseConfig = false, schema = config

  Object.keys(valueStorage).forEach(key => {
    const value = valueStorage[key]
-    
-    const escapedName = /[^a-zA-Z0-9]/.test(key) ? `"${key}"` : key 
+
+    const escapedName = /[^a-zA-Z0-9]/.test(key) ? `"${key}"` : key

    if (value.schema.type === "string") {
      result += `${escapedName}: "${value.value}",\n`
@@ -101,4 +108,4 @@ function objectToKeyValueString(env, { injectBaseConfig = false, schema = config
  return result.trim()
 }

-module.exports = objectToKeyValueString
+module.exports = objectToKeyValueString
--- a/docker/configurator/variables.js
+++ b/docker/configurator/variables.js
@@ -23,6 +23,10 @@ const standardVariables = {
    type: "string",
    name: "urls.primaryName"
  },
+  QUERY_CONFIG_ENABLED: {
+    type: "boolean",
+    name: "queryConfigEnabled"
+  },
  LAYOUT: {
    type: "string",
    name: "layout"