fix(security): disable reading config params from URL search params (#7697)

Reading configuration parameters from URL search params
is no longer enabled by default. To re-enable it, set the queryConfigEnabled
configuration parameter to true.

Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.

Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
Vladimir Gorej
2021-12-09 17:28:17 +01:00
committed by GitHub
parent df7749b2fe
commit 01a3e55960
8 changed files with 30 additions and 9 deletions


@@ -21,6 +21,7 @@ export default class SwaggerUI extends React.Component {
onComplete: this.onComplete,
docExpansion: this.props.docExpansion,
supportedSubmitMethods: this.props.supportedSubmitMethods,
queryConfigEnabled: this.props.queryConfigEnabled,
defaultModelExpandDepth: this.props.defaultModelExpandDepth,
displayOperationId: this.props.displayOperationId,
tryItOutEnabled: this.props.tryItOutEnabled,
@@ -29,7 +30,7 @@ export default class SwaggerUI extends React.Component {
showMutatedRequest: typeof this.props.showMutatedRequest === "boolean" ? this.props.showMutatedRequest : true,
deepLinking: typeof this.props.deepLinking === "boolean" ? this.props.deepLinking : false,
showExtensions: this.props.showExtensions,
filter: ["boolean", "string"].includes(typeof this.props.filter) ? this.props.filter : false,
filter: ["boolean", "string"].includes(typeof this.props.filter) ? this.props.filter : false,
})
this.system = ui
@@ -99,6 +100,7 @@ SwaggerUI.propTypes = {
supportedSubmitMethods: PropTypes.arrayOf(
PropTypes.oneOf(["get", "put", "post", "delete", "options", "head", "patch", "trace"])
),
queryConfigEnabled: PropTypes.bool,
plugins: PropTypes.arrayOf(PropTypes.object),
displayOperationId: PropTypes.bool,
showMutatedRequest: PropTypes.bool,
@@ -119,6 +121,7 @@ SwaggerUI.propTypes = {
SwaggerUI.defaultProps = {
layout: "BaseLayout",
supportedSubmitMethods: ["get", "put", "post", "delete", "options", "head", "patch", "trace"],
queryConfigEnabled: false,
docExpansion: "list",
defaultModelsExpandDepth: 1,
presets: [],
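Review bot: The new `queryConfigEnabled: this.props.queryConfigEnabled,` line in the first hunk passes the flag through unnormalised, whereas the neighbouring `showMutatedRequest` and `deepLinking` entries in the second hunk coerce with a `typeof … === "boolean"` check and fall back to a fixed value. Since this flag now gates whether configuration may be read from the URL, a non-boolean truthy prop (for example a string produced by a templated attribute) would silently re-enable the behaviour the patch turns off, and `defaultProps` only covers the undefined case. Writing it as `queryConfigEnabled: this.props.queryConfigEnabled === true,` keeps the default-off guarantee for any caller input, assuming the receiving config layer does not normalise the value itself, which is not visible here. The constructor that builds this config object starts outside the hunk.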