kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): disable reading config params from URL search params (#7697)

Browse Source 
Reading configuration parameters from URL search params 
is by default no longer enabled. To re-enable it, set queryConfigEnabled
configuration parameter to true.

Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.

Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
This commit is contained in:
Vladimir Gorej
2021-12-09 17:28:17 +01:00
committed by GitHub
parent df7749b2fe
commit 01a3e55960
8 changed files with 30 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/core/index.js
View File

@@ -77,6 +77,7 @@ export default function SwaggerUI(opts) {
"patch",
"trace"
],
queryConfigEnabled: false,
// Initial set of plugins ( TODO rename this, or refactor - we don't need presets _and_ plugins. Its just there for performance.
// Instead, we can compile the first plugin ( it can be a collection of plugins ), then batch the rest.
@@ -108,7 +109,7 @@ export default function SwaggerUI(opts) {
}
}
let queryConfig = parseSearch()
let queryConfig = opts.queryConfigEnabled ? parseSearch() : {}
const domNode = opts.domNode
delete opts.domNode