fix(security): disable reading config params from URL search params (#7697)

Reading configuration parameters from URL search params
is no longer enabled by default. To re-enable it, set the queryConfigEnabled
configuration parameter to true.

Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.

Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
Vladimir Gorej
2021-12-09 17:28:17 +01:00
committed by GitHub
parent df7749b2fe
commit 01a3e55960
8 changed files with 30 additions and 9 deletions


@@ -56,7 +56,8 @@
} else {
window.completeCount = 1
}
}
},
queryConfigEnabled: true,
})
window.ui = ui
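Review bot: The `queryConfigEnabled: true,` line re-enables the behavior this commit turns off by default, and nothing at the call site says why that is acceptable here; a reader auditing for the advisory fix will have to work out that this is a development/test harness. The same line is added in the second file section (`@@ -65,7 +65,8 @@`). I would add a comment directly above it, e.g. `// Dev/test harness only: query-string config is opt-in since the GHSA-qrmm-w75w-3wpx fix; never set this in a production deployment.`, so the opt-in is not copied into other deployments by example. The enclosing SwaggerUIBundle options object starts before this hunk.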


@@ -65,7 +65,8 @@
} else {
window.completeCount = 1
}
}
},
queryConfigEnabled: true,
})
window.ui = ui


@@ -109,6 +109,7 @@ describe("docker: env translator", function() {
SwaggerUIBundle.plugins.DownloadUrl
],
layout: "StandaloneLayout",
queryConfigEnabled: false,
`))
})
@@ -214,6 +215,7 @@ describe("docker: env translator", function() {
SwaggerUIBundle.plugins.DownloadUrl
],
layout: "StandaloneLayout",
queryConfigEnabled: false,
url: "/swagger.json",
urls: ["/one", "/two"],`
@@ -313,6 +315,7 @@ describe("docker: env translator", function() {
plugins: [
SwaggerUIBundle.plugins.DownloadUrl
],
queryConfigEnabled: false,
configUrl: "/wow",
"dom_id": "#swagger_ui",
spec: { swagger: "2.0" },
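Review bot: The three updated expectations only pin the new default, `queryConfigEnabled: false,`, in the translator's generated output; as far as this section shows, no case verifies that the corresponding environment variable (whatever name the translator maps the option to) actually produces `queryConfigEnabled: true,`, so a mistranslation of the opt-in would go unnoticed. If such a case does not exist elsewhere in the suite, I would add one `it` block that sets that variable and asserts `queryConfigEnabled: true,` appears in the output, and a second that sets it to a non-boolean value and asserts the default is kept. The `describe("docker: env translator", ...)` block and each `it` whose template literal is edited here start before their respective hunks.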