fix(security): disable reading config params from URL search params (#7697)

Reading configuration parameters from URL search params is by default no longer enabled. To re-enable it, set queryConfigEnabled configuration parameter to true. Functionally, this is a breaking change, but given we're just providing a security vulnerability patch we're considering this a PATCH version bump only. Refs #4872 Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
2021-12-09 17:28:17 +01:00
parent df7749b2fe
commit 01a3e55960
8 changed files with 30 additions and 9 deletions
--- a/test/unit/docker/translator.js
+++ b/test/unit/docker/translator.js
@@ -109,6 +109,7 @@ describe("docker: env translator", function() {
      SwaggerUIBundle.plugins.DownloadUrl
    ],
    layout: "StandaloneLayout",
+    queryConfigEnabled: false,
    `))
    })

@@ -214,6 +215,7 @@ describe("docker: env translator", function() {
        SwaggerUIBundle.plugins.DownloadUrl
      ],
      layout: "StandaloneLayout",
+      queryConfigEnabled: false,
      url: "/swagger.json",
      urls: ["/one", "/two"],`

@@ -313,6 +315,7 @@ describe("docker: env translator", function() {
      plugins: [
        SwaggerUIBundle.plugins.DownloadUrl
      ],
+      queryConfigEnabled: false,
      configUrl: "/wow",
      "dom_id": "#swagger_ui",
      spec: { swagger: "2.0" },