Merge pull request #1687 from transcom/rk-163599170-swagger-ui-expose…

…d-tspstagingmovemil

Filter out url parameter when a non-relative path is provided. Also a…

bin/copy_swagger_ui.sh

@@ -5,4 +5,4 @@
 # will need to be manually updated based on node_modules/swagger-ui-dist/index.html
 # if it ever changes.
 cp node_modules/swagger-ui-dist/{*.js,*.css,*.png} public/swagger-ui
-cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui
+cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui

public/swagger-ui/api.html

@@ -82,6 +82,15 @@
         console.warn('Unable to retrieve CSRF Token from cookie');
       }
     }
+    // Add check for protocol so that we know if someone tries to throw a non-relative path in the url parameter.
+    // This is here to prevent malicious actors using the parameter to execute arbitrary malicious code on an
+    // unsuspecting user (swagger-ui behavior causes this to happen otherwise).
+    var protocolRegex = /(http|https):*/;
+    var isNonRelativePath = protocolRegex.test(req['url']);
+    if (isNonRelativePath) {
+      req['url'] = null;
+    }
+
     return req;
   };
 

public/swagger-ui/internal.html

@@ -82,6 +82,15 @@
         console.warn('Unable to retrieve CSRF Token from cookie');
       }
     }
+    // Add check for protocol so that we know if someone tries to throw a non-relative path in the url parameter.
+    // This is here to prevent malicious actors using the parameter to execute arbitrary malicious code on an
+    // unsuspecting user (swagger-ui behavior causes this to happen otherwise).
+    var protocolRegex = /(http|https):*/;
+    var isNonRelativePath = protocolRegex.test(req['url']);
+    if (isNonRelativePath) {
+      req['url'] = null;
+    }
+
     return req;
   };