New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filter out url parameter when a non-relative path is provided. Also a… #1687
Filter out url parameter when a non-relative path is provided. Also a… #1687
Conversation
…dds line to copy_swagger_ui.sh to copy the public/swagger-ui directory over to the build/swagger-ui directory for builds.
b91843f
to
8810662
Compare
bin/copy_swagger_ui.sh
Outdated
@@ -6,3 +6,4 @@ | |||
# if it ever changes. | |||
cp node_modules/swagger-ui-dist/{*.js,*.css,*.png} public/swagger-ui | |||
cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui | |||
if [ -f "build/swagger-ui/" ]; then cp -rf public/swagger-ui/* build/swagger-ui/; fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is merely a convenience thing for future editing in local dev.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is doing what you'd hope. The -f
test is for files, and you're testing a directory. Try if [ -d build/swagger-ui/ ]
. This test will always evaluate to false.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I believe files make their way into the build/
directory by way of make client_build
, which in turn runs yarn build
. That copies all the files from public/
into build/
.
While probably harmless, I am concerned that adding this step in here could confuse the expectations around the build process (what puts things into build/
) in the future. I'd probably not add this unless the time savings of not needing to use make client_build
for this purpose is significant.
bin/copy_swagger_ui.sh
Outdated
@@ -6,3 +6,4 @@ | |||
# if it ever changes. | |||
cp node_modules/swagger-ui-dist/{*.js,*.css,*.png} public/swagger-ui | |||
cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui | |||
if [ -f "build/swagger-ui/" ]; then cp -rf public/swagger-ui/* build/swagger-ui/; fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is doing what you'd hope. The -f
test is for files, and you're testing a directory. Try if [ -d build/swagger-ui/ ]
. This test will always evaluate to false.
bin/copy_swagger_ui.sh
Outdated
@@ -6,3 +6,4 @@ | |||
# if it ever changes. | |||
cp node_modules/swagger-ui-dist/{*.js,*.css,*.png} public/swagger-ui | |||
cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui | |||
if [ -f "build/swagger-ui/" ]; then cp -rf public/swagger-ui/* build/swagger-ui/; fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I believe files make their way into the build/
directory by way of make client_build
, which in turn runs yarn build
. That copies all the files from public/
into build/
.
While probably harmless, I am concerned that adding this step in here could confuse the expectations around the build process (what puts things into build/
) in the future. I'd probably not add this unless the time savings of not needing to use make client_build
for this purpose is significant.
public/swagger-ui/api.html
Outdated
var protocolRegex = /(http|https):*/; | ||
var isNonRelativePath = protocolRegex.test(req['url']); | ||
if (isNonRelativePath) { | ||
req['url'] = '/api/v1/swagger.yaml'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of silently redirecting to a known good URL, it might be better to set URL to null
.
Since nobody should be passing in a ?url=...
query string in the first place, the only way someone would get here is if they were either 1) tricked, or 2) specifically trying to use the query string. In either case it's probably better to have it result in an indication that things aren't working.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems reasonable. Using null yields an error state that looks like the attached screenshot.
I'll push this commit up. Does this reflect the sort of 'something is wrong' reaction that you were thinking of? I'm also going to go ahead and remove the convenience line mentioned in the prior comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, that is what I was hoping for!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
…dds line to copy_swagger_ui.sh to copy the public/swagger-ui directory over to the build/swagger-ui directory for builds.
Description
Filter out non-relative paths provided as the url parmeter within Swagger UI. This tool has a behavior will it will try to fetch the parameter for render, so we don't want to be doing this with external resources. There is a non-trivial risk that a malicious actor may take advantage.
Setup
Go here: https://my.move.mil/api/v1/docs?url=[some external link]
See that it is loading external content.
In your local environment you can compare the same by going here while your environment is running:
http://milmovelocal:3000/api/v1/docs?url=[some external link]).
Code Review Verification Steps
Querying the Database Safely
have been satisfied.
bin/run-prod-migrations
References
Screenshots
Bad situation:
Not bad situation: