transcom · Ryan-Koch · Feb 4, 2019 · Jan 31, 2019 · Jan 31, 2019 · Jan 31, 2019
diff --git a/bin/copy_swagger_ui.sh b/bin/copy_swagger_ui.sh
@@ -5,4 +5,4 @@
 # will need to be manually updated based on node_modules/swagger-ui-dist/index.html
 # if it ever changes.
 cp node_modules/swagger-ui-dist/{*.js,*.css,*.png} public/swagger-ui
-cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui
+cp node_modules/js-cookie/src/js.cookie.js public/swagger-ui
diff --git a/public/swagger-ui/api.html b/public/swagger-ui/api.html
@@ -82,6 +82,15 @@
         console.warn('Unable to retrieve CSRF Token from cookie');
       }
     }
+    // Add check for protocol so that we know if someone tries to throw a non-relative path in the url parameter.
+    // This is here to prevent malicious actors using the parameter to execute arbitrary malicious code on an
+    // unsuspecting user (swagger-ui behavior causes this to happen otherwise).
+    var protocolRegex = /(http|https):*/;
+    var isNonRelativePath = protocolRegex.test(req['url']);
+    if (isNonRelativePath) {
+      req['url'] = null;
+    }
+
     return req;
   };
 

diff --git a/public/swagger-ui/internal.html b/public/swagger-ui/internal.html
@@ -82,6 +82,15 @@
         console.warn('Unable to retrieve CSRF Token from cookie');
       }
     }
+    // Add check for protocol so that we know if someone tries to throw a non-relative path in the url parameter.
+    // This is here to prevent malicious actors using the parameter to execute arbitrary malicious code on an
+    // unsuspecting user (swagger-ui behavior causes this to happen otherwise).
+    var protocolRegex = /(http|https):*/;
+    var isNonRelativePath = protocolRegex.test(req['url']);
+    if (isNonRelativePath) {
+      req['url'] = null;
+    }
+
     return req;
   };