[
https://issues.apache.org/jira/browse/CXF-9075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895062#comment-17895062
]
Andriy Redko commented on CXF-9075:
-----------------------------------
OpenApiFeature has a configLocation property [1], but besides that CXF
does not do any SwaggerUI hardening (except the URL of the spec).
[1] https://cxf.apache.org/docs/openapifeature.html
> html injection in swagger-ui
> ----------------------------
>
> Key: CXF-9075
> URL: https://issues.apache.org/jira/browse/CXF-9075
> Project: CXF
> Issue Type: Bug
> Affects Versions: 4.0.5
> Reporter: Dmitry
> Priority: Major
> Attachments: image-2024-11-03-00-46-59-847.png,
> image-2024-11-03-00-47-41-433.png, image-2024-11-03-00-48-18-602.png
>
>
> Good afternoon!
> I use cxf-rt-rs-service-description-openapi-v3 4.0.5
> Today I checked for this vulnerability and it works :(
> [https://www.youtube.com/watch?v=zWjOK5FxfEY]
> Steps to reproduce:
> 1) Get url of swagger ui:
> [http://127.0.0.1:18081/api-docs?url=/openapi.json]
> 2) Write some address with html injection there:
> http://127.0.0.1:18081/api-docs?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json#/
> Result:
> !image-2024-11-03-00-48-18-602.png!
> Do you know how to prohibit setting a random url after "configUrl" and "config",
> like here:
> [https://openapi.wb.ru/content/swagger/api/ru/#/]
> Should I do something with the OpenApiFeature settings? Or change something in
> the webjars.swagger-ui dependency?
> Thanks!
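As an added example that is not part of this thread nor of CXF itself: one way to stop the query-string overrides described above is a pre-matching JAX-RS filter that rejects `configUrl` and `config` outright and only accepts the server's own spec location in `url`. The UI path (`api-docs`), the permitted spec path (`/openapi.json`) and the Jakarta (`jakarta.ws.rs`) namespace are assumptions taken from the report and from CXF 4.x.

```java
import java.io.IOException;
import java.util.List;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

// Added example (not CXF code). Runs before resource matching so it also
// covers the Swagger UI page that CXF serves outside normal resource classes.
@Provider
@PreMatching
public class SwaggerUiQueryFilter implements ContainerRequestFilter {

    // Assumed location of the Swagger UI page, as in the report above.
    private static final String UI_PATH = "api-docs";

    // Assumed permitted spec location; any other "url" value is rejected.
    private static final String ALLOWED_SPEC = "/openapi.json";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String path = ctx.getUriInfo().getPath();
        if (!path.equals(UI_PATH) && !path.endsWith("/" + UI_PATH)) {
            return; // not the UI page, nothing to check
        }
        MultivaluedMap<String, String> q = ctx.getUriInfo().getQueryParameters();

        // "configUrl" / "config" let a caller load an arbitrary UI configuration:
        // never accept them from the query string.
        if (q.containsKey("configUrl") || q.containsKey("config")) {
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("Swagger UI configuration overrides are not accepted")
                    .build());
            return;
        }
        // "url" may only point at this server's own spec document.
        List<String> urls = q.get("url");
        if (urls != null) {
            for (String u : urls) {
                if (!ALLOWED_SPEC.equals(u)) {
                    ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                            .entity("Unexpected spec url").build());
                    return;
                }
            }
        }
    }
}
```

Register the class as a provider on the JAX-RS endpoint; if the application uses the older `javax.ws.rs` namespace, the imports change but the logic does not.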