
Create GitHub Security Advisory for server side request forgery in SwaggerUI dependency

Open pshelton-skype opened this issue 2 years ago • 4 comments

Swashbuckle repackages the swagger-ui-dist npm package and thus inherits a server side request forgery vulnerability outlined in https://github.com/advisories/GHSA-qrmm-w75w-3wpx.

This was fixed in Swagger version 4.1.3 and released in Swashbuckle version 6.4 per https://github.com/domaindrivendev/Swashbuckle.AspNetCore/commit/401c7cb81e5efe835ceb8aae23e82057d57c7d29.

Per discussion in https://github.com/github/advisory-database/pull/900, the ideal security workflow is that the maintainers of the Swashbuckle library should create a separate GitHub Security Advisory in order to alert consumers to the vulnerability and describe any recommended mitigation or upgrade steps.

Per the best practices, I would recommend the advisory contain the following information:


Title: Server side request forgery in Swashbuckle.AspNetCore
Ecosystem: Nuget
Package Name: Swashbuckle.AspNetCore.SwaggerUI
Affected versions: < 6.4
Patched versions: 6.4
Description:

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like editor.swagger.io where users often want to see what their OpenAPI definitions would look like rendered.

However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

Resolution: Upgrade to Swashbuckle.AspNetCore.SwaggerUI 6.4, which includes a change in the core SwaggerUI library to disable query parameters.

Alternatively, review the provided workaround in https://github.com/advisories/GHSA-qrmm-w75w-3wpx to disable the use of the ?url parameter.

pshelton-skype avatar Nov 30 '22 19:11 pshelton-skype
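An added example, written here and not code from the issue author, the advisory, or the Swashbuckle project: for a self-hosted SwaggerUI that cannot move to 6.4 yet, an ASP.NET Core middleware that rejects any request under the SwaggerUI prefix carrying a `url` (or `configUrl`) query parameter, so the hosted UI can never be pointed at a remote OpenAPI document. It assumes a minimal-hosting app with SwaggerUI on the default `/swagger` route prefix and a locally generated `/swagger/v1/swagger.json`; it is an application-side guard layered in front of the UI, not the advisory's own workaround text, and the `RejectsRemoteUrl` helper name is this example's own.

```csharp
// Added example (not from the Swashbuckle project or the issue author):
// refuse SwaggerUI requests that try to load a remote definition via the
// query string, as a defence-in-depth guard alongside upgrading to 6.4.
// Assumptions: SwaggerUI is served at the default "swagger" RoutePrefix
// and the project references Swashbuckle.AspNetCore.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

// Registered before UseSwaggerUI so the check runs before the UI is served.
app.Use(async (context, next) =>
{
    if (RejectsRemoteUrl(context.Request))
    {
        app.Logger.LogWarning(
            "Rejected SwaggerUI request with a remote-definition query parameter from {RemoteIp}",
            context.Connection.RemoteIpAddress);
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        await context.Response.WriteAsync(
            "Remote OpenAPI definitions are not supported on this SwaggerUI instance.");
        return;
    }
    await next(context);
});

app.UseSwagger();
app.UseSwaggerUI(options =>
{
    // Only the locally generated document is offered; nothing remote.
    options.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
    options.RoutePrefix = "swagger";
});

app.MapGet("/hello", () => "hello");
app.Run();

// Pure policy helper (hypothetical name) so it can be unit-tested with a
// DefaultHttpContext. Query key lookup is case-insensitive in ASP.NET Core.
static bool RejectsRemoteUrl(HttpRequest request)
{
    var underSwaggerUi = request.Path.StartsWithSegments("/swagger");
    // "url" is the parameter named in the advisory; "configUrl" is the
    // swagger-ui option that fetches a remote configuration document.
    var asksForRemote = request.Query.ContainsKey("url")
                        || request.Query.ContainsKey("configUrl");
    return underSwaggerUi && asksForRemote;
}
```

With this in place a request such as `GET /swagger/index.html?url=https://example.invalid/openapi.json` is answered with 400 and a warning is logged, while `GET /swagger/index.html` continues to serve the locally generated document; the log line gives operations a signal that someone is probing the hosted UI for the vector the advisory describes.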

@domaindrivendev, can you assist?

pshelton-skype avatar Dec 07 '22 17:12 pshelton-skype

@domaindrivendev, please assist in notifying consumers of a security vulnerability.

pshelton-skype avatar Dec 12 '22 19:12 pshelton-skype

Fixed in DotSwashbuckle

Havunen avatar Feb 24 '24 08:02 Havunen

I don't have access to create the advisory, only @domaindrivendev can do so.

martincostello avatar Apr 14 '24 11:04 martincostello

This issue is stale because it has been open for 60 days with no activity. It will be automatically closed in 14 days if no further updates are made.

github-actions[bot] avatar Jun 15 '24 01:06 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Jul 02 '24 01:07 github-actions[bot]