
Make direct URLs with urls.primaryName query param possible without QUERY_CONFIG_ENABLED

Open gueuselambix opened this issue 2 years ago • 3 comments

Because of https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx you have disabled QUERY_CONFIG_ENABLED by default, but this breaks direct links to specs when working with urls.

The topbar itself adds "?urls.primaryName=" to the address bar, but when you refresh the page you end up on the first spec.

Users are now forced to enable QUERY_CONFIG_ENABLED (which has security implications), just to allow those direct URLs.

So I think you either don't add that queryParam to the address bar (because it sets the wrong expectation), or you explicitly allow that urls.primaryName without having to set QUERY_CONFIG_ENABLED to true.

gueuselambix avatar May 20 '22 09:05 gueuselambix

Just stumbled over this problem myself and don't want to introduce security issues by enabling QUERY_CONFIG_ENABLED. Swagger UI should be able to distinguish between a url and a valid primaryName. Hope this can be fixed soon.

itb-devs-de avatar May 23 '22 10:05 itb-devs-de
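The approach the issue and the previous comment ask for, shown as an added example that is not code from Swagger UI or from any of the commenters: read only `urls.primaryName` from the query string, accept it only when it exactly matches a name in the page's own `urls` list, and otherwise fall back to the first spec, so direct links keep working while `queryConfigEnabled` stays false. The spec list, the `#swagger-ui` mount point and the page wiring at the bottom are constructed assumptions; `SwaggerUIBundle`, `urls`, `urls.primaryName` and `queryConfigEnabled` are the standard Swagger UI option names.

```javascript
// Added example: allow-list `urls.primaryName` against the configured spec list
// instead of enabling QUERY_CONFIG_ENABLED, which would let any query parameter
// (for example `url=`) override the whole UI configuration.

// Constructed sample spec list, in the shape Swagger UI's `urls` option takes.
const SPEC_URLS = [
  { name: "Petstore v1", url: "/specs/petstore-v1.json" },
  { name: "Petstore v2", url: "/specs/petstore-v2.json" },
];

// Returns the configured entry whose name exactly equals `urls.primaryName`
// in `search` (a query string such as "?urls.primaryName=Petstore%20v2").
// Anything else, including an absent parameter or an arbitrary URL smuggled
// into the parameter, falls back to the first entry, never to a new spec.
function resolvePrimarySpec(search, specUrls) {
  const params = new URLSearchParams(search);
  const requested = params.get("urls.primaryName");
  if (requested !== null) {
    const match = specUrls.find((entry) => entry.name === requested);
    if (match) return match;
  }
  return specUrls[0];
}

// Builds the Swagger UI options object. Only the validated primary name is
// taken from the location; all other query parameters are ignored because
// queryConfigEnabled remains false.
function buildSwaggerOptions(search, specUrls) {
  const primary = resolvePrimarySpec(search, specUrls);
  return {
    dom_id: "#swagger-ui", // assumed mount point on the page
    urls: specUrls,
    "urls.primaryName": primary.name,
    queryConfigEnabled: false,
  };
}

// Browser entry point (hypothetical page wiring): only runs where the
// standard dist script has defined SwaggerUIBundle.
if (typeof window !== "undefined" && typeof SwaggerUIBundle !== "undefined") {
  window.ui = SwaggerUIBundle(buildSwaggerOptions(window.location.search, SPEC_URLS));
}
```

Because the match is an exact string comparison against names the page itself configured, a refreshed `?urls.primaryName=...` link reopens the intended spec, while a parameter carrying a URL or an unknown name is simply discarded.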

I would also be very interested in a fix and solution for this. Introducing a security issue to use the direct links is not really worth the possible problems coming later. Therefore, like the previous speakers, I hope that a fix will come quickly.

cgockeln42 avatar May 23 '22 11:05 cgockeln42

Any news on this?

gueuselambix avatar Jul 01 '22 10:07 gueuselambix