fix: xss vulnerability in embed swagger-ui (#10593)

Solution: - update to recent version: v4.1.0  ## Description ### How to reproduce Open following URL, click the `Authorize` button, click the `Authorize` button in the login window, there'll be an alert that shows a successful XSS attack: ``` http://localhost:26654/swagger/?url=https://raw.githubusercontent.com/semsem123s/semsem-template/main/xss1.yaml ```  --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
cosmos · Dec 1, 2021 · 2361463 · 2361463
1 parent cf6ace5
commit 2361463
Show file tree

Hide file tree

Showing 18 changed files with 58 additions and 54,974 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -163,6 +163,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [\#10466](https://github.com/cosmos/cosmos-sdk/issues/10466) Fixes error with simulation tests when genesis start time is randomly created after the year 2262
 * [\#10394](https://github.com/cosmos/cosmos-sdk/issues/10394) Fixes issue related to grpc-gateway of account balance by
   ibc-denom.
+* [#10593](https://github.com/cosmos/cosmos-sdk/pull/10593) Update swagger-ui to v4.1.0 to fix xss vulnerability.
 
 ### State Machine Breaking
 

diff --git a/client/docs/statik/statik.go b/client/docs/statik/statik.go
diff --git a/client/docs/swagger-ui/favicon-16x16.png b/client/docs/swagger-ui/favicon-16x16.png
diff --git a/client/docs/swagger-ui/favicon-32x32.png b/client/docs/swagger-ui/favicon-32x32.png
diff --git a/client/docs/swagger-ui/index.html b/client/docs/swagger-ui/index.html
@@ -4,9 +4,9 @@
   <head>
     <meta charset="UTF-8">
     <title>Swagger UI</title>
-    <link rel="stylesheet" type="text/css" href="swagger-ui.css" >
-    <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-    <link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+    <link rel="stylesheet" type="text/css" href="./swagger-ui.css" />
+    <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
+    <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
     <style>
       html
       {
@@ -33,12 +33,11 @@
   <body>
     <div id="swagger-ui"></div>
 
-    <script src="swagger-ui-bundle.js"> </script>
-    <script src="swagger-ui-standalone-preset.js"> </script>
+    <script src="./swagger-ui-bundle.js" charset="UTF-8"> </script>
+    <script src="./swagger-ui-standalone-preset.js" charset="UTF-8"> </script>
     <script>
     window.onload = function() {
-
-      // Build a system
+      // Begin Swagger UI call region
       const ui = SwaggerUIBundle({
         url: "./swagger.yaml",
         dom_id: '#swagger-ui',
@@ -51,10 +50,11 @@
           SwaggerUIBundle.plugins.DownloadUrl
         ],
         layout: "StandaloneLayout"
-      })
+      });
+      // End Swagger UI call region
 
-      window.ui = ui
-    }
+      window.ui = ui;
+    };
   </script>
   </body>
 </html>
diff --git a/client/docs/swagger-ui/oauth2-redirect.html b/client/docs/swagger-ui/oauth2-redirect.html
@@ -1,8 +1,9 @@
 <!doctype html>
 <html lang="en-US">
-<body onload="run()">
-</body>
-</html>
+<head>
+    <title>Swagger UI: OAuth2 Redirect</title>
+</head>
+<body>
 <script>
     'use strict';
     function run () {
@@ -17,19 +18,20 @@
             qp = location.search.substring(1);
         }
 
-        arr = qp.split("&")
-        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';})
+        arr = qp.split("&");
+        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';});
         qp = qp ? JSON.parse('{' + arr.join() + '}',
                 function (key, value) {
-                    return key === "" ? value : decodeURIComponent(value)
+                    return key === "" ? value : decodeURIComponent(value);
                 }
-        ) : {}
+        ) : {};
 
-        isValid = qp.state === sentState
+        isValid = qp.state === sentState;
 
         if ((
-          oauth2.auth.schema.get("flow") === "accessCode"||
-          oauth2.auth.schema.get("flow") === "authorizationCode"
+          oauth2.auth.schema.get("flow") === "accessCode" ||
+          oauth2.auth.schema.get("flow") === "authorizationCode" ||
+          oauth2.auth.schema.get("flow") === "authorization_code"
         ) && !oauth2.auth.code) {
             if (!isValid) {
                 oauth2.errCb({
@@ -45,7 +47,7 @@
                 oauth2.auth.code = qp.code;
                 oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
             } else {
-                let oauthErrorMsg
+                let oauthErrorMsg;
                 if (qp.error) {
                     oauthErrorMsg = "["+qp.error+"]: " +
                         (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
@@ -64,4 +66,10 @@
         }
         window.close();
     }
+
+    window.addEventListener('DOMContentLoaded', function () {
+      run();
+    });
 </script>
+</body>
+</html>