Update dependency swagger-ui to v4 [SECURITY]

[udemyrenovateapp]

This PR contains the following updates:

Package	Type	Update	Change
swagger-ui	dependencies	major	^3.13.6 -> ^4.0.0

GitHub Vulnerability Alerts

GHSA-x9p2-fxq6-2m5f

Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks.

Recommendation

Upgrade to version 3.18.0 or later.

CVE-2019-17495

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@​import within the JSON data was a functional attack method.

GHSA-4f9m-pxwh-68hg

Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript.

Recommendation

Upgrade to version 3.20.9 or later.

GHSA-qrmm-w75w-3wpx

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered.

However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

An example scenario abusing this functionality could take the following form:

• https://example.com/api-docs hosts a version of SwaggerUI with ?url= query parameter enabled.
• Users will trust the domain https://example.com and the contents of the OpenAPI definition.
• A malicious actor may craft a similar OpenAPI definition and service that responds to the defined APIs at https://evildomain.
• Users mistakenly click a phishing URL like https://example.com/api-docs?url=https://evildomain/fakeapi.yaml and enters sensitive data via the "Try-it-out" feature.

We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is not possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.

Resolution

We've made the decision to disable query parameters (#​4872) by default starting with SwaggerUI version 4.1.3. Please update to this version when it becomes available (ETA: 2021 December). Users will still be able to be re-enable the options at their discretion. We'll continue to enable query parameters on the Swagger demo sites.

Workaround

If you host a version of SwaggerUI and wish to mitigate this issue immediately, you are encouraged to add the following custom plugin code:

SwaggerUI({
  //  ...other configuration options,
  plugins: [function UrlParamDisablePlugin() {
    return {
      statePlugins: {
        spec: {
          wrapActions: {
            // Remove the ?url parameter from loading an external OpenAPI definition.
            updateUrl: (oriAction) => (payload) => {
              const url = new URL(window.location.href)
              if (url.searchParams.has('url')) {
                url.searchParams.delete('url')
                window.location.replace(url.toString())
              }
              return oriAction(payload)
            }
          }
        }
      }
    }
  }],
})

Future UX work

Through the exploration of this issue, it became apparent that users may not be aware to which web server the Try-it-out function will send requests. While this information is currently presented at the top of the page, understanding may improve by displaying it closer to the "Execute" button where requests are actually made. We'll be exploring these UX improvements over the coming months and welcome community input. Please create a Feature Request under the GitHub Issue tab to start a conversation with us and the community.

Reflected XSS attack

Warning in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above.

CVE-2018-25031

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

---

Release Notes

swagger-api/swagger-ui (swagger-ui)

v4.1.3: Swagger UI v4.1.3 Released!

Compare Source

Bug Fixes

• security: disable reading config params from URL search params (#​7697) (01a3e55), closes #​4872, security advisory GHSA-qrmm-w75w-3wpx

Note: to re-enable the functionality of reading config params from URL, set new queryConfigEnabled core parameter to true. More info in documentation.

v4.1.2: Swagger UI v4.1.2 Released!

Compare Source

Bug Fixes

• request JumpToPath component always as container (f3d3898)

v4.1.1: Swagger UI v4.1.1 Released!

Compare Source

Bug Fixes

• introduce Error Boundaries to handle unexpected failures (#​7671) (b299be7), closes #​7647

v4.1.0: Swagger UI v4.1.0 Released!

Compare Source

Bug Fixes

• add source map of css file to swagger-ui-react (#​7601) (83021df)
• highlight-code: fix regression code highlight behavior (7cc2657), closes #​7603
• swagger-ui-react: add showExtension propType (4a78313), closes #​5892

Features

• swagger-ui-react: add request snippets configuration (#​7536) (3fea224), closes #​7523
• swagger-ui-react: add showExtensions option (#​7563) (d7ec726), closes #​5892
• swagger-ui-react: add support of filter prop (#​7547) (b71446c), closes #​7546

v4.0.1: Swagger UI v4.0.1 Released!

Compare Source

Bug Fixes

• servers: prevent UI crash when changing Server with variables (fb7e98a), closes #​7525

v4.0.0: Swagger UI v4.0.0 Released!

Compare Source

Breaking changes

• use React 17.x and Redux 4.x

Features

• allow using functional components with hooks (c31cb30)

Bug Fixes

• param-body: fix loosing focus in Try It when typing (#​7548) (5a5a27e), closes #​7477
• root-inject: handle errors in functional components properly (e364073)
• servers: compensate when server list contains a null value (1283f52), closes #​7341
• ui: eliminate copy button icon misaligned in Firefox (#​7542) (f5b0446), closes #​7481

Other changes

• consolidate production and development dependencies

More information in: https://github.com/swagger-api/swagger-ui/issues/7341
Release article: https://swagger.io/blog/news/what-s-new-in-swaggerui-v4-and-swaggereditor-v4/

v3.52.5: Swagger UI v3.52.5 Released!

Compare Source

Bug Fixes

• highlight-code: handle mousewheel events properly (#​7554) (0fc429f), closes #​7497

v3.52.4: Swagger UI v3.52.4 Released!

Compare Source

Bug Fixes

• fix issue with highlight code scrolling causing console error (#​7497) (#​7519) (24aaa53)
• remove redundant whitespaces in API key auth popup (#​7538) (a740f3d)
• rename request snippets configuration props (#​7535) (90c8a73), closes #​7534
• paths: break long paths with <wbr> (#​7516) (f88334a), closes #​7513
• UI: correct width of HTTP request method names (#​7527) (fc7cdb8), closes #​7479
• ux: update the buttons of the example tabs to be displayed as links (#​7517) (ff5deb3), closes #​7464 #​7464

v3.52.3: Swagger UI v3.52.3 Released!

Compare Source

Bug Fixes

• a11n: provide proper a11n for response example tabs (#​7464) (8ffb1ae), closes #​7463 #​7350
• sample-gen: generate the correct number of properties (#​7432) (f1aab53)
• try-it-out: fix the width of image responses (#​7495) (cc700f0), closes #​5578

v3.52.2: Swagger UI v3.52.2 Released!

Compare Source

Bug Fixes

• Dockerfile: fix security issue in docker image (3c9061e), closes #​7445
• security: fix security issue in prismjs production dep (#​7493) (2a1b710), closes #​7492
• security: fix security issue in url-parse production dep

v3.52.1: Swagger UI v3.52.1 Released!

Compare Source

Bug Fixes

• build-security: do not expose hostname to build framents (#​7491) (fdef4ea), closes #​7446
• security: bump swagger-client to v3.16.1 (5029b81), closes #​7473

v3.52.0: Swagger UI v3.52.0 Released!

Compare Source

Features

• js-yaml: update our main YAML parser to v4.1.0 (no esprima anymore in bundle) (3248428), closes #​6804

v3.51.2: Swagger UI v3.51.2 Released!

Compare Source

Bug Fixes

• deps: bump swagger-client to v3.14.1 (#​7440) (8daf4e4), closes #​7436
• minimum runtime Node.js version is now => 12.4

v3.51.1: Swagger UI v3.51.1 Released!

Compare Source

Bug Fixes

• sample-gen: parameter array missing items fallback (#​7376) (de3d063), closes #​7375

v3.51.0: Swagger UI v3.51.0 Released!

Compare Source

Features

• oas3: Show file upload for schema binary format (#​7325) (13c110a), closes #​5636

Bug Fixes

• sample-gen: oas3 form-data object should generate example (#​7355) (87ded99)
• try-it-out: button and inner text spacing (#​7357) (14be45d)
• ui: parameter placeholder should only display name (#​7123) (3a0f72f)

Deprecation Warning

Swagger UI now requires Node.js v12. Node.js v10 has reached its EOL on 30-04-2021. Documentation has been updated in this PR #​7359

v3.50.0: Swagger UI v3.50.0 Released!

Compare Source

Features

• wrapComponents: new chain configuration option (#​7236) (516e666)

Bug Fixes

• system: allow wrapping selectors in chain (#​7304) (96cdf00), closes #​7157

Deprecation warning

• wrapComponents: The new configuration option introduced in this version sets the default to legacy, with an opt-in setting for chain. In a future version, this configuration option will toggle to chain as default, as it is the intended fixed correct behavior. If your application expects and/or requires the legacy option, please update your application accordingly. If your application is agnostic towards the either chain or legacy, no change is needed.

v3.49.0: Swagger UI v3.49.0 Released!

Compare Source

Features

• Accessibility improvements (#​7224) (72811bd)

Bug Fixes

• download button width (#​7230) (9f62154)

v3.48.0: Swagger UI v3.48.0 Released!

Compare Source

Bug Fixes

• authorization: include oauth endpoint description (#​7195) (5906dfa)
• syntaxHighlighter: request and response examples for json cases (#​7199) (92f1507)
• try-it-out: required properties (#​7206) (53829f1)

Features

• docs: make webpack-getting-started more universal (#​7191) (f239965)

v3.47.1: Swagger UI v3.47.1 Released!

Compare Source

[email protected] was a valid but incomplete release. This release should contain downstream release jobs.

v3.47.0: Swagger UI v3.47.0 Released!

Compare Source

Features

• remove node_native option from request snippets plugin (#​7181) (2373a83)
• dev: migrate to local-web-server (#​7174) (01c8de4)

Bug Fixes

• update snippet generator map to support React 16 (#​7154) (7fc2780)

v3.46.0: Swagger UI v3.46.0 Released!

Compare Source

Features

• sample-gen: infer implicit type and validation constraint types (#​7117) (032bd71)
• download of text/csv now uses .csv extension (#​7141) (75865f3)
• markdown sanitization of form tag (#​7146) (f5b84e5)

Bug Fixes

• add aria label to select element for content types (#​7133) (4abbc62)
• array constraint validation only if value was provided (#​7112) (4103e0f)

Other

• swagger-client: bump to v3.13.2

v3.45.1: Swagger UI v3.45.1 Released!

Compare Source

Bug Fixes

• response examples fallback (#​7065) (9a2b646)
• cypress: tweak to ensure an element exists before test (#​7074) (d17a81e)

v3.45.0: Swagger UI v3.45.0 Released!

Compare Source

Features

• request snippets plugin (#​6910) (8405fa0)
• sample gen should incorporate schema validation constraint (#​7043) (3ead825)

Bug Fixes

• auth: support pkce when using basic auth header (#​7038) (f23a9d6)
• auth: url change should flush auth (#​7046) (219d886)
• sample-gen: allOf, oneOf lifting should consider properties and items (#​7041) (f9e54a2)
• sample-gen: xml attr with media-type example value (#​7045) (902241c)
• ui: prevent example select from overflowing (#​7060) (0723622)
• preserve multipart file part position in requestData (#​7008) (15b8c0c)

v3.44.1: Swagger UI v3.44.1 Released!

Compare Source

Bug Fixes

• json schema array items (#​7007) (2016c18)
• multipart enum initial value not set (#​7004) (68bd61a)
• optional empty validation (#​7003) (d32bd1a)

v3.44.0: Swagger UI v3.44.0 Released!

Compare Source

Bug Fixes

• info: use externalDocsUrl check to render Link (#​6997) (b7d3d1c)
• lint: use semicolons + closing link in html (#​6951) (17093f2)
• lint: put script tag in body in oauth2-redirect.html (#​6958)

Features

• models: collapsed schema content should be clickable (#​6942) (0e6dc04)
• verbose Failed to fetch error (#​6938) (4db2edc)
• docs: sample datepicker plugin with json schema components (#​6939) (ba74c02)

v3.43.0: Swagger UI v3.43.0 Released!

Compare Source

Features

• use example gen for multiple example value retainer examples (#​6920) (fad81f8)
• validate nullable (#​6928) (a2a561e)

Bug Fixes

• support OAuth2 PKCE when using the OIDC authorization_code flow (#​6914) (5e69d3c)
• sample-gen: enum without type should be handled by sample-gen (#​6912) (7ead9ba)

Other

swagger-cllient: version bump to 3.13.1

v3.42.0: Swagger UI v3.42.0 Released!

Compare Source

Features

• enhance parameter validation (#​6878) (5c4dfc2)
• sample-gen multi and form media-type (#​6874) (8ed6c34)

Bug Fixes

• responseBody: json response highlighting (#​6871) (13fea13), closes #​6508

v3.41.1: Swagger UI v3.41.1 Released!

Compare Source

Bug Fixes

• swagger-ui-react: src filename extension to transpile (#​6876) (e538e26)

v3.41.0: Swagger UI v3.41.0 Released!

Compare Source

Features

• sample-gen: yaml sample generation (#​6858) (470e2fe)
• ux: enhance media-type switching experience in RequestBodyEditor (#​6837) (e877580)
• config: add tryItOutEnabled configuration (#​6865) (265bdc0)
• swagger-client: bump to v3.12.2

Bug Fixes

• buildUrl: relative url is invalid URL (OAS3) or non-url (OAS2) (#​6864) (a5eb3dc)
• sample-gen: case yaml parsed example is number but string schema (#​6872) (5b2ad68)
• ux: ensure that optional security schema is rendered without padlock. (#​6839) (eddde95)
• webpack: assets should not be treaded as esModule (#​6861) (cdfb64f)

v3.40.0: Swagger UI v3.40.0 Released!

Compare Source

Features

• doc: added introduction (#​6806) (d80cc40)
• docker: add docker support for persist authorization variable (#​6832) (a7ba55a)
• group / sort parameters by location (#​6745) (ddaee4e)

Bug Fixes

• sample-gen: should render additionalProperties in example (#​6821) (35cb925)
• sample-gen: should return json literal example (#​6827) (a2f7917)
• sample-gen: should return xml literal example (#​6822) (59b42bb)
• spec-selector: isMediaTypeSchemaPropertiesEqual should handle case where literal media-types are equal. (#​6820) (25433c4)
• style: code should should wrap line (#​6831) (7087210), closes #​6764

v3.39.0: Swagger UI v3.39.0 Released!

Compare Source

Features

• ux: Disabled Execute button while request is in progress (#​6776) (2bf39e0)

Bug Fixes

• sample-gen: first oneOf or anyOf should be combined with schema (#​6775) (0f541a1)
• style: response data flows off the screen (#​6764) (85a3ec9)
• examples: Request Body examples should respect media-type (#​6739) (68e9b1b)

v3.38.0: Swagger UI v3.38.0 Released!

Compare Source

Features

• auth: Add OpenID Connect Discovery (OICD) support (#​3517) (#​6549) (0807687)

Bug Fixes

• components: fix keys rendering in React 16 using .entrySeq() (#​6685) (20a8987)
• security fixes applied in [email protected], [email protected], and [email protected]

v3.37.2: Swagger UI v3.37.2 Released!

Compare Source

• chore: update swagger-js to v3.12.1 which brings better support for $ref resolving (#​4765) (#​5625 )
• chore(release): fix release v3.37.1 release
• chore(package): allow auto-update of swagger-client (d3fb9ab)

v3.37.1: Swagger UI v3.37.1 Released!

Compare Source

Warning

This is a failed release which is identical to v3.37.0. Please install v3.37.2 instead.

v3.37.0: Swagger UI v3.37.0 Released!

Compare Source

Features

• swagger-ui-react: add support for layout prop (#​6639) (a6673d7)

Bug Fixes

• examples: properly update memoized value in non-schema case (#​6641) (d2ef8f3), closes #​6631
• xml: example generation if an array has an example (#​6634) (24225e4), closes #​6627

v3.36.2: Swagger UI v3.36.2 Released!

Compare Source

Bug Fixes

• duplicate labels in Servers UI (#​6568) (1f10240)
• externalDocs url for tags when using swagger v2.0 (#​6579) (6db4def)
• schema example: xml gen should follow json gen behavior (#​6555) (288c89b), closes #​6470 #​6540 #​4943
• cypress: oas3-request-body-required flakineess (#​6583) (64ae7af)

v3.36.1: Swagger UI v3.36.1 Released!

Compare Source

• swagger-client: update to v3.12.0. Fixes nested allOf/oneOf schema resolution in #​5194, #​5923, #​4672

Bug Fixes

• cypress: oas3-multiple-media-types flakiness (#​6571) (3925b0c), closes #​6570

v3.36.0: Swagger UI v3.36.0 Released!

Compare Source

Features

• support for showExtensions on Response objects (#​6535) (6a4e52a)

Bug Fixes

• auth: Allow PKCE for legacy AccessCode OAuth2 Grant Type (#​6011) (5a87c8a), closes #​6010
• auth: support for oauth2 relative url (#​6546) (0a807d6)
• auth: add additional autoFocus for http-auth component (#​6527) (8e3e059), closes #​6483
• response examples should respect media-type (#​6456) (87ab4e9)
• duplicate downloading of remote config (#​6544) (50e5f65)
• oauth redirect HTML title tag (#​6533) (17f140b)

v3.35.2: Swagger UI v3.35.2 Released!

Compare Source

Bug Fixes

• oas3: switching media types should update schema properties (#​6518) (3905fad), closes #​6201 #​6250 #​6476

• requestBody: hide read only properties (#​6490) (5065613)

• missing commas in response header values #​6183 (#​6515) (99fda81)

• add autofocus to auth fields (#​6483) (65ea764)

• style: preventing long strings from overflowing (#​5934) (#​6507) (4b2fddd)

• jest: add stub for errActions to prevent unhandled promise rejections #​6365 (#​6495) (537ad6d)

• jest: unknown prop initialValue on input tag (#​6506) (1af8678)

v3.35.1: Swagger UI v3.35.1 Released!

Compare Source

Bug Fixes

• parameter-row: rendering of default/example values of 0 (#​6454) (797929f)

• syntax-highlighter: configuration for Examples (#​6455) (b5e8081), closes #​5259

• examples multipart array sample generation for items (#​6461) (f4bdf2f)

• filter: avoid filtering by the strings "true/false" when enabled (#​6477) (aa53ec2)

• style: inconsistent background colors in code sections (#​6472) (1b11d5c)

• deprecate from "new Buffer" to "Buffer.from" (#​6489) (6c5e91d)

v3.35.0: Swagger UI v3.35.0 Released!

Compare Source

Bug Fixes

• auth: both array and Im.List scopes can be added to redirectURL (#​6416) (95fd3e7)
• swagger-ui-react: Use oneOfType in spec prop validation (fix #​6399) (#​6400) (52360a0)
• sample schema should stringify string values for content-type: text/json (#​6431) (ad630cc), closes #​6412
• try-it-out: required boolean default value set to empty string (#​6449) (f5c709f), closes #​6429

Features

• curl: configuration setting to pass additional options to curl command for "Try it out" (#​6288) (cbe99c8)
• swagger-ui-react: add deeplinking as prop (#​6424) (6b12f15)

v3.34.0: Swagger UI v3.34.0 Released!

Compare Source

Features

• Preserve authorization on browser refresh and close/reopen (#​5939) (96aecc8)
• build: use core-js@3 (#​6410) (ac41813)

Refactor

• build: increase maxEntrypointSize for core-js@3 (#​6419)
• csp: Update how the JavaScript run function is invoked in oauth2-redirect.html (#​6393)

v3.33.0: Swagger UI v3.33.0 Released!

Compare Source

Bug Fixes

• curlify: for -d, handle Immutable vs non-Immutable cases (#​6349) (0c60696)
• curlify: replace all occurrences of $ (#​6354) (89d57fc)
• Add entrySeq() to bodyProperties.map() (#​6267) (0199b47)
• Allowing servers dropdown to change when oas3Actions.setSelectedServer is called (#​6358) (5123b47), closes #​6351
• Updating select to pass in a better prop; updating test to do a better check (#​6385) (6ad418d), closes #​6372
• models view when object key contains deprecated:true (#​6371) (d4eea4d), closes #​6369
• style: servers environment select (#​6367) ([7a63ba3](https://redirect.github.com/swagger-api/swagger-ui/commit/7a63ba30c3db548e7159c00a16

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

Branch Conflicts?

♻ To rebase this PR, add the label Run Renovate to this PR