Swagger-ui: Swagger editor v3 description key has a XSS vulnerability

_From @attritionorg on June 1, 2017 2:45_

Looks like http://seclists.org/bugtraq/2016/May/15 on first glance, which was apparently fixed in the past.

Thanks for reporting. This is an issue with swagger-ui. Moving there for further treatment.

@webron Thank you for putting this in the proper place.

We're sanitizing our Markdown now - this should be fixed. Thanks for raising the issue @amrtgaber!

@webron, can you confirm if this is the same issue I linked or different?

@shockey Hey I might be testing this incorrectly but I still see the issue.

I just cloned the Swagger Editor master branch and did an npm install. It installed swagger-ui version 3.0.12 which I believe has this fix merged. Then I used the running locally instructions to get the editor loaded in the browser. To test, I pasted the sample YAML file from above. I still got the alert which makes me concerned that the vulnerability still exists. Is there something I'm missing? Sorry for any inconvenience.

@amrtgaber, thanks for checking. Swagger-UI 3.0.12 does _not_ have the fix, it was released last Friday 😄

I'll be doing releases of all the projects this evening, which will contain the fix (presumably, this version will be 3.0.13).

If you want to confirm the fix before the release, you can use npm to install the latest master branch as a module: just change your swagger-ui dependency to "swagger-ui": "github:swagger-api/swagger-ui#master" and run npm install again.

It looks fixed from my end, but I'd really appreciate it if you'd double-check it.

Sorry for jumping the gun too early on testing it!

I made the package.json change to update the swagger-ui dependency and ran npm install again then npm start. I cleared my cache and cookies then pasted the YAML file in. Unfortunately, I still see the alert. :slightly_frowning_face:

Here's the relevant line from npm install:
[email protected] (git://github.com/swagger-api/swagger-ui.git#ea660553294c7288ebdf5aa9e29103927d870a20)

Let me know if I'm just doing this all wrong or if there's anything I can do to help.

@amrtgaber huh, I was just about to ping you. Thanks for retesting. We'll see what @shockey has to say ;)

@attritionorg I cannot confirm if it's the same issue or not. This is a completely different code base than the referenced vesion.

@amrtgaber, looks like I may need to update the "running locally" docs, since they appear to have misled you. my apologies!

npm start serves the dist folder on an HTTP server. if you want to rebuild the dist folder, you'll need to run npm run build and then run npm start again.

alternatively, you can run npm run dev to get a hot-reloading dev server that does not require manual rebuilds.

i added a task for myself to rewrite that part of the readme, as it clearly sent you down the wrong path!

as for the XSS vulnerability - we deployed petstore.swagger.io this afternoon, and it appears to be fixed. i put your proof of concept into a gist here: https://gist.github.com/shockey/c67fe0a0fdd213af132360bc5b3a0b07, you can grab the raw url and load it into swagger-ui to confirm. make sure to force-refresh.

please request a reopen if you still see it happening after all that, and thank you for diligence in making sure this is fixed!

@shockey No worries I should've scrutinized the build process more, that makes perfect sense!

I did npm run build and restarted my local server and BAM! no alert! :tada:

Thanks! You did an excellent job and thank you for walking me through the testing. Sorry I kept missing the mark, I wasn't trying to make your job any harder. :smile:

Great work and excellent response time!

Thanks for bringing up the issue, @amrtgaber. We look forward to future contributions.