swagger-ui vulnerabilities

[jeemok]

API Explorer for LoopBack 3 is built on top of swagger-ui version 2.x which is no longer maintained. While there are known security vulnerabilities in swagger-ui, we believe they don't affect LoopBack users. See A note on swagger-ui vulnerabilities in README for more details.

We would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but unfortunately such upgrade requires too much effort and more importantly addition of new features to LB3 runtime, which would break our LTS guarantees.

We are keeping this issue open to keep the discussion in a single place.

Original issue description is below the line.

---

It may be too much of an effort to upgrade to v3 of swagger-ui as concluded in this issue #254

There are two new vulnerabilities reported today, I'm using the following dependencies:

    "loopback": "^3.26.0",
    "loopback-boot": "^2.28.0",
    "loopback-component-explorer": "^6.4.0",
    "loopback-component-storage": "^3.6.1",
    "loopback-connector-mongodb": "^4.2.0",
    "loopback-connector-rest": "^3.4.1",
    "loopback-connector-soap": "^5.0.0",

and it is giving me vulnerabilities warning when I run npm audit:

---

Moderate Reverse Tabnapping

Package swagger-ui

Patched in >=3.18.0

Dependency of loopback-component-explorer

Path loopback-component-explorer > swagger-ui

More info https://nodesecurity.io/advisories/975

---

Moderate Cross-Site Scripting

Package swagger-ui

Patched in >=3.20.9

Dependency of loopback-component-explorer

Path loopback-component-explorer > swagger-ui

More info https://nodesecurity.io/advisories/976

---

Will this be fixed? or do probably ignore them (could use a library to do that) for now?

[cs-akash-jarad]

strongloop/loopback-cli#90

[dhmlau]

@bajtos, since you're looking in this, I'm assigning this issue to you. Thanks.

[bajtos]

As far as I understand these vulnerabilities, they apply only when the attacker can force the swagger-ui instance to load swagger spec created by the attacker. This is not the case with loopback-component-explorer, where we always use the swagger-spec of the application serving swagger-ui. Therefore I believe the vulnerabilities are not applicable to LoopBack.

As for Moderate Reverse Tabnapping, I opened a pull request to back-port the fix to swagger-ui version 2, see swagger-api/swagger-ui#5419

Regarding Moderate Cross-Site Scripting: I did a quick search through swagger-ui 2.x codebase and found this place that may need a fix: https://github.com/swagger-api/swagger-ui/blob/c7439c79137e1e42dc67998f97d710996ca42ce6/src/main/javascript/view/AuthView.js#L125

[shockey]

@bajtos, you're correct -- these vulnerabilities are not relevant if you trust the OpenAPI document that is being provided to Swagger UI, and any webpages that the document links to.

[mgleland]

given that swagger won't take your PR, what can people do to get around this?

[jeemok]

@mgleland there are two ways I can think of for handling this now

• Since this vulnerability isn't relevant as discussed, we can filter it off by: npm audit --audit-level high. However, it might also filter other vulnerabilities lower than level high
• Or install a package to specifically ignore a vulnerability, eg: node node_modules/better-npm-audit audit -i 975 using better-npm-audit

[bajtos]

Alternatively, you can create your own fork of swagger-ui and tell the explorer to use your copy instead of the built-in one. See the uiDirs option in https://github.com/strongloop/loopback-component-explorer#options.

[bajtos]

https://www.npmjs.com/advisories/985

Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript.

LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. I believe that means loopback-component-explorer IS NOT AFFECTED by this vulnerability.

[fuyili]

any plan to address 975 and 976? swagger-api/swagger-ui#5419 doesn't seem to be merged.

[bajtos]

@fuyili I would love to find a way how to remove npm audit warnings when installing dependencies in LoopBack projects, unfortunately I don't see any easy solution :(

First of all, based on our understanding, 975 and 976 are not affecting users of this component. Ideally, either we or the app developers like you should have a tool to tell npm audit to suppress warnings about security vulnerabilities that are not exploitable in this specific settings. nsp, the original adit tool from Node Security Project, used to support that feature via a configuration file. Unfortunately, npm does not - see the discussion in their forum here: https://npm.community/t/please-provide-option-to-ignore-packages-in-npm-audit/403

If you are using API Explorer in development only, and loopback-component-explorer is listed in devDependencies of your project, then in an ideal world, you would be able to tell npm to limit the security audit to production dependencies only. Unfortunately, that option is not available either, see https://npm.community/t/please-support-production-or-only-production-in-npm-audit/3005

The lack of maturity of npm audit is appalling :(

So what other options do we have?

It would be nice to upgrade our API Explorer to v3 of swagger-ui, unfortunately that involves too much effort and requires addition of new features to LB3 runtime, which would break our LTS guarantees. See #209. (Additionally, upgrade to v3 of swagger-ui would require a new semver-major version of loopback-component-explorer too.)

I suppose we could fork swagger-ui and start maintaining our own 2.x version. It would mean investing our effort into work that fixes something that's not broken, which is not a great proposition to me. Additionally, by moving from the official swagger-ui module to our own fork, we will stop receiving further reports about security vulnerabilities that may be discovered in the future.

I understand how bad the situation is for LoopBack users, unfortunately I don't see any reasonable solutions how to address the problem :(

Suggestions are welcome!

[ivandov]

Personally, I don't think the approach should be to fork your own version of swagger-ui, the extra support needed there would not be a good model to follow.

Given how downlevel the swagger-ui dependency is in loopback-component-explorer, I would vote for a dependency update to the latest version of swagger-ui.