Page MenuHomePhabricator
Create Task
Maniphest T325558

Application Security Review Request: Swagger UI
Closed, ResolvedPublic
Actions

Description

Project Information 

16:35 [(HEAD detached at v4.15.5)] ~/code/swagger-ui> scc src
───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
JSX                         97      9049     1221       211     7617        709
JavaScript                  78      6970      854       363     5753        774
Sass                        17      3060      669        28     2363          5
Markdown                     4       165       45         0      120          0
SVG                          2        61        3         0       58          0
───────────────────────────────────────────────────────────────────────────────
Total                      198     19305     2792       602    15911       1488
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $493,602
Estimated Schedule Effort (organic) 10.52 months
Estimated People Required (organic) 4.17
───────────────────────────────────────────────────────────────────────────────
Processed 570413 bytes, 0.570 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

Description of the tool/project:
JavaScipt library that creates an interactive UI for exploring an OpenAPI specification, including constructing request against the respective API.

Description of how the tool will be used at WMF:
The plan is to create a special page that displayes the OpenAPI spec of any REST endpoints exposed by the wiki instance. The spec will be constructed automatically based on self-documentation abilities of the respective endpoints. This is similar to what Special:ApiSandbox does for the Action API.

See T323786: REST framework: Add support for outputting an OpenAPI (swagger) spec

Dependencies
Swagger UI will be served to clients as a single minfied bundle containing all dependencies, swagger-ui-bundle.js.
From https://github.com/swagger-api/swagger-ui/blob/v4.15.5/package.json:

"dependencies": {
  "@babel/runtime-corejs3": "^7.18.9",
  "@braintree/sanitize-url": "=6.0.0",
  "base64-js": "^1.5.1",
  "classnames": "^2.3.1",
  "css.escape": "1.5.1",
  "deep-extend": "0.6.0",
  "dompurify": "=2.3.10",
  "ieee754": "^1.2.1",
  "immutable": "^3.x.x",
  "js-file-download": "^0.4.12",
  "js-yaml": "=4.1.0",
  "lodash": "^4.17.21",
  "patch-package": "^6.5.0",
  "prop-types": "^15.8.1",
  "randexp": "^0.5.3",
  "randombytes": "^2.1.0",
  "react": "=17.0.2",
  "react-copy-to-clipboard": "5.1.0",
  "react-debounce-input": "=3.3.0",
  "react-dom": "=17.0.2",
  "react-immutable-proptypes": "2.2.0",
  "react-immutable-pure-component": "^2.2.0",
  "react-inspector": "^6.0.1",
  "react-redux": "^7.2.4",
  "react-syntax-highlighter": "^15.5.0",
  "redux": "^4.1.2",
  "redux-immutable": "^4.0.0",
  "remarkable": "^2.0.1",
  "reselect": "^4.1.5",
  "serialize-error": "^8.1.0",
  "sha.js": "^2.4.11",
  "swagger-client": "^3.18.5",
  "url-parse": "^1.5.8",
  "xml": "=1.0.1",
  "xml-but-prettier": "^1.0.1",
  "zenscroll": "^4.0.2"
},

Has this project been reviewed before?
An earlier version of Swagger UI is already exposed on WMF sites under https://en.wikipedia.org/api/rest_v1/. This path is proxied from RESTbase, which exposes this UI. If we had the new version in MediaWiki, we would use that to visualize the spec exposed by RESTbase. We wouldn't need to have two versions in production.

Working test environment
On a MediaWiki installation, apply https://gerrit.wikimedia.org/r/c/mediawiki/core/+/863987 and visit Special:REST.

Post-deployment
Integration of Swagger UI with MediaWiki will be maintained by Platform Engineering (API Platform)

Details

Risk Rating
Low

Related Objects
Search...

Event Timeline

daniel created this task.Dec 19 2022, 3:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 19 2022, 3:53 PM
daniel updated the task description. (Show Details)Dec 19 2022, 3:54 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.Dec 19 2022, 5:26 PM
sbassett moved this task from Back Orders to Upcoming Quarter Planning Queue on the secscrum board.Jan 4 2023, 5:14 PM
sbassett changed the task status from Open to In Progress.Jan 4 2023, 5:22 PM
sbassett assigned this task to Mstyles.
sbassett triaged this task as Medium priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
daniel added a comment.Jan 5 2023, 8:34 PM

I realize that this has a lot of dependencies, and pulls in the react framework. I have been trying to find an alternative that is based on Vue.js, since that is what we are using anyway. The best I could find is https://github.com/koumoul-dev/vue-openapi, which seems fairly lightweight. I haven't tired it, though. And while it doesn't seem completely dead, it doesn't have a lot of activity or contributors either.

daniel updated the task description. (Show Details)Jan 5 2023, 8:35 PM
daniel updated the task description. (Show Details)
daniel added a parent task: T323786: REST framework: Add support for outputting an OpenAPI (swagger) spec .Jan 17 2023, 10:45 AM
daniel added a comment.Mar 6 2023, 4:44 PM

Toolhub uses https://rapidocweb.com/, which seems to be quite lightweight:

"dependencies": {
  "@apitools/openapi-parser": "0.0.30",
  "base64-arraybuffer": "^1.0.2",
  "buffer": "^6.0.3",
  "lit": "^2.6.1",
  "marked": "^4.2.12",
  "prismjs": "^1.29.0",
  "xml-but-prettier": "^1.0.1"
},
Mstyles added a comment.Mar 22 2023, 4:23 PM

Just wanted to update that the review will be posted by the end of next week (March 31) at the latest. And as far as https://github.com/koumoul-dev/vue-openapi goes, while it has less dependencies, the lack of activity/contributors puts it on board with swagger-ui. We would prefer an actively maintained project with more eyes on it. I'll take a look at https://rapidocweb.com/ as well, thanks for posting!

daniel added a comment.Mar 29 2023, 11:52 AM

Re rapiddocweb: while it seems to be actively maintained, it looks like a one-person project: https://github.com/rapi-doc/RapiDoc/graphs/contributors

Mstyles added a comment.EditedApr 1 2023, 12:55 AM

Security Review Summary - T325558 - 2023-03-31

Overall, the current vendor code under consideration has an overall risk rating of: medium.

The swagger-ui project has a healthy amount of maintainers along with several bots that keep dependencies updated and cut releases on a regular schedule. They also have a clear policy for reporting security issues. They have a current open security issue that is mitigated as long as we use version 4.1.3 swagger-ui or above. Along with that, there's also a security policy that could be more detailed, but is a start in terms of a security policy. There are some minor vulnerabilities in the project, but since they are current with the releases and transparent with any security issues that do occur. However, the presence of webpack is considered a lower quality dependency by the application security team and therefore this project will receive a medium rating.

The scorecard rating of 5.8/10 is lower that desired, however several of the scorecard issues are listed in the vulnerabilities below and the others are not high priority. The same goes for semgrep which found overlapping issues with the listed vulnerabilities. Both reports can be attached for completeness if desired.

The other projects mentioned such as https://github.com/koumoul-dev/vue-openapi and https://github.com/rapi-doc/RapiDoc/graphs/contributors are possible contenders but those issues have been mentioned. If the team decides they want to move forward with either, we can add a request to the application security reviews to take a more in depth at those projects.

Swagger UI

General Security Information

Statistic/InfoValueRisk
Repository none
Relevant tag/branchmaster none
Last commit reviewed (if relevant)a88f02b none
Recent contributions to code (6 months)>50 low
Active developers with > 10 commits18 low
Current overall usage23.5k stars, 8.6k forks low
Current open security issues1 medium

Vulnerable Packages

VulnerabilityPackageNotesServiceRemediationRisk
Regular Expression Denial of Service (ReDoS)ansi-regex@2.1.1https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908snykThis issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1 high
Regular Expression Denial of Service (ReDoS)minimatchhttps://github.com/advisories/GHSA-f8q6-p94x-37v3npm auditnpm audit fix --force causes a breaking change high
Cross-realm object access in Webpack 5webpackhttps://github.com/advisories/GHSA-hc6q-2mpp-qw7jnpm auditnpm audit fix high
Code Injectionoauth2-serverhttps://github.com/advisories/GHSA-2fw4-mgq9-39cxnpm auditno fix available high
Exposure of Sensitive Information to an Unauthorized Actornanoidhttps://github.com/advisories/GHSA-qrpm-p2h7-hrv2npm auditnpm audit fix --force causes a breaking change medium

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

PackageCurrentWantedLatest
PackageCurrentWantedLatest
@babel/core7.21.07.21.07.21.3
@babel/eslint-parser7.19.17.19.17.21.3
@babel/plugin-proposal-class-properties7.16.77.16.77.18.6
@babel/plugin-proposal-object-rest-spread7.19.47.19.47.20.7
@babel/plugin-proposal-optional-chaining7.18.97.18.97.21.0
@babel/plugin-transform-modules-commonjs7.16.87.16.87.21.2
@babel/plugin-transform-runtime7.18.97.18.97.21.0
@babel/preset-react7.14.57.14.57.18.6
@babel/register7.17.07.17.07.21.0
@commitlint/cli17.4.417.5.117.5.1
@jest/globals29.4.329.4.329.5.0
@release-it/conventional-changelog5.1.05.1.05.1.1
@wojtekmaj/enzyme-adapter-react-170.6.60.6.60.8.0
autoprefixer10.4.1310.4.1410.4.14
babel-loader8.3.08.3.09.1.2
css-loader6.7.16.7.16.7.3
cssnano5.1.155.1.156.0.0
cypress9.5.19.5.112.9.0
deepmerge4.3.04.3.14.3.1
dompurify2.3.102.3.103.0.1
eslint8.34.08.37.08.37.0
eslint-plugin-jest26.9.026.1.227.2.1
eslint-plugin-mocha9.0.09.0.010.1.0
expect28.1.328.1.329.5.0
husky7.0.47.0.48.0.3
immutable3.8.23.8.24.3.0
jest29.4.329.4.329.5.0
jest-environment-jsdom29.4.329.4.329.5.0
jsdom21.1.021.1.021.1.1
json-server0.17.20.17.20.17.3
lint-staged13.1.213.1.213.2.0
local-web-server4.2.14.2.15.3.0
mini-css-extract-plugin2.7.22.7.52.7.5
mocha8.4.08.4.010.2.0

Static Analysis Findings

  1. lockfile-lint no issues detected low risk
  2. gitleaks returned no results. low risk
  3. scan scan:latest returned no results, outside of the previously-mentioned vulnerable packages. low risk
  4. semgrep 0.120.0 was run with 983 rules on 304 files: 19 findings low risk
  5. scorecard returned an aggregate score of 5.8 / 10 medium, see results here
Mstyles moved this task from In Progress to Our Part Is Done on the secscrum board.Apr 1 2023, 12:56 AM
daniel added a comment.Apr 3 2023, 7:37 AM

@Mstyles Thank you for the detailed analysis!

Can you halp me assess the concrete risk posed by the "high" issues? The following questions come to mind looking at your analysis:

  • Would yopu agree that the ReDoS vulerabilities are not an issue because all the code is run client side?
  • Am I correct in assuming that mitigation by "npm audit fix" means we can't use the minified bundle?
  • If I understand correctly, oauth-server is used when swaggerui is configured to allow authenticated requests to the API. Would you agree that the risk is mitigated by not enabling that feature?
Mstyles added a comment.Apr 5 2023, 6:31 PM
In T325558#8749341, @daniel wrote:

@Mstyles Thank you for the detailed analysis!

Can you halp me assess the concrete risk posed by the "high" issues? The following questions come to mind looking at your analysis:

  • Would yopu agree that the ReDoS vulerabilities are not an issue because all the code is run client side?

The risk is minimized, but still present as attackers can find ways to exploit vulnerable code.

  • Am I correct in assuming that mitigation by "npm audit fix" means we can't use the minified bundle?

You can still use the minified bundle. The npm audit fix is how the swagger-ui project maintainers would fix the issue. We can't guarantee that they will update the versions in a timely manner. That's a part of the risk that needs to be accepted by a manager/director and entered in the risk registry.

If we're not using the oauth-server and it's possible to disable it, then I think we should definitely do that. The risk of this project still remains at medium though mainly due to the webpack dependency.

Bawolff subscribed.Apr 5 2023, 8:00 PM

The webpack vulnerability is pretty silly. It is basically - if an attacker can modify your source code, then they can run arbitrary code.

One presumes that the platform team does not intend to allow malicious people to have commit access, and that if a malicious person was able to deploy code they would have much juicier things to target.

sbassett subscribed.Apr 6 2023, 9:23 PM
In T325558#8760631, @Bawolff wrote:

The webpack vulnerability is pretty silly. It is basically - if an attacker can modify your source code, then they can run arbitrary code.

One presumes that the platform team does not intend to allow malicious people to have commit access, and that if a malicious person was able to deploy code they would have much juicier things to target.

If I'm reading the vuln description correctly, this part:

"An attacker who controls a property of an untrusted object can obtain access to the real global object."

would imply simpler object injection style attacks via JS' object array access. I'd agree that this is likely difficult to exploit in the wild, unless there are some extremely terrible code patterns in place, but it's a simpler attack than other varieties of code injection/RCE.

Mstyles added a subscriber: MNadrofsky.Apr 12 2023, 3:10 AM

@MNadrofsky you have been entered into the risk register as the owner of medium risk for this project. Please let us know if you have any questions.

Mstyles closed this task as Resolved.Apr 17 2023, 8:45 PM

closing this as the review has been posted and the risk has been updated. Feel free to reopen if there are any more questions!

daniel added a comment.Apr 18 2023, 8:24 AM

Thank you!

DannyS712 updated the task description. (Show Details)Apr 14 2024, 1:54 PM
daniel mentioned this in T365753: REST: expose a machine readable directory of available API modules.May 23 2024, 7:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL