Private IP of build machine is being exposed! #7446

Closed
Tracked by #7341
pedrolamas opened this issue Aug 2, 2021 · 3 comments

@pedrolamas

Q&A (please complete the following information)

  • OS: Windows
  • Browser: Edge
  • Version: 93
  • Method of installation: NuGet (.NET)
  • Swagger-UI version: (latest)
  • Swagger/OpenAPI version: (latest?)

Describe the bug you're encountering

We are using OWASP Zed Attack Proxy (ZAP) scan in our builds, and we just noticed a warning from "swagger-ui-bundle.js", specifically that it is exposing a Private IP.

When we looked, it was the build machine IP that was on the file, I believe caused by this line.

Expected behavior

No private information should be output. Personally, I can't think of any reason for the build machine name/IP to be part of the output bundle!

Additional context or thoughts

@char0n
Member

char0n commented Aug 24, 2021

Hi @pedrolamas,

Thanks for pointing this out!

The addition of HOSTNAME in definition plugins comes from this commit: b7bbead#diff-1ebec643c7cac50a42cb61%5B%E2%80%A6%5D389ad60f5ed0991fc3f10edf736a

It is associated with this ticket: #1334

I've investigated and we don't use it nor need it AFAICT

I've included handling this in v4 release: #7341

@char0n
Member

char0n commented Sep 10, 2021

@char0n
Member

char0n commented Sep 10, 2021

@char0n char0n closed this as completed Sep 10, 2021
pedrolamas added a commit to pedrolamas/Swashbuckle.AspNetCore that referenced this issue Sep 10, 2021
This will fix a security issue reported here: swagger-api/swagger-ui#7446
brendasmith8 pushed a commit to brendasmith8/Swash-buckle-AspNetCore-repository that referenced this issue Sep 22, 2022
This will fix a security issue reported here: swagger-api/swagger-ui#7446
onlinedev0808 added a commit to onlinedev0808/Swashbuckle.AspNetCore that referenced this issue Jun 2, 2023
This will fix a security issue reported here: swagger-api/swagger-ui#7446
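
The kind of finding reported in this issue can also be caught as a build gate before a bundle ships. The following is an added example, not code from swagger-ui or ZAP: it scans bundle text for RFC 1918 private IPv4 addresses. The function names and the sample bundle string are constructed for illustration.

```javascript
// Added example: report RFC 1918 private IPv4 addresses found in bundle text.
// A dotted quad must not be glued to another digit or dotted group, so
// five-part version strings such as "1.2.3.4.5" are not reported.
const DOTTED_QUAD =
  /(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d|\.\d)/g;

// True for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
function isPrivateIPv4(octets) {
  const [a, b] = octets;
  return a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns one finding per private address, with its offset and some
// surrounding text so the responsible build-time constant can be located.
function findPrivateIPv4(text, contextChars = 20) {
  const findings = [];
  for (const m of text.matchAll(DOTTED_QUAD)) {
    const octets = m.slice(1, 5).map(Number);
    if (octets.some((o) => o > 255)) continue; // not a valid IPv4 address
    if (!isPrivateIPv4(octets)) continue;      // public addresses are ignored
    const start = Math.max(0, m.index - contextChars);
    const end = Math.min(text.length, m.index + m[0].length + contextChars);
    findings.push({
      ip: m[0],
      offset: m.index,
      context: text.slice(start, end),
    });
  }
  return findings;
}

// Constructed sample resembling a minified bundle with an embedded
// build-time HOSTNAME value; none of these values come from a real build.
const SAMPLE_BUNDLE =
  '!function(){var info={HOSTNAME:"192.168.14.7",BUILD_TIME:"constructed"};' +
  'var v="1.2.3.4.5",dns="8.8.8.8",edge="172.32.0.1",ci="172.20.1.5";}();';

const sampleFindings = findPrivateIPv4(SAMPLE_BUNDLE);
for (const f of sampleFindings) {
  console.log(`${f.ip} at offset ${f.offset}: ${f.context}`);
}
```

In a pipeline, pass the built file's contents to `findPrivateIPv4` and fail the job when the returned array is non-empty.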