fix: xss vulnerability in embed swagger-ui (#10593)

Solution: - update to recent version: v4.1.0  ## Description ### How to reproduce Open following URL, click the `Authorize` button, click the `Authorize` button in the login window, there'll be an alert that shows a successful XSS attack: ``` http://localhost:26654/swagger/?url=https://raw.githubusercontent.com/semsem123s/semsem-template/main/xss1.yaml ```  --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
2021-12-01 16:29:43 +08:00 · 2021-12-01 16:29:43 +08:00 · 236146396e
commit 236146396e
parent cf6ace5a1c
18 changed files with 58 additions and 54974 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -163,6 +163,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [\#10466](https://github.com/cosmos/cosmos-sdk/issues/10466) Fixes error with simulation tests when genesis start time is randomly created after the year 2262
 * [\#10394](https://github.com/cosmos/cosmos-sdk/issues/10394) Fixes issue related to grpc-gateway of account balance by
  ibc-denom.
+* [#10593](https://github.com/cosmos/cosmos-sdk/pull/10593) Update swagger-ui to v4.1.0 to fix xss vulnerability.

 ### State Machine Breaking

--- a/client/docs/statik/statik.go
+++ b/client/docs/statik/statik.go
--- a/client/docs/swagger-ui/favicon-16x16.png
+++ b/client/docs/swagger-ui/favicon-16x16.png
--- a/client/docs/swagger-ui/favicon-32x32.png
+++ b/client/docs/swagger-ui/favicon-32x32.png
--- a/client/docs/swagger-ui/index.html
+++ b/client/docs/swagger-ui/index.html
@ -4,9 +4,9 @@
  <head>
    <meta charset="UTF-8">
    <title>Swagger UI</title>
-    <link rel="stylesheet" type="text/css" href="swagger-ui.css" >
-    <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-    <link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+    <link rel="stylesheet" type="text/css" href="./swagger-ui.css" />
+    <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
+    <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
    <style>
      html
      {
@ -33,12 +33,11 @@
  <body>
    <div id="swagger-ui"></div>

-    <script src="swagger-ui-bundle.js"> </script>
-    <script src="swagger-ui-standalone-preset.js"> </script>
+    <script src="./swagger-ui-bundle.js" charset="UTF-8"> </script>
+    <script src="./swagger-ui-standalone-preset.js" charset="UTF-8"> </script>
    <script>
    window.onload = function() {
-
-      // Build a system
+      // Begin Swagger UI call region
      const ui = SwaggerUIBundle({
        url: "./swagger.yaml",
        dom_id: '#swagger-ui',
@ -51,10 +50,11 @@
          SwaggerUIBundle.plugins.DownloadUrl
        ],
        layout: "StandaloneLayout"
-      })
+      });
+      // End Swagger UI call region

-      window.ui = ui
-    }
+      window.ui = ui;
+    };
  </script>
  </body>
 </html>
--- a/client/docs/swagger-ui/oauth2-redirect.html
+++ b/client/docs/swagger-ui/oauth2-redirect.html
@ -1,8 +1,9 @@
 <!doctype html>
 <html lang="en-US">
-<body onload="run()">
-</body>
-</html>
+<head>
+    <title>Swagger UI: OAuth2 Redirect</title>
+</head>
+<body>
 <script>
    'use strict';
    function run () {
@ -17,19 +18,20 @@
            qp = location.search.substring(1);
        }

-        arr = qp.split("&")
-        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';})
+        arr = qp.split("&");
+        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';});
        qp = qp ? JSON.parse('{' + arr.join() + '}',
                function (key, value) {
-                    return key === "" ? value : decodeURIComponent(value)
+                    return key === "" ? value : decodeURIComponent(value);
                }
-        ) : {}
+        ) : {};

-        isValid = qp.state === sentState
+        isValid = qp.state === sentState;

        if ((
-          oauth2.auth.schema.get("flow") === "accessCode"||
-          oauth2.auth.schema.get("flow") === "authorizationCode"
+          oauth2.auth.schema.get("flow") === "accessCode" ||
+          oauth2.auth.schema.get("flow") === "authorizationCode" ||
+          oauth2.auth.schema.get("flow") === "authorization_code"
        ) && !oauth2.auth.code) {
            if (!isValid) {
                oauth2.errCb({
@ -45,7 +47,7 @@
                oauth2.auth.code = qp.code;
                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
            } else {
-                let oauthErrorMsg
+                let oauthErrorMsg;
                if (qp.error) {
                    oauthErrorMsg = "["+qp.error+"]: " +
                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
@ -64,4 +66,10 @@
        }
        window.close();
    }
+
+    window.addEventListener('DOMContentLoaded', function () {
+      run();
+    });
 </script>
+</body>
+</html>
--- a/client/docs/swagger-ui/swagger-ui-bundle.js
+++ b/client/docs/swagger-ui/swagger-ui-bundle.js
--- a/client/docs/swagger-ui/swagger-ui-bundle.js.map
+++ b/client/docs/swagger-ui/swagger-ui-bundle.js.map
--- a/client/docs/swagger-ui/swagger-ui-es-bundle-core.js
+++ b/client/docs/swagger-ui/swagger-ui-es-bundle-core.js
--- a/client/docs/swagger-ui/swagger-ui-es-bundle-core.js.map
+++ b/client/docs/swagger-ui/swagger-ui-es-bundle-core.js.map
--- a/client/docs/swagger-ui/swagger-ui-es-bundle.js
+++ b/client/docs/swagger-ui/swagger-ui-es-bundle.js
--- a/client/docs/swagger-ui/swagger-ui-es-bundle.js.map
+++ b/client/docs/swagger-ui/swagger-ui-es-bundle.js.map
--- a/client/docs/swagger-ui/swagger-ui-standalone-preset.js
+++ b/client/docs/swagger-ui/swagger-ui-standalone-preset.js
--- a/client/docs/swagger-ui/swagger-ui-standalone-preset.js.map
+++ b/client/docs/swagger-ui/swagger-ui-standalone-preset.js.map
--- a/client/docs/swagger-ui/swagger-ui.css
+++ b/client/docs/swagger-ui/swagger-ui.css
--- a/client/docs/swagger-ui/swagger-ui.css.map
+++ b/client/docs/swagger-ui/swagger-ui.css.map
--- a/client/docs/swagger-ui/swagger-ui.js
+++ b/client/docs/swagger-ui/swagger-ui.js
--- a/client/docs/swagger-ui/swagger-ui.js.map
+++ b/client/docs/swagger-ui/swagger-ui.js.map