Browse Source

Refactor Swagger UI parameter handling in docs.py

A Cross-Site Scripting (XSS) vulnerability was identified in the `get_swagger_ui_html()` function, which generates the Swagger UI documentation page (`/docs`).
pull/14568/head
jeferson cardoso 7 months ago
committed by GitHub
parent
commit
5dd1cd435c
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 34
      fastapi/openapi/docs.py

34
fastapi/openapi/docs.py

@ -131,24 +131,36 @@ def get_swagger_ui_html(
const ui = SwaggerUIBundle({{ const ui = SwaggerUIBundle({{
url: '{openapi_url}', url: '{openapi_url}',
""" """
for key, value in current_swagger_ui_parameters.items(): for key, value in current_swagger_ui_parameters.items():
html += f"{json.dumps(key)}: {json.dumps(jsonable_encoder(value))},\n"
encoded_value = jsonable_encoder(value)
safe_value = json.dumps(encoded_value)
if isinstance(value, str) and safe_value.startswith('"') and safe_value.endswith('"'):
safe_value = safe_value[1:-1] # Remove aspas externas
html += f" {key}: {safe_value},\n"
if oauth2_redirect_url: if oauth2_redirect_url:
html += f"oauth2RedirectUrl: window.location.origin + '{oauth2_redirect_url}'," html += f"oauth2RedirectUrl: window.location.origin + '{oauth2_redirect_url}',\n"
html += """
presets: [ html += """ presets: [
SwaggerUIBundle.presets.apis, SwaggerUIBundle.presets.apis,
SwaggerUIBundle.SwaggerUIStandalonePreset SwaggerUIBundle.SwaggerUIStandalonePreset
], ],
})""" })
"""
if init_oauth: if init_oauth:
init_oauth_json = json.dumps(jsonable_encoder(init_oauth))
html += f""" html += f"""
ui.initOAuth({json.dumps(jsonable_encoder(init_oauth))}) ui.initOAuth({init_oauth_json})"""
"""
html += """ html += """
</script> </script>

Loading…
Cancel
Save