Back-port "fix: anchor tag safety" to 2.x#5419
Conversation
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener". This is a back-port of dd3afdc (swagger-api#4789) to fix the problem in version 2.x. Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
b69dd5c to
f104586
Compare
b-admike
left a comment
There was a problem hiding this comment.
I am not familiar with this codebase, but upon reading https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/, LGTM 👍
|
@bajtos, just acknowledging that I've seen this -- I've kicked off an internal discussion. |
This comment has been minimized.
This comment has been minimized.
|
we've decided to pass on this PR, along with any other requests for updates to the last version of the effort required to confidently push a security-related fix for a codebase that:
..outweighs the benefit of pushing out a fix. for your part @bajtos, I understand the predicament you're in -- I see that LoopBack has a legacy/LTS version that is pretty well stuck with since there's no easy out for you until your current version goes to EOL, feel free to fork our 2.x branch and create a forked module that includes these changes. I've had to do this with some of Swagger UI's dependencies for various reasons. lastly, thanks for the PR. I do want to merge it, but I don't think it's the right thing to do given that it opens a Pandora's box of expectations for 2.x security updates going forward. |
|
@shockey thank you for a detailed explanation, I appreciate you took the time to discuss this matter in depth and write down your reasoning. I understand your situation. The decision you made makes sense, even if the consequences are not convenient to me :) |
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener".
This is a back-port of dd3afdc (#4789) to fix the problem in version 2.x.
@shockey @JonathanParrilla PTAL
Description
I ran
grep -r target src/main/templateto find all places where we are creating links to external URLs and then fixed these places by addingrel="noopener noreferrer"attribute.Motivation and Context
In LoopBack, we are depending on swagger-ui version 2.x (see https://github.com/strongloop/loopback-component-explorer). We tried to upgrade to 3.x, but found that such upgrade requires too much effort, and thus decided to stick with 2.x.
Now we are seeing a security vulnerability reported for our module. I believe we are not affected by the vulnerability, because the possibly-malicious URLs are fully under control of the person running swagger-ui, but it still look bad that security checkers are reporting a vulnerability.
Can we back-port the fix from 3.x to 2.x please?
How Has This Been Tested?
I tried to run
npm test, unfortunately it failed with a cryptic error:I also try to run
mochadirectly, unfortunately that failed too in the testshould have "Swagger UI" in titlewith no diagnostic messages :(Could you please advise how can/should I test this change?
Screenshots (if appropriate):
n/a
Checklist
My PR contains...
src/is unmodified: changes to documentation, CI, metadata, etc.)package.json)My changes...
Documentation
Automated tests