A scanner tool we use is reporting a security concern. It monitored the response from GET /metadata within ServiceStack.Metadata.IndexOperationsControl.Render() and reported a response without validation or encoding. Specifically, it complains about the URL. Here is the snippet it is concerned about:

```html
<h3>Plugin Links:</h3><ul><li><a href="https://mysitedomain/swagger-ui/">Swagger UI</a></li></ul> </div> <p> </p>
```
I might be generalizing too much. It looks like the issue is that ultimately, ServiceStack calls System.Web.UI.HtmlTextWriter.Write() instead of System.Web.UI.HtmlTextWriter.WriteEncodedText() for the plug-in links here:

```csharp
var pluginLinks = metadata != null && metadata.PluginLinks.Count > 0
    ? new ListTemplate
    {
        Title = metadata.PluginLinksTitle,
        ListItemsMap = ToAbsoluteUrls(metadata.PluginLinks),
        ListItemTemplate = @"<li><a href=""{0}"">{1}</a></li>"
    }.ToString()
    : "";
```
Should the URL be encoded right here?
There is no security concern, the links on the metadata pages are defined by Plugins that are statically known at compile time, i.e. they never embed unknown user-defined links.
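The rendering the question describes, as an added example (not ServiceStack's own code): the same `<li><a href="{0}">{1}</a></li>` template is filled either raw, the way Write() does, or with HTML attribute/text encoding, the way WriteEncodedText() would. For the compile-time Swagger UI link the answer refers to, encoding is a no-op; the second link and its title are constructed sample values with characters that would matter if a link were ever not static.

```python
import html

# Same item template as the ListTemplate on the page
LIST_ITEM_TEMPLATE = '<li><a href="{0}">{1}</a></li>'

def render_plugin_links(links: dict, encode: bool = True) -> str:
    """Render {url: title} pairs into the plugin-links list markup.

    encode=False interpolates the values raw (what Write() does).
    encode=True applies html.escape(quote=True), so '&', '<', '>' and
    quotes become entities and cannot alter the surrounding markup.
    """
    items = []
    for url, title in links.items():
        if encode:
            url = html.escape(url, quote=True)
            title = html.escape(title, quote=True)
        items.append(LIST_ITEM_TEMPLATE.format(url, title))
    return "<ul>" + "".join(items) + "</ul>"

def encoding_is_noop(url: str) -> bool:
    """True when attribute-encoding leaves the URL byte-for-byte unchanged,
    which is the case for the static link shown on the page."""
    return html.escape(url, quote=True) == url

# Constructed sample input: the static link from the page plus a
# hypothetical link whose query string and title contain '&', '<' and '>'.
SAMPLE_LINKS = {
    "https://mysitedomain/swagger-ui/": "Swagger UI",
    "https://mysitedomain/docs/?a=1&b=2": "API <beta>",
}

if __name__ == "__main__":
    print(render_plugin_links(SAMPLE_LINKS, encode=False))
    print(render_plugin_links(SAMPLE_LINKS, encode=True))
```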