Search code examples
node.jsswaggernestjsswagger-uinestjs-swagger

@nestjs/swagger: Is it possible to prevent phishing?

I'm using @nestjs/swagger in the Nest.js application to generate Swagger documentation.

In the documentation we have a simple example like

      const config = new DocumentBuilder()
        .setTitle('Cats example')
        .setDescription('The cats API description')
        .setVersion('1.0')
        .addTag('cats')
        .build();
      const document = SwaggerModule.createDocument(app, config);
      SwaggerModule.setup('api', app, document);

With this implementation, I faced the security issue, which can expose attackers to phishing. For example, we have a swagger page

https://petstore.swagger.io/

Attackers can add a query parameter in URL like

https://petstore.swagger.io/?url=https://27.rs/card.yaml#/default/get_

That can lead to security issues. Is there any way to prevent it? Can we disable the query parameters for the Swagger URL, or clean it? To convert

https://petstore.swagger.io/?url=https://27.rs/card.yaml#/default/get_ => https://petstore.swagger.io/

As a 4-th parameter SwaaggerModule.setup function can receive options. I have tried to do something with them but still no result. Here are possible parameters

export interface SwaggerCustomOptions {
  explorer?: boolean;
  swaggerOptions?: Record<string, any>;
  customCss?: string;
  customCssUrl?: string;
  customJs?: string;
  customfavIcon?: string;
  swaggerUrl?: string;
  customSiteTitle?: string;
  validatorUrl?: string;
  url?: string;
  urls?: Record<'url' | 'name', string>[];
}

I can see also the open issue in GitHub regarding this question. There are mentioned about the usage of window.history.replaceState(null, "", window.location.pathname);. How it can be used in @nestjs/swagger?

Solution

  • I didn't found any solution in @nestjs/swagger and I can see the open issue in GitHub

    https://github.com/swagger-api/swagger-ui/issues/4332#issuecomment-867574178

    As a temporary solution, I have added the following part of the code to handle the requests before rendering the Swagger document.

       app.use(swaggerPath, (req: Request, res: Response, next: NextFunction) => {
      // A temporary solution to prevent security issues with query params
      // Can be removed when into the swagger module will be added ability to turn off query parameters of URL
      if (Object.keys(req.query).length) {
        res.redirect(swaggerPath);
      } else {
        next();
      }
    });

    Where swaggerPath is something like /api/doc, or your swagger path.