Support rendering OpenAPI and Swagger documents #25824
Conversation
GiteaBot
added
the
lgtm/need 2
|
No, the current approach is not right. We should load To achieve this, put the same dynamic import in both const [{default: SwaggerUI}] = await Promise.all([
import(/* webpackChunkName: "swagger-ui" */'swagger-ui-dist/swagger-ui-es-bundle.js'),
import(/* webpackChunkName: "swagger-ui" */'swagger-ui-dist/swagger-ui.css')
]);Having the exact same block will allow webpack to dedupe the chunks. Also, I'm pretty sure we want to contain swagger-ui's CSS into an |
silverwind
changed the title
|
Changed the title. This should support OpenAPI up to 3.1, and all Swagger versions. |
silverwind
changed the title
lunny
added
the
type/feature
lunny
changed the title
GiteaBot
added
lgtm/need 1
GiteaBot
added
lgtm/done
routers/web/repo/render.go
Outdated
| @@ -62,12 +62,14 @@ func RenderFile(ctx *context.Context) { | |||
| treeLink += "/" + util.PathEscapeSegments(ctx.Repo.TreePath) | |||
| } | |||
|
|
|||
| ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts") | |||
| ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts allow-same-origin") | |||
There was a problem hiding this comment.
If the rendered content contains user's javascript, would allow-same-origin cause XSS?
There was a problem hiding this comment.
Iframe with sandbox attributes allow-scripts allow-same-origin allows the embedee to remove the sandbox attribute. From MDN:
When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Not that I see a big issue here because openapi specs can not contain executable code.
There was a problem hiding this comment.
But this code is for all renders, not only for OpenAPI.
There was a problem hiding this comment.
For PDF renderer, it can definitely be an issue as those could maybe contain JS.
There was a problem hiding this comment.
So if the iframe really needs allow-same-origin, we should specifically allow it only for the openapi renderer, otherwise remove the attribute. In fact, I strongly prefer removal to avoid future security issues.
GiteaBot
added
lgtm/need 1
|
The current swagger.js just supports 2.0 specification and just support JSON file. It needs to be changed to support 3.0 specification and YAML file. |
We use the latest swagger-ui available (from npm), so it should support everything up to openapi 3.1, json or yaml. |
|
I'll give this a review/test soon. |
|
Hmm I do get |
Fixed it with 897be68, now openapi 3.1 renders fine. |
|
d866b87 makes it work for yaml specs as well. Had to add the yaml parser dependency as swagger-ui can only process js objects. |
|
TODOs:
|
silverwind
force-pushed
the
lunny/support_render_openapi
branch
from
1041279 to
3c91b09
Compare
|
Oops, I think I destroyed this PR with some force-push action (it wouldn't let me push my latest commit even after ensuring I was on tip multiple times via reset and branch re-creation). New PR to continue: #26802 |
Fix #20852
At the beginning, I want to use iframe but finally I found it'd difficult to implement it safely. So the new idea is open a new page to render the file.
There will be a placeholder button
And click the button will redirect to the real render page.