UI version 5.20 breaks relative OAuth2 URLs #10340
Open
Tornhoof opened this issue Mar 4, 2025 · 1 comment

Comments

Tornhoof commented Mar 4, 2025

Q&A (please complete the following information)

  • OS: Windows
  • Browser: Chrome
  • Version: 133
  • Method of installation: dist assets
  • Swagger-UI version: 5.20
  • Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

Swagger-UI configuration options:

```json
"securitySchemes": {
  "OIDC": {
    "type": "oauth2",
    "description": "Bearer Authentication",
    "flows": {
      "authorizationCode": {
        "authorizationUrl": "./../identity/connect/authorize",
        "tokenUrl": "./../identity/connect/token",
        "scopes": {
          "api": "API Scope"
        }
      }
    }
  }
}
```

Describe the bug you're encountering

Assuming the swagger endpoint is /swagger and you have relative OAuth2 configuration URLs (relative URIs as above), v5.20 redirects to "/swagger/identity/connect/authorize" on clicking the Authorize button. It ignores the relative "../" part of the URL.

Example:
https://localhost/swagger with swagger json on https://localhost/swagger/v1/swagger.json, then the above configuration redirects to: https://localhost/swagger/identity/connect/authorize, instead of https://localhost/identity/connect/authorize.

To reproduce...

Steps to reproduce the behavior:
Configure relative OAuth2 security scheme as above, with any given swagger config and click Authorize

Expected behavior

It redirects to "/identity/connect/authorize"

Additional context or thoughts

This works in 5.19.

This was found in Swashbuckle for .NET and repro'd to be the UI change:
domaindrivendev/Swashbuckle.AspNetCore#3287

Tornhoof commented Mar 4, 2025

I did a few more experiments. If I look at the changes in 5.20, there were changes regarding URL sanitization, so this might be a side effect of those.

  • `./../` does not work
  • `/../` works, but only if the path segment `../` points to root, as `/` anchors it to root
  • `../` does not work
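The redirect targets described in this issue depend entirely on which base URL the relative OAuth2 URLs are resolved against. The following is an added example (not code from the issue author or from Swagger UI) that resolves every oauth2 flow URL in a securitySchemes block against two candidate bases, the UI page URL and the spec document URL, and flags the ones that land on different endpoints; the sample block and URLs are the ones quoted in the issue.

```javascript
// Added example: audit relative OAuth2 flow URLs in an OpenAPI 3
// securitySchemes block by resolving them against two candidate bases.
// Uses only the WHATWG URL parser built into Node.js and browsers.

// Constructed sample input: the securitySchemes block from the issue.
const securitySchemes = {
  OIDC: {
    type: "oauth2",
    description: "Bearer Authentication",
    flows: {
      authorizationCode: {
        authorizationUrl: "./../identity/connect/authorize",
        tokenUrl: "./../identity/connect/token",
        scopes: { api: "API Scope" },
      },
    },
  },
};

// Resolve a possibly relative URL against a base, with RFC 3986 style
// dot-segment handling (".." above the root is simply dropped).
function resolveAgainst(url, base) {
  return new URL(url, base).href;
}

// For each oauth2 scheme and flow, resolve authorizationUrl/tokenUrl/refreshUrl
// against the UI page URL and against the spec document URL. A record is marked
// ambiguous when the two bases yield different absolute endpoints, which is
// exactly the situation in which a UI-side change of base URL moves the redirect.
function auditOAuthUrls(schemes, pageUrl, specUrl) {
  const results = [];
  for (const [schemeName, scheme] of Object.entries(schemes)) {
    if (scheme.type !== "oauth2" || !scheme.flows) continue;
    for (const [flowName, flow] of Object.entries(scheme.flows)) {
      for (const key of ["authorizationUrl", "tokenUrl", "refreshUrl"]) {
        if (typeof flow[key] !== "string") continue;
        const viaPage = resolveAgainst(flow[key], pageUrl);
        const viaSpec = resolveAgainst(flow[key], specUrl);
        results.push({ scheme: schemeName, flow: flowName, key, value: flow[key],
                       viaPage, viaSpec, ambiguous: viaPage !== viaSpec });
      }
    }
  }
  return results;
}

// Usage with the URLs from the issue: page https://localhost/swagger, spec at /swagger/v1/swagger.json.
for (const r of auditOAuthUrls(securitySchemes, "https://localhost/swagger",
                               "https://localhost/swagger/v1/swagger.json")) {
  console.log(`${r.scheme}.${r.flow}.${r.key} ${r.value}\n  via page: ${r.viaPage}\n  via spec: ${r.viaSpec}` +
              (r.ambiguous ? "\n  AMBIGUOUS: base URL decides the endpoint" : ""));
}
```

Resolving against the page URL gives the endpoint the reporter expects (https://localhost/identity/connect/authorize), resolving against the spec URL gives the one observed in 5.20 (https://localhost/swagger/identity/connect/authorize), and a root-anchored form such as `/../identity/connect/authorize` resolves identically against both.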
