try to make swagger safer with send_file

2020-04-19 11:22:28 +01:00
parent ed1cf3e2cd
commit da33478504
18 changed files with 6 additions and 9 deletions
--- a/lib/App/Netdisco/Configuration.pm
+++ b/lib/App/Netdisco/Configuration.pm
@@ -221,7 +221,7 @@ if (setting('reports') and ref {} eq ref setting('reports')) {
 config->{'reports'} = [ @{setting('system_reports')}, @{setting('reports')} ];

 # set swagger ui location
-config->{plugins}->{Swagger}->{ui_dir}
-  = dir(dist_dir('App-Netdisco'), 'swagger-ui')->absolute;
+#config->{plugins}->{Swagger}->{ui_dir} =
+  #dir(dist_dir('App-Netdisco'), 'share', 'public', 'swagger-ui')->absolute;

 true;
--- a/lib/App/Netdisco/Web.pm
+++ b/lib/App/Netdisco/Web.pm
@@ -306,16 +306,12 @@ get $swagger_base => sub {
 get $swagger_base.'/' => sub {
    # user might request /swagger-ui/ initially (Plugin doesn't handle this)
    params->{url} or redirect uri_for($swagger_base)->path;
-
-    my $file = $swagger->ui_dir->child('index.html');
-    send_error "file not found", 404 unless -f $file;
-    return $file->slurp;
+    send_file( 'swagger-ui/index.html' );
 };

+# omg the plugin uses system_path and we don't want to go there
 get $swagger_base.'/**' => sub {
-    my $file = $swagger->ui_dir->child( @{ (splat())[0] } );
-    send_error "file not found", 404 unless -f $file;
-    send_file $file, system_path => 1;
+    send_file( join '/', 'swagger-ui', @{ (splat())[0] } );
 };

 # remove empty lines from CSV response
--- a/share/config.yml
+++ b/share/config.yml
@@ -500,6 +500,7 @@ plugins:
     main_api_module: 'App::Netdisco'
     ui_url: '/swagger-ui'
     show_ui: false
+     ui_dir: '/dev/null'
  Auth::Extensible:
    no_api_change_warning: true
    no_default_pages: true
--- a/share/public/swagger-ui/favicon-16x16.png
+++ b/share/public/swagger-ui/favicon-16x16.png
--- a/share/public/swagger-ui/favicon-32x32.png
+++ b/share/public/swagger-ui/favicon-32x32.png
--- a/share/public/swagger-ui/index.html
+++ b/share/public/swagger-ui/index.html
--- a/share/public/swagger-ui/oauth2-redirect.html
+++ b/share/public/swagger-ui/oauth2-redirect.html
--- a/share/public/swagger-ui/swagger-ui-bundle.js
+++ b/share/public/swagger-ui/swagger-ui-bundle.js
--- a/share/public/swagger-ui/swagger-ui-bundle.js.map
+++ b/share/public/swagger-ui/swagger-ui-bundle.js.map
--- a/share/public/swagger-ui/swagger-ui-json-tree-plugin.js
+++ b/share/public/swagger-ui/swagger-ui-json-tree-plugin.js
--- a/share/public/swagger-ui/swagger-ui-json-tree-plugin.js.map
+++ b/share/public/swagger-ui/swagger-ui-json-tree-plugin.js.map
--- a/share/public/swagger-ui/swagger-ui-standalone-preset.js
+++ b/share/public/swagger-ui/swagger-ui-standalone-preset.js
--- a/share/public/swagger-ui/swagger-ui-standalone-preset.js.map
+++ b/share/public/swagger-ui/swagger-ui-standalone-preset.js.map
--- a/share/public/swagger-ui/swagger-ui.css
+++ b/share/public/swagger-ui/swagger-ui.css
--- a/share/public/swagger-ui/swagger-ui.css.map
+++ b/share/public/swagger-ui/swagger-ui.css.map
--- a/share/public/swagger-ui/swagger-ui.js
+++ b/share/public/swagger-ui/swagger-ui.js
--- a/share/public/swagger-ui/swagger-ui.js.map
+++ b/share/public/swagger-ui/swagger-ui.js.map
--- a/share/public/swagger-ui/version-3.20.3
+++ b/share/public/swagger-ui/version-3.20.3