try to make swagger safer with send_file

lib/App/Netdisco/Configuration.pm

@@ -221,7 +221,7 @@ if (setting('reports') and ref {} eq ref setting('reports')) {
 config->{'reports'} = [ @{setting('system_reports')}, @{setting('reports')} ];
 
 # set swagger ui location
-config->{plugins}->{Swagger}->{ui_dir}
+#config->{plugins}->{Swagger}->{ui_dir} =
-  = dir(dist_dir('App-Netdisco'), 'swagger-ui')->absolute;
+  #dir(dist_dir('App-Netdisco'), 'share', 'public', 'swagger-ui')->absolute;
 
 true;

lib/App/Netdisco/Web.pm

@@ -306,16 +306,12 @@ get $swagger_base => sub {
 get $swagger_base.'/' => sub {
     # user might request /swagger-ui/ initially (Plugin doesn't handle this)
     params->{url} or redirect uri_for($swagger_base)->path;
-
+    send_file( 'swagger-ui/index.html' );
-    my $file = $swagger->ui_dir->child('index.html');
-    send_error "file not found", 404 unless -f $file;
-    return $file->slurp;
 };
 
+# omg the plugin uses system_path and we don't want to go there
 get $swagger_base.'/**' => sub {
-    my $file = $swagger->ui_dir->child( @{ (splat())[0] } );
+    send_file( join '/', 'swagger-ui', @{ (splat())[0] } );
-    send_error "file not found", 404 unless -f $file;
-    send_file $file, system_path => 1;
 };
 
 # remove empty lines from CSV response

share/config.yml

@@ -500,6 +500,7 @@ plugins:
      main_api_module: 'App::Netdisco'
      ui_url: '/swagger-ui'
      show_ui: false
+     ui_dir: '/dev/null'
   Auth::Extensible:
     no_api_change_warning: true
     no_default_pages: true