Improve README, describe sec vuln 975 and 976

strongloop · Nov 21, 2019 · 8a0545c · 8a0545c
1 parent 9c27584
commit 8a0545c
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -39,13 +39,26 @@ console.log("Explorer mounted at localhost:" + port + "/explorer");
 app.listen(port);
 ```
 
-## swagger-ui vulnerabilities
+## A note on swagger-ui vulnerabilities
 
-Regarding the security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985
+API Explorer for LoopBack 3 is built on top of `swagger-ui` version 2.x which is no longer maintained. While there are known security vulnerabilities in `swagger-ui`, we believe they don't affect LoopBack users. 
 
+We would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but unfortunately such upgrade requires too much effort and more importantly addition of new features to LB3 runtime, which would break our LTS guarantees. For more details, see discussion in [loopback-component-explorer#263](https://github.com/strongloop/loopback-component-explorer/issues/263).
+
+https://www.npmjs.com/advisories/985
 > Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript.
 
-LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. For more details, see discussion in https://github.com/strongloop/loopback-component-explorer/issues/263#issuecomment-529385166. 
+LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. 
+
+https://www.npmjs.com/advisories/975
+> Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses `target='_blank'` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks.
+
+This vulnerability affects anchor tags created from metadata provided by the Swagger spec, for example `info.termsOfServiceUrl`. LoopBack's API Explorer does not allow clients to provide custom swagger spec, URLs like `info.termsOfServiceUrl` are fully in control of the LoopBack application developer. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
+
+https://www.npmjs.com/advisories/976
+> Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript.
+
+LoopBack 3 API Explorer does not support OAuth auth flow, that means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
 
 ## Upgrading from v1.x