fix(docker): disallow embedding SwaggerUI served from docker by default (#9520)

char0n · web-flow · commit f9ecb01aa8af · 2024-01-26T15:57:18.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -13,9 +13,11 @@ ENV API_KEY="**None**" \
     PORT="8080" \
     PORT_IPV6="" \
     BASE_URL="/" \
-    SWAGGER_JSON_URL=""
+    SWAGGER_JSON_URL="" \
+    CORS="true" \
+    EMBEDDING="false"
 
-COPY --chown=nginx:nginx --chmod=0666 ./docker/default.conf.template ./docker/cors.conf /etc/nginx/templates/
+COPY --chown=nginx:nginx --chmod=0666 ./docker/default.conf.template ./docker/cors.conf ./docker/embedding.conf /etc/nginx/templates/
 
 COPY --chmod=0666 ./dist/* /usr/share/nginx/html/
 COPY --chmod=0555 ./docker/docker-entrypoint.d/ /docker-entrypoint.d/
diff --git a/docker/default.conf.template b/docker/default.conf.template
@@ -38,5 +38,6 @@
       }
 
       include templates/cors.conf;
+      include templates/embedding.conf;
     }
   }
diff --git a/docker/docker-entrypoint.d/40-swagger-ui.sh b/docker/docker-entrypoint.d/40-swagger-ui.sh
@@ -39,4 +39,14 @@ if [[ -n "${PORT_IPV6}" ]]; then
     sed -i "s|${PORT};|${PORT};\n    listen            [::]:${PORT_IPV6};|g" $NGINX_CONF
 fi
 
+# enable/disable CORS
+if [ "$CORS" != "true" ]; then
+  truncate -s 0 /etc/nginx/templates/cors.conf
+fi
+
+# allow/disallow embedding the swagger-ui in frames/iframes from different origins
+if [ "$EMBEDDING" != "false" ]; then
+  truncate -s 0 /etc/nginx/templates/embedding.conf
+fi
+
 find $NGINX_ROOT -type f -regex ".*\.\(html\|js\|css\)" -exec sh -c "gzip < {} > {}.gz" \;
diff --git a/docker/embedding.conf b/docker/embedding.conf
@@ -0,0 +1,5 @@
+#
+# Prevent displaying inside an iframe
+#
+add_header 'X-Frame-Options' 'DENY' always;
+add_header 'Content-Security-Policy' "frame-ancestors 'none'" always;

Original file line number	Diff line number	Diff line change
`@@ -38,5 +38,6 @@`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`include templates/cors.conf;`
	`41`	`+ include templates/embedding.conf;`
`41`	`42`	`}`
`42`	`43`	`}`