Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Babylon Genesis Chain>Low findings>Unsafe swagger Content Security Policy
GeneralOverview
Findings
Critical (10)
High (4)
Medium (4)
Low (7)Inability to restore confirmed checkpoints to sealed stateLack of commission-rate change restrictions in EditFinalityProviderHide slashing targets from vigilante by spammingPublic randomness reset due to block-height overflowIncorrect negative checksUnsafe swagger Content Security PolicyMultiple issues when inputting password for the BLS keystore
Informational (7)
DiscussionBabylon node module-wise reviewed parametersDependency management and vulnerability assessmentPanic handling in ABCI++ handlersBehavior of MissedBlocksCounter on consecutive windows
DesignModule: btclightclientModule: btccheckpointModule: checkpointingModule: epochingModule: finalityModule: incentiveModule: monitorModule: mintModule: btcstakingbtc-stakerstaking-expiry-checkerbtc-staking-tsVigilante reporterVigilante submitterVigilante monitor (BTC timestamping monitor)Vigilante BTC staking trackerCryptographyFinality providerCovenant emulatorModule: staking-queue-clientstaking-api-servicebabylon-staking-indexersimple-staking
Audit ResultsAssessment Results
AddendumAddendumNonce reuse in adaptor signatures allows recovering signing key testsKey recovery succeeding on output from a btc-delegations query test
Category: Coding Mistakes

Unsafe swagger Content Security Policy

Low Severity
Low Impact
Low Likelihood

Description

The default Content-Security-Policy (CSP) header value for staking-api-service is safe, but a second CSP is used for /swagger/* routes:

// CSP for /swagger/* path
swaggerCSP := "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://stackpath.bootstrap.com ..."

// Choose the appropriate CSP based on the request path
csp := defaultCSP
if strings.HasPrefix(r.URL.Path, swaggerPathPrefix) {
    csp = swaggerCSP
}

This CSP is unsafe due to the script-src directive allowing 'unsafe-inline', as it allows the execution of in-line scripts.

Impact

If an attacker were able to find cross-site scripting on a /swagger/* path, they would be able to execute arbitrary JavaScript.

The exploitability depends on the security of the http-swagger Go package, but there are known issues with the package.

Recommendations

Replace 'unsafe-inline' from the script-src directive with the minimum set of required JavaScript sources for swagger to run.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit b91749b3.

Zellic © 2025Back to top ↑