Babylon Genesis Chain assessment report, Low findings
Category: Coding Mistakes

Unsafe swagger Content Security Policy

Low Severity
Low Impact
Low Likelihood

Description

The default Content-Security-Policy (CSP) header value for staking-api-service is safe, but a second CSP is used for /swagger/* routes:

// CSP for /swagger/* path
swaggerCSP := "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://stackpath.bootstrap.com ..."

// Choose the appropriate CSP based on the request path
csp := defaultCSP
if strings.HasPrefix(r.URL.Path, swaggerPathPrefix) {
    csp = swaggerCSP
}

This policy is unsafe because its script-src directive includes 'unsafe-inline', which lets the browser execute inline <script> blocks and inline event handlers regardless of where the page came from. Blocking exactly that class of script is the main reason to deploy a CSP, so the swagger policy provides little protection against cross-site scripting on these routes.

Impact

If an attacker found a cross-site scripting vector on any /swagger/* path, the policy would not stop the injected inline script, and they would be able to execute arbitrary JavaScript in the context of the staking-api-service origin.

Exploitability depends on the security of the http-swagger Go package that serves these routes; the package has had known issues, so the CSP should not be relied on to compensate for them.

Recommendations

Remove 'unsafe-inline' from the script-src directive and allow only the minimum set of script sources the Swagger UI needs. If the UI requires an inline bootstrap script, permit that one script with a per-request nonce ('nonce-...') or a content hash ('sha256-...') rather than blanket inline execution.
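The following is an added example, not code from staking-api-service or from the Babylon Labs fix. It keeps the per-path selection shown in the finding but issues a fresh nonce for each /swagger/* request instead of 'unsafe-inline', renders that nonce into the UI's single inline bootstrap script, and includes a small checker that flags any policy whose effective script-src still contains 'unsafe-inline'. The path prefix, the policy contents, the CDN origin and the shortened weak policy used to exercise the checker are all assumptions for illustration.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative code only (not the project's): per-path CSP with a nonce for swagger.
const swaggerPathPrefix = "/swagger/"

// defaultCSP is the strict policy for every non-swagger route (assumed value).
const defaultCSP = "default-src 'self'; object-src 'none'; base-uri 'self'"

// weakSwaggerCSP is a constructed, shortened policy of the kind the finding
// describes, used below only to show the checker flagging 'unsafe-inline'.
const weakSwaggerCSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com"

type nonceKey struct{}

// newNonce returns 128 random bits, base64-encoded, for a 'nonce-...' source.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// swaggerCSP permits inline script only when it carries this request's nonce;
// all other scripts must come from 'self' or the (assumed) CDN origin.
func swaggerCSP(nonce string) string {
	return strings.Join([]string{
		"default-src 'self'",
		"script-src 'self' 'nonce-" + nonce + "' https://cdnjs.cloudflare.com",
		"style-src 'self' https://cdnjs.cloudflare.com",
		"img-src 'self' data:",
		"object-src 'none'",
		"base-uri 'self'",
	}, "; ")
}

// cspMiddleware chooses the policy by path, as in the finding, but generates a
// nonce for swagger requests and hands it to the handler through the context.
func cspMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		csp := defaultCSP
		if strings.HasPrefix(r.URL.Path, swaggerPathPrefix) {
			nonce, err := newNonce()
			if err != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
				return
			}
			csp = swaggerCSP(nonce)
			r = r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce))
		}
		w.Header().Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}

// swaggerPage stands in for the UI handler: its one inline script carries the
// nonce and runs; an injected inline script without the nonce is blocked.
func swaggerPage(w http.ResponseWriter, r *http.Request) {
	nonce, _ := r.Context().Value(nonceKey{}).(string)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<!doctype html><script nonce=%q>SwaggerUIBundle({url:"/swagger/doc.json"})</script>`, nonce)
}

// scriptSrc returns the sources of script-src, falling back to default-src
// when script-src is absent, which mirrors how browsers resolve the directive.
func scriptSrc(csp string) []string {
	var fallback []string
	for _, d := range strings.Split(csp, ";") {
		f := strings.Fields(d)
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "script-src":
			return f[1:]
		case "default-src":
			fallback = f[1:]
		}
	}
	return fallback
}

// allowsUnsafeInline is the review check: does the effective script-src allow inline script?
func allowsUnsafeInline(csp string) bool {
	for _, src := range scriptSrc(csp) {
		if src == "'unsafe-inline'" {
			return true
		}
	}
	return false
}

// cspFor runs one request through the middleware and returns the header it set.
func cspFor(path string) string {
	mux := http.NewServeMux()
	mux.HandleFunc(swaggerPathPrefix, swaggerPage)
	rec := httptest.NewRecorder()
	cspMiddleware(mux).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, p := range []string{"/v1/staker/delegations", "/swagger/index.html"} {
		fmt.Printf("%-24s unsafe-inline=%v\n  %s\n", p, allowsUnsafeInline(cspFor(p)), cspFor(p))
	}
	fmt.Println("constructed weak policy flagged:", allowsUnsafeInline(weakSwaggerCSP))
}
```

Because the nonce is generated per request, a reflected or stored payload cannot predict it, so injected <script> tags fail the policy while the UI's own bootstrap script still runs. If the served Swagger UI has no inline script at all, drop the nonce as well and leave script-src at 'self' plus the exact CDN origins in use.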

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit b91749b3.

Zellic © 2025