Category: Coding Mistakes
Unsafe swagger Content Security Policy
Low Severity
Low Impact
Low Likelihood
Description
The default Content-Security-Policy (CSP) header value for staking-api-service is safe, but a second CSP is used for /swagger/* routes:

```go
// CSP for /swagger/* path
swaggerCSP := "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://stackpath.bootstrap.com ..."

// Choose the appropriate CSP based on the request path
csp := defaultCSP
if strings.HasPrefix(r.URL.Path, swaggerPathPrefix) {
    csp = swaggerCSP
}
```
This CSP is unsafe because the script-src directive allows 'unsafe-inline', which permits the execution of in-line scripts.
Impact
If an attacker were able to find cross-site scripting on a /swagger/* path, they would be able to execute arbitrary JavaScript.
The exploitability depends on the security of the http-swagger Go package, but there are known issues with the package.
Recommendations
Replace 'unsafe-inline' in the script-src directive with the minimum set of JavaScript sources required for swagger to run.
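As an added example (not code from staking-api-service or Babylon Labs), the Go program below reproduces the path-based CSP selection from the finding, places the weak swagger policy beside a hardened one that lists only concrete origins, and adds a small checker that parses a CSP header and reports whether in-line script execution is permitted. The policy strings, the value of swaggerPathPrefix and the allow-listed CDN origin are constructed for illustration; the checker also applies the browser rule that 'unsafe-inline' is ignored when a nonce or hash source is present in the same directive.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed policies for illustration; not the service's real directives.
const defaultCSP = "default-src 'self'; script-src 'self'; object-src 'none'"

// Weak: 'unsafe-inline' lets any injected <script> element run.
const unsafeSwaggerCSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com"

// Hardened: only the origins the swagger page actually loads from (hypothetical allow-list).
const hardenedSwaggerCSP = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; " +
	"style-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data:"

// Assumed value of the prefix used by the service.
const swaggerPathPrefix = "/swagger/"

// parseCSP splits a CSP header into directive name -> source expressions.
func parseCSP(csp string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(csp, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// allowsInlineScript reports whether the policy permits in-line scripts.
// script-src governs; default-src is the fallback when script-src is absent.
// A nonce or hash source causes CSP Level 2+ browsers to ignore 'unsafe-inline'.
func allowsInlineScript(csp string) bool {
	dirs := parseCSP(csp)
	srcs, ok := dirs["script-src"]
	if !ok {
		srcs = dirs["default-src"]
	}
	unsafeInline, nonceOrHash := false, false
	for _, s := range srcs {
		switch {
		case s == "'unsafe-inline'":
			unsafeInline = true
		case strings.HasPrefix(s, "'nonce-"), strings.HasPrefix(s, "'sha256-"),
			strings.HasPrefix(s, "'sha384-"), strings.HasPrefix(s, "'sha512-"):
			nonceOrHash = true
		}
	}
	return unsafeInline && !nonceOrHash
}

// cspMiddleware mirrors the finding: pick the policy by request path.
func cspMiddleware(next http.Handler, swaggerCSP string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		csp := defaultCSP
		if strings.HasPrefix(r.URL.Path, swaggerPathPrefix) {
			csp = swaggerCSP
		}
		w.Header().Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}

// headerFor returns the CSP header a GET for path would receive under the given swagger policy.
func headerFor(path, swaggerCSP string) string {
	noop := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	rec := httptest.NewRecorder()
	cspMiddleware(noop, swaggerCSP).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, p := range []string{"/healthcheck", "/swagger/index.html"} {
		fmt.Printf("%-22s weak policy allows inline: %-5v hardened allows inline: %v\n", p,
			allowsInlineScript(headerFor(p, unsafeSwaggerCSP)),
			allowsInlineScript(headerFor(p, hardenedSwaggerCSP)))
	}
}
```

Running the program shows that non-swagger paths keep the safe default policy under either configuration, while only the weak swagger policy reports in-line scripts as allowed on /swagger/ paths. The checker is the kind of assertion worth keeping in a handler test so that a future edit cannot reintroduce 'unsafe-inline' unnoticed.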
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit b91749b3.