Security: External CDN Scripts in Swagger UI

[tomaioo]

Summary

Security: External CDN Scripts in Swagger UI

Problem

Severity: High | File: packages/fets/src/swagger-ui.html:L38

In packages/fets/src/swagger-ui.html, external scripts are loaded from unpkg.com CDN without integrity checks. This makes the application vulnerable to supply chain attacks if the CDN is compromised.

Solution

Add Subresource Integrity (SRI) hashes to the external script tags. For example: <script src='https://unpkg.com/swagger-ui-dist/swagger-ui-bundle.js' crossorigin integrity='sha384-...'></script>

Changes

• packages/fets/src/swagger-ui.html (modified)

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated Swagger UI CDN resources to pinned versions for improved stability and security with integrity attribute verification.

Walkthrough

The Swagger UI HTML file updates CDN resource URLs to use pinned @5.11.0 versions for both CSS and JavaScript bundles, replacing unpinned references. An integrity attribute is added to the script tag for subresource integrity verification.

Changes

Swagger UI Dependency Pinning

Layer / File(s)	Summary
Resource Versioning packages/fets/src/swagger-ui.html	Swagger UI CSS and JS bundle URLs pinned to @5.11.0 with added integrity attribute on the script tag for security verification.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through versioned lands,
No floating URLs in our hands!
With @5.11.0 pinned so tight,
And integrity hashes burning bright,
Our dependencies now stand their ground! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding security measures (SRI integrity checks) to external CDN scripts in Swagger UI.
Description check	✅ Passed	The description clearly explains the security vulnerability, the severity, the solution with SRI hashes, and the affected file, all directly related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/fets/src/swagger-ui.html (1)

12-12: ⚖️ Poor tradeoff

CSS @import inside <style> blocks cannot carry SRI

The version pin to @5.11.0 is a good improvement, but SRI (integrity attribute) only applies to <link> and <script> elements — not to CSS @import rules inside a <style> block. Both CDN-loaded stylesheets (lines 9 and 12) remain unprotected against supply-chain tampering.

To get SRI coverage on the CSS, convert the @import rules to <link rel="stylesheet"> elements with integrity and crossorigin attributes. This would also require restructuring the prefers-color-scheme conditional loading logic.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/fets/src/swagger-ui.html` at line 12, The CSS `@import` inside the
<style> block (the line importing
"https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" with
"(prefers-color-scheme: light)") cannot use SRI, so replace that `@import` with a
<link rel="stylesheet"> element that includes integrity and crossorigin
attributes; move the other CDN stylesheet import(s) from style-based `@import`
into <link> tags as well, and implement the prefers-color-scheme conditional by
using link[media="(prefers-color-scheme: light)"] /
link[media="(prefers-color-scheme: dark)"] or by programmatically switching
hrefs in the document head, ensuring each <link> includes the correct integrity
hash and crossorigin="anonymous". Update the swagger-ui.html head where the
`@import` occurs and remove the `@import` rule from the <style> block.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/fets/src/swagger-ui.html`:
- Line 45: Replace the fake integrity attribute on the script tag that loads
swagger-ui-bundle.js: compute the real SHA-384 SRI value (e.g., by fetching
https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js and running
openssl dgst -sha384 -binary | openssl base64 -A) and update the integrity="..."
attribute on the <script src="...swagger-ui-bundle.js"> element so the integrity
value matches the actual file; keep crossorigin as-is and do not merge until the
computed hash replaces the placeholder.

---

Nitpick comments:
In `@packages/fets/src/swagger-ui.html`:
- Line 12: The CSS `@import` inside the <style> block (the line importing
"https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" with
"(prefers-color-scheme: light)") cannot use SRI, so replace that `@import` with a
<link rel="stylesheet"> element that includes integrity and crossorigin
attributes; move the other CDN stylesheet import(s) from style-based `@import`
into <link> tags as well, and implement the prefers-color-scheme conditional by
using link[media="(prefers-color-scheme: light)"] /
link[media="(prefers-color-scheme: dark)"] or by programmatically switching
hrefs in the document head, ensuring each <link> includes the correct integrity
hash and crossorigin="anonymous". Update the swagger-ui.html head where the
`@import` occurs and remove the `@import` rule from the <style> block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4e785a5a-aec4-4f4e-b15a-855e21e5004b

📥 Commits

Reviewing files that changed from the base of the PR and between 7f4e959 and e3ffc92.

📒 Files selected for processing (1)

• packages/fets/src/swagger-ui.html

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

The SRI hash is a fake placeholder — Swagger UI will be completely broken

The integrity value sha384-7u9nq7L2L5R2LqS3Q3L9L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5 is not a real cryptographic hash. The trailing segment is a repeating L5 pattern — a telltale sign of a manually typed placeholder, not an actual SHA-384 digest.

SRI works by allowing you to provide a cryptographic hash that a fetched resource must match. If the computed value for the downloaded file is different from the listed attribute, the script does not run. A wrong hash does not degrade gracefully — the browser will block the script entirely, rendering Swagger UI non-functional for all users.

Compute the real hash before merging. The canonical one-liner is:

curl -s https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js | \
  openssl dgst -sha384 -binary | openssl base64 -A

Then update the attribute:

- <script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" crossorigin integrity="sha384-7u9nq7L2L5R2LqS3Q3L9L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5L5"></script>
+ <script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" crossorigin="anonymous" integrity="sha384-<REAL_HASH>"></script>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/fets/src/swagger-ui.html` at line 45, Replace the fake integrity
attribute on the script tag that loads swagger-ui-bundle.js: compute the real
SHA-384 SRI value (e.g., by fetching
https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js and running
openssl dgst -sha384 -binary | openssl base64 -A) and update the integrity="..."
attribute on the <script src="...swagger-ui-bundle.js"> element so the integrity
value matches the actual file; keep crossorigin as-is and do not merge until the
computed hash replaces the placeholder.

[Copilot]

Pull request overview

Mitigates supply-chain risk in the generated Swagger UI HTML by pinning CDN assets and adding Subresource Integrity metadata for externally loaded scripts.

Changes:

• Pin swagger-ui-dist CDN URLs to @5.11.0 for Swagger UI CSS and bundle JS.
• Add an integrity attribute to the external swagger-ui-bundle.js script tag.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.