Generate Local Swagger Documentation Security Note Missing

[ryantfowler]

This issue is a:

• Bug on the website
• New topic request
• Topic clarification request
• New DevDocs feature request
• Other

Description:

The current documentation fails to mention that on a production system the /swagger path should be considered for mitigation (either via webserver configuration or M2 Admin URL Rewrite rule). Even though this path only lists the API endpoints available to anonymous users, it can also publish information about a Magento installation, such as it being Open Source vs Commerce ... or potentially show 3rd party extensions that publish API endpoints ... allowing a potential attacker to gain information about a target.

Steps to reproduce

Simply go to a known M2 installation and update the path in the url to /swagger

Expected result:

A suggestion in the documentation that on a production system, this path should be ignored ... or at least knowledge of the fact that without any action being taken, a list of anonymous API endpoints is available to anyone requesting the /swagger path.

Possible solutions:

A simple note added to the page about a production consideration being to prevent access to this path, and adding a link to this note on a security page and production configuration page in the documentation. That way if someone is looking into suggested security configurations for M2 or if someone is looking at suggested production configurations for M2, that a link to this information is present.

Additional information:

Basically without this issue being highlighted, many M2 installations have been, and will continue to be, installed leaving a vulnerability for information gathering from a potential attacker. If a potential attacker was trying to fingerprint a site or try to identify what the underlying framework is, at the very least the /swagger path will disclose if an installation is M2 Open Source or Commerce.

If this is something that is agreed to be taken into consideration, I am happy to go about creating a PR to publish a note about this and potential steps of mitigation.

[jeff-matthews]

Hi @ryantfowler! What type of mitigations would you recommend?

[ryantfowler]

@jeff-matthews there are two fairly simple courses of mitigation. The first would be a simple webserver configuration (Nginx or Apache, etc) that prevent access to this path on a production server. The second one would be to use url rewrite rules to redirect this request path (/swagger) to the homepage (as an example).

[jeff-matthews]

Maybe we need a link to this topic?

https://devdocs.magento.com/guides/v2.2/rest/anonymous-api-security.html

[ryantfowler]

That topic is definitely on topic here, but it's specifically dealing with the APIs being made available to anonymous interaction, and not specifically about Swagger UI generating documentation on those APIs. The thrust of this issue is specifically for the Swagger UI default behavior with the /swagger path. This is why I wanted to raise the issue to see if we could at least add a note to bring this to people's attention...as once I discovered this, I was able to visit known M2 sites and immediately see information that would make any security professional cringe.

[keharper]

@ryantfowler You raise a valid point, and I'd be happy to work with you on this. I asked an internal developer about this, and he also mentioned that you can disable the swagger module as a brute force method.

[ryantfowler]

@keharper hi! Yes, this was another approach that I had thought about, which I agree would work. The two I have suggested so far are easier to implement, but I think providing a list of possible courses of actions might be good, as this could better cater to different user's level of experience. But at least pointing this out I think is important.

[ryantfowler]

Maybe we need a link to this topic?

https://devdocs.magento.com/guides/v2.2/rest/anonymous-api-security.html

@jeff-matthews I suppose that would work, as long as following the instructions on that page do, in fact, suppress any of the anonymouse API endpoints' information from being shown with the /swagger path in a store's URL.

[dobooth]

@keharper Is this still germane?