From e128c3501a8572b92ab5194843587213e20466a5 Mon Sep 17 00:00:00 2001
From: Ernesto Puerta
Date: Thu, 13 May 2021 17:43:56 +0200
Subject: [PATCH] mgr/dashboard: fix cookie injection issue

Fixes: CVE-2021-3509
Signed-off-by: Ernesto Puerta
---
 src/pybind/mgr/dashboard/controllers/docs.py | 31 ++------------------
 1 file changed, 3 insertions(+), 28 deletions(-)

diff --git a/src/pybind/mgr/dashboard/controllers/docs.py b/src/pybind/mgr/dashboard/controllers/docs.py
index 295a36ad85594..e7ed9742ab9d2 100644
--- a/src/pybind/mgr/dashboard/controllers/docs.py
+++ b/src/pybind/mgr/dashboard/controllers/docs.py
@@ -8,7 +8,7 @@
 import cherrypy
 
 from .. import DEFAULT_VERSION, mgr
 from ..api.doc import Schema, SchemaInput, SchemaType
-from . import ENDPOINT_MAP, BaseController, Controller, Endpoint, allow_empty_body
+from . import ENDPOINT_MAP, BaseController, Controller, Endpoint
 
 NO_DESCRIPTION_AVAILABLE = "*No description available*"
 
@@ -383,31 +383,13 @@ class Docs(BaseController):
     def api_all_json(self):
         return self._gen_spec(True, "/")
 
-    def _swagger_ui_page(self, all_endpoints=False, token=None):
+    def _swagger_ui_page(self, all_endpoints=False):
         base = cherrypy.request.base
         if all_endpoints:
             spec_url = "{}/docs/api-all.json".format(base)
         else:
             spec_url = "{}/docs/api.json".format(base)
 
-        auth_header = cherrypy.request.headers.get('authorization')
-        auth_cookie = cherrypy.request.cookie['token']
-        jwt_token = ""
-        if auth_cookie is not None:
-            jwt_token = auth_cookie.value
-        elif auth_header is not None:
-            scheme, params = auth_header.split(' ', 1)
-            if scheme.lower() == 'bearer':
-                jwt_token = params
-        else:
-            if token is not None:
-                jwt_token = token
-
-        api_key_callback = """, onComplete: () => {{
-            ui.preauthorizeApiKey('jwt', '{}');
-        }}
-        """.format(jwt_token)
-
         page = """
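Review bot: After the fix, `_swagger_ui_page` still interpolates request-derived data into the inline script with no escaping: `spec_url` is built from `cherrypy.request.base`, which as far as I can tell CherryPy derives from the Host header (or from the proxy tool's forwarded headers when that is enabled), and the next hunk substitutes it into the page template with `.format(spec_url)`. A Host value carrying a quote or `</script>` would reach the page by the same route the `token` cookie did; the simplest closure is to stop depending on the request at all, e.g. `spec_url = "/docs/api-all.json" if all_endpoints else "/docs/api.json"`, which resolves to the same origin because `base` only carries scheme and host. If the absolute form is wanted, pass it through `json.dumps(spec_url)` rather than a bare `"{}"` placeholder so the value is a well-formed JS string whatever it contains. A regression test that sends a `token` cookie and a Bearer header containing `'` and `</script>` and asserts neither string appears in the rendered page would pin the CVE fix against reintroduction. The template literal opened by `page = """` runs past the end of this hunk.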
@@ -448,14 +430,13 @@ class Docs(BaseController):
                     SwaggerUIBundle.presets.apis
                 ],
                 layout: "BaseLayout"
-                {}
             }})
             window.ui = ui
         }}
-        """.format(spec_url, api_key_callback)
+        """.format(spec_url)
         return page
 
@@ -463,12 +444,6 @@ class Docs(BaseController):
     def __call__(self, all_endpoints=False):
         return self._swagger_ui_page(all_endpoints)
 
-    @Endpoint('POST', path="/", json_response=False,
-              query_params="{all_endpoints}", version=None)
-    @allow_empty_body
-    def _with_token(self, token, all_endpoints=False):
-        return self._swagger_ui_page(all_endpoints, token)
-
 
 if __name__ == "__main__":
     import sys
-- 
2.39.5