Fix reported vulnerability (#290)

zmievsa · web-flow · commit b424ecd57cd8 · 2025-07-05T19:33:56.000+02:00
diff --git a/.all-contributorsrc b/.all-contributorsrc
@@ -1,4 +1,4 @@
 {
     "projectName": "cadwyn",
     "projectOwner": "zmievsa"
-}
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ Please follow [the Keep a Changelog standard](https://keepachangelog.com/en/1.0.
 
 ## [Unreleased]
 
+## [5.4.3]
+
+### Fixed
+
+* XSS vulnerability in `/docs` and `/redoc` endpoints where the `version` parameter was not properly sanitized, allowing potential cross-site scripting attacks
+
 ## [5.4.2]
 
 ### Fixed
diff --git a/cadwyn/applications.py b/cadwyn/applications.py
@@ -5,6 +5,7 @@
 from logging import getLogger
 from pathlib import Path
 from typing import TYPE_CHECKING, Annotated, Any, Optional, Union, cast
+from urllib.parse import quote
 
 import fastapi
 from fastapi import APIRouter, FastAPI, HTTPException, routing
@@ -389,7 +390,7 @@ async def swagger_dashboard(self, req: Request) -> Response:
 
         if version:
             root_path = self._extract_root_path(req)
-            openapi_url = root_path + f"{self.openapi_url}?version={version}"
+            openapi_url = root_path + f"{self.openapi_url}?version={quote(version, safe='')}"
             oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url
             if oauth2_redirect_url:
                 oauth2_redirect_url = root_path + oauth2_redirect_url
@@ -407,7 +408,7 @@ async def redoc_dashboard(self, req: Request) -> Response:
 
         if version:
             root_path = self._extract_root_path(req)
-            openapi_url = root_path + f"{self.openapi_url}?version={version}"
+            openapi_url = root_path + f"{self.openapi_url}?version={quote(version, safe='')}"
             return get_redoc_html(openapi_url=openapi_url, title=f"{self.title} - ReDoc")
 
         return self._render_docs_dashboard(req, docs_url=cast("str", self.redoc_url))
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "cadwyn"
-version = "5.4.2"
+version = "5.4.3"
 description = "Production-ready community-driven modern Stripe-like API versioning in FastAPI"
 authors = [{ name = "Stanislav Zmiev", email = "zmievsa@gmail.com" }]
 license = "MIT"
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`	`2`	`"projectName": "cadwyn",`
`3`	`3`	`"projectOwner": "zmievsa"`
`4`		`-}`
	`4`	`+}`