Git Product home page Git Product logo

purestorage-openconnect / swagger Goto Github PK

View Code? Open in Web Editor NEW
14.0 5.0 8.0 11.37 MB

This is a tool that provides the Pure FlashArray and FlashBlade API documentation into the popular interactive Swagger UI. This lets you browse the API documentation in a convienent format and even execute API calls interactively directly to a FlashArray or FlashBlade!

License: Apache License 2.0

Shell 1.40% HTML 8.35% Python 87.78% Dockerfile 2.47%

swagger's Introduction

Pure Swagger

This is a tool that provides the Pure Storage FlashArray and FlashBlade API documentation into the popular interactive Swagger UI. This lets you browse the API documentation in a convenient format and even execute API calls interactively directly to a FlashArray or FlashBlade!

Try It:

Requires docker to be installed

docker run -it --rm -p 80:5000 quay.io/purestorage/swagger

Then open your browser to http://127.0.0.1 Then select an API spec and enter your FlashArray or FlashBlade IP.

To stop run:

just ctrl^c on the console docker container

Update to the latest version

docker pull quay.io/purestorage/swagger

Authentication Examples Videos

FlashBlade 1.x API Token

Flash Blade 1.x Token Auth

FlashArray 1.x API Token

Flash Array 1.x Token Auth

FlashArray 2.2+ API Token

Flash Array 2.x Token Auth

FlashArray 2.0+ OAuth2 API Client Auth

Flash Array 2.x OAuth2

Screenshots

Documentation in collapsable easy to read format

docs

See detailed paramater information

array_details

See body param documentation

array_details

Every Endpoint is documented !

array_details

Actually send API commands to an Array:

array_details

Start a session:

array_details

Get Controller Info:

array_details

Notes:

In order to send API calls to an array you must

  1. Have a FlashArray or FlashBlade and login credentials

swagger's People

Contributors

sile16 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

dot-sean amitabh1982 418sec mikenelson-io tlewis-ps porcupineyhairs azaman-ps

swagger's Issues

Security Vulnerability Found

Absolute Path Traversal due to incorrect use of send_file call

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

Root Cause Analysis

The os.path.join call is unsafe for use with untrusted input. When the os.path.join call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Please see the example below.

>>> import os.path
>>> static = "path/to/mySafeStaticDir"
>>> malicious = "/../../../../../etc/passwd"
>>> os.path.join(t,malicious)
'/../../../../../etc/passwd'

Since the "malicious" parameter represents an absolute path, the result of os.path.join ignores the static directory completely. Hence, untrusted input is passed via the os.path.join call to flask.send_file can lead to path traversal attacks.

In this case, the problems occurs due to the following code :

swagger/server/server.py

Line 181 in febe018

return send_file(abs_path, as_attachment=True)

Here, the req_path parameter is attacker controlled. This parameter passes through the unsafe os.path.join call making the effective directory and filename passed to the send_file call attacker controlled. This leads to a path traversal attack.

Proof of Concept

The bug can be verified using a proof of concept similar to the one shown below.

curl --path-as-is 'http://<domain>///../../../../etc/passwd"'

Remediation

This can be fixed by preventing flow of untrusted data to the vulnerable send_file function. In case the application logic necessiates this behaviour, one can either use the werkzeug.utils.safe_join to join untrusted paths or replace flask.send_file calls with flask.send_from_directory calls.

References

This bug was found using CodeQL by Github

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.