Dependency 'uri-template-lite' does not pass strict Content Security Policy #1007

Closed
MrFix93 opened this issue Aug 7, 2019 · 9 comments

Comments

@MrFix93
Contributor

MrFix93 commented Aug 7, 2019

Our application uses a strict Content Security Policy (script-src 'self'). This policy does not allow any runtime code generation. However, Redoc is not able to render anymore as the dependency, uri-template-lite, defines functions by concatenating strings. This practice is vulnerable to XSS attacks as we can hardly distinguish XSS attacks from normal behaviour.

The error you get when the CSP policy is strict:

Something went wrong...
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
Stack trace
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".

    at Function (<anonymous>)
    at new e.Template (http://localhost:8080/main.8c597251c61602a065f6.js:159:1365)
    at Pe (http://localhost:8080/main.8c597251c61602a065f6.js:48:215000)
    at http://localhost:8080/main.8c597251c61602a065f6.js:48:215957
    at je (http://localhost:8080/main.8c597251c61602a065f6.js:48:216496)
    at t.render (http://localhost:8080/main.8c597251c61602a065f6.js:48:311495)
    at Oo (http://localhost:8080/main.8c597251c61602a065f6.js:69:63010)
    at To (http://localhost:8080/main.8c597251c61602a065f6.js:69:62805)
    at Ro (http://localhost:8080/main.8c597251c61602a065f6.js:69:66639)
    at $a (http://localhost:8080/main.8c597251c61602a065f6.js:69:90683)

ReDoc Version: 2.0.0-rc.12 
Commit: 36ebbb1

Currently, I'm preparing a PR to fix this issue.
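For anyone hitting this, here is an added example (not Redoc's or uri-template-lite's code) of the CSP-compatible alternative to code generation: an RFC 6570 expander that interprets the template with a regular expression and an operator table instead of building a function body from strings, so it runs under script-src 'self' without 'unsafe-eval'. It covers the operators that show up in OpenAPI server URLs and deliberately leaves out the `*` explode and `:n` prefix modifiers.

```javascript
// Added example: a small RFC 6570 expander with no eval/new Function, so it is
// allowed by a strict CSP. Operator table per RFC 6570 section 3.2.
const OPERATORS = {
  "":  { prefix: "",  sep: ",", named: false, reserved: false },
  "+": { prefix: "",  sep: ",", named: false, reserved: true  },
  "#": { prefix: "#", sep: ",", named: false, reserved: true  },
  ".": { prefix: ".", sep: ".", named: false, reserved: false },
  "/": { prefix: "/", sep: "/", named: false, reserved: false },
  ";": { prefix: ";", sep: ";", named: true,  reserved: false },
  "?": { prefix: "?", sep: "&", named: true,  reserved: false },
  "&": { prefix: "&", sep: "&", named: true,  reserved: false },
};

// Simple expansion: everything but unreserved chars is pct-encoded.
// encodeURIComponent leaves !'()* alone, RFC 6570 requires them escaped.
function encodeUnreserved(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Reserved expansion ({+var}, {#var}): keep reserved chars and any
// pct-encoded triplet already present; encode everything else.
function encodeReserved(s) {
  return String(s).split(/(%[0-9A-Fa-f]{2})/)
    .map(p => /^%[0-9A-Fa-f]{2}$/.test(p) ? p : encodeURI(p)).join("");
}

// Expand `template` with `vars`; undefined/null variables are skipped.
function expand(template, vars) {
  return template.replace(/\{([+#./;?&]?)([^{}]+)\}/g, (_, op, list) => {
    const spec = OPERATORS[op];
    const enc = spec.reserved ? encodeReserved : encodeUnreserved;
    const parts = [];
    for (const name of list.split(",")) {
      const value = vars[name];
      if (value === undefined || value === null) continue;
      const text = enc(String(value));
      if (!spec.named) parts.push(text);
      else if (text === "" && op === ";") parts.push(name); // {;empty} -> ";empty"
      else parts.push(name + "=" + text);                   // {?empty} -> "?empty="
    }
    return parts.length ? spec.prefix + parts.join(spec.sep) : "";
  });
}
```

Expected results follow the examples in RFC 6570 section 1.2; e.g. an OpenAPI-style server template "https://{host}{/basePath}/pets{?limit}" with host "api.example.com", basePath "v1" and limit 10 expands to "https://api.example.com/v1/pets?limit=10".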

@RomanHotsiy
Member

Oh.. A lot of issues emerged after merging PR with uri-template-lite...

> Currently, I'm preparing a PR to fix this issue.

Awesome! 👍 How are you going to fix it?

@MrFix93
Contributor Author

MrFix93 commented Aug 7, 2019

I'm swapping uri-template-lite for url-template.

@RomanHotsiy
Member

The only thing that I am concerned about is that url-template was last updated 3 years ago. But considering it doesn't have any dependencies, I don't think it's an issue.

MrFix93 pushed a commit to MrFix93/redoc that referenced this issue Aug 7, 2019
Use a different url template dependency that does not have the XSS
vulnerability as stated in Redocly#1007.

Also corrected a test that did not conform to the spec.
@MartinKanters

I would love to see this in a new version! We are currently blocked by this pretty heavily. Any idea when a new release candidate can be released?

@RomanHotsiy
Member

Going to release a new version on the weekend.

@MartinKanters

Perfect, thanks!

@MrFix93
Contributor Author

MrFix93 commented Sep 2, 2019

@RomanHotsiy Any update on releasing the fix? Unfortunately, we are still blocked by this issue.

@MartinKanters

@RomanHotsiy Sorry to bother you again, Roman, but can I help somehow to streamline the release process? I don't want to be a nuisance, but this PR improves the security of the project a lot :)

@RomanHotsiy
Member

Sorry for the super long delay. I was traveling. I am about to release a new version.
