security/fix-swagger-info-leak-m02 (#29283)

Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
2025-12-15 11:24:06 +08:00
parent 7fead6a9da
commit 355a2356d4
4 changed files with 61 additions and 8 deletions
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@@ -1221,9 +1221,19 @@ class WorkflowLogConfig(BaseSettings):


 class SwaggerUIConfig(BaseSettings):
-    SWAGGER_UI_ENABLED: bool = Field(
-        description="Whether to enable Swagger UI in api module",
-        default=True,
+    """
+    Configuration for Swagger UI documentation.
+
+    Security Note: Swagger UI is automatically disabled in PRODUCTION environment
+    to prevent API information disclosure. Set SWAGGER_UI_ENABLED=true explicitly
+    to enable in production if needed.
+    """
+
+    SWAGGER_UI_ENABLED: bool | None = Field(
+        description="Whether to enable Swagger UI in api module. "
+        "Automatically disabled in PRODUCTION environment for security. "
+        "Set to true explicitly to enable in production.",
+        default=None,
    )

    SWAGGER_UI_PATH: str = Field(
@@ -1231,6 +1241,23 @@ class SwaggerUIConfig(BaseSettings):
        default="/swagger-ui.html",
    )

+    @property
+    def swagger_ui_enabled(self) -> bool:
+        """
+        Compute whether Swagger UI should be enabled.
+
+        If SWAGGER_UI_ENABLED is explicitly set, use that value.
+        Otherwise, disable in PRODUCTION environment for security.
+        """
+        if self.SWAGGER_UI_ENABLED is not None:
+            return self.SWAGGER_UI_ENABLED
+
+        # Auto-disable in production environment
+        import os
+
+        deploy_env = os.environ.get("DEPLOY_ENV", "PRODUCTION")
+        return deploy_env.upper() != "PRODUCTION"
+

 class TenantIsolatedTaskQueueConfig(BaseSettings):
    TENANT_ISOLATED_TASK_CONCURRENCY: int = Field(