security/fix-swagger-info-leak-m02 (#29283)

Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>

api/libs/external_api.py

@@ -131,12 +131,28 @@ class ExternalApi(Api):
     }
 
     def __init__(self, app: Blueprint | Flask, *args, **kwargs):
+        import logging
+        import os
+
         kwargs.setdefault("authorizations", self._authorizations)
         kwargs.setdefault("security", "Bearer")
-        kwargs["add_specs"] = dify_config.SWAGGER_UI_ENABLED
-        kwargs["doc"] = dify_config.SWAGGER_UI_PATH if dify_config.SWAGGER_UI_ENABLED else False
+
+        # Security: Use computed swagger_ui_enabled which respects DEPLOY_ENV
+        swagger_enabled = dify_config.swagger_ui_enabled
+        kwargs["add_specs"] = swagger_enabled
+        kwargs["doc"] = dify_config.SWAGGER_UI_PATH if swagger_enabled else False
 
         # manual separate call on construction and init_app to ensure configs in kwargs effective
         super().__init__(app=None, *args, **kwargs)
         self.init_app(app, **kwargs)
         register_external_error_handlers(self)
+
+        # Security: Log warning when Swagger is enabled in production environment
+        deploy_env = os.environ.get("DEPLOY_ENV", "PRODUCTION")
+        if swagger_enabled and deploy_env.upper() == "PRODUCTION":
+            logger = logging.getLogger(__name__)
+            logger.warning(
+                "SECURITY WARNING: Swagger UI is ENABLED in PRODUCTION environment. "
+                "This may expose sensitive API documentation. "
+                "Set SWAGGER_UI_ENABLED=false or remove the explicit setting to disable."
+            )