# How do I disable the petstore example in @nestjs/swagger?
18 messages · Page 1 of 1 (latest)
Yes, others mentioned this!
- #1078231748304977931 message
- https://stackoverflow.com/questions/43888952
I believe this is a routing bug in @nestjs/swagger where it doesn't have a proper handler for index.html, making it fall back to the default swagger template and skip rendering the document. (Press ctrl+u in your browser and compare those two pages.) related file 👈🏼
Unfortunately, this is a low-priority bug, and it takes a lot of energy to convince Kamil that something is actually a bug!
Please create a new GH issue, reference the previous ones, and provide as much context as possible. A short screen recording or some screenshots would help. 🙂
Hey folks, any news about this bug? I can see that the same behavior happens to the /api/api route.
do you know if there is any open issue on github (https://github.com/nestjs/swagger/issues) about this bug? the ones I found looked like Kamil didn't get that this is a bug
I don't see any open issue for that
Do you mind opening a new one clarifying why you believe this is a bug on the @nestjs/swagger side?
Yea sure, I'll try to make one tomorrow
then I'll try to fix that next weekend
Hi @foggy storm, I'm not sure whether this bug has been resolved; I'm having the same issue. If it has been resolved, please update me with the best patch.
Package: @nestjs/swagger
Version: 8.0.7
Env: MacOS, Linux
```typescript
import { NestFactory } from '@nestjs/core'
import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger'
import { AppModule } from './app.module'

async function bootstrap() {
  const app = await NestFactory.create(AppModule)

  // OpenAPI metadata for the generated document
  const config = new DocumentBuilder()
    .setTitle('Cats example')
    .setDescription('The cats API description')
    .setVersion('1.0')
    .addTag('cats')
    .build()

  // Document is built lazily on first request to the swagger route
  const documentFactory = () =>
    SwaggerModule.createDocument(app, config, { deepScanRoutes: false })

  // Serves Swagger UI under /api (and the JSON spec under /api-json)
  SwaggerModule.setup('api', app, documentFactory)

  await app.listen(process.env.PORT ?? 3333)
}

bootstrap()
```
How did you test it? Can you provide a reproduction code?
@foggy storm I have a new update on my comment
Why are you sending a request to /api/api/? That isn't what has been discussed here.
Yes, I saw this on https://github.com/nestjs/swagger/issues/2475. And the bug can be used to inject HTML.
Why would you send a request to /api/api/? It doesn't matter what the server responds with, tbh; the client shouldn't be hitting that route in the first place.
It should be a 404. But somehow it's still accessible. And I guess it's coming from @nestjs/swagger
And through this path, I can perform an attack by injecting HTML. It's really dangerous, and we're having this issue, so I've reported it to you and wanted to confirm that this bug hasn't been fixed.
It should be a 404.
You may be correct, the logic for handling routes is not as strict as it should be.
Please feel free to document your thoughts in detail and in a structured format and submit them as a GitHub issue. It is not acceptable to make vague statements like "I can perform an HTML injection attack" or "oh, it's very dangerous" without providing sound reasoning to support those claims.
Sorry for my omission; I added a video of the bug proof from @nestjs/swagger.