fix(parser): validate cookie parameter name

ogen-go · Mar 1, 2023 · 3eb6d6f · 3eb6d6f
1 parent 3a0d414
commit 3eb6d6f
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/openapi/parser/_testdata/negative/parameters/cookie/invalid_cookie_name.json b/openapi/parser/_testdata/negative/parameters/cookie/invalid_cookie_name.json
@@ -0,0 +1,29 @@
+{
+  "openapi": "3.0.3",
+  "info": {
+    "title": "title",
+    "version": "v0.1.0"
+  },
+  "paths": {
+    "/foo": {
+      "get": {
+        "parameters": [
+          {
+            "name": "",
+            "in": "cookie",
+            "style": "form",
+            "explode": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "User info"
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/openapi/parser/parse_parameter.go b/openapi/parser/parse_parameter.go
@@ -7,6 +7,7 @@ import (
 	"golang.org/x/net/http/httpguts"
 
 	"github.com/ogen-go/ogen"
+	"github.com/ogen-go/ogen/internal/httpcookie"
 	"github.com/ogen-go/ogen/internal/jsonpointer"
 	"github.com/ogen-go/ogen/internal/location"
 	"github.com/ogen-go/ogen/jsonschema"
@@ -110,6 +111,11 @@ func (p *parser) validateParameter(
 			err := errors.Errorf("invalid header name %q", name)
 			return p.wrapField("name", file, locator, err)
 		}
+	case openapi.LocationCookie:
+		if !httpcookie.IsCookieNameValid(name) {
+			err := errors.Errorf("invalid cookie name %q", name)
+			return p.wrapField("name", file, locator, err)
+		}
 	}
 	return nil
 }