
fix(security): escape regular expression created from user input (#3506)
Refs #3505
glowcloud authored May 8, 2024
1 parent 43e55ec commit 013edf9
Showing 3 changed files with 4 additions and 1 deletion.
1 change: 1 addition & 0 deletions package-lock.json


1 change: 1 addition & 0 deletions package.json
Expand Up @@ -124,6 +124,7 @@
"node-fetch-commonjs": "^3.3.2",
"openapi-path-templating": "^1.5.1",
"qs": "^6.10.2",
"ramda-adjunct": "^5.0.0",
"traverse": "=0.6.8"
},
"overrides": {
3 changes: 2 additions & 1 deletion src/execute/index.js
@@ -1,5 +1,6 @@
import cookie from 'cookie';
import { isPlainObject } from 'is-plain-object';
import { escapeRegExp } from 'ramda-adjunct';
import { ApiDOMStructuredError } from '@swagger-api/apidom-error';
import { url } from '@swagger-api/apidom-reference/configuration/empty';

Expand Down Expand Up @@ -353,7 +354,7 @@ function oas3BaseUrl({ spec, pathName, method, server, contextUrl, serverVariabl
const variableDefinition = selectedServerObj.variables[variable];
const variableValue = serverVariables[variable] || variableDefinition.default;

const re = new RegExp(`{${variable}}`, 'g');
const re = new RegExp(`{${escapeRegExp(variable)}}`, 'g');
selectedServerUrl = selectedServerUrl.replace(re, variableValue);
}
});
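Review bot: Escaping the pattern fixes the search side, but the replacement on the hunk's last code line, `selectedServerUrl.replace(re, variableValue)`, still passes `variableValue` as a replacement string, so `$`-sequences in a caller-supplied `serverVariables[variable]` or in the spec's `default` (`$&`, `$1`, `$$`, and the `` $` `` / `$'` forms) are interpreted by `String.prototype.replace` rather than inserted literally. A replacer function copies the value verbatim and otherwise behaves the same: `selectedServerUrl = selectedServerUrl.replace(re, () => variableValue);`. Since the regex exists only to replace every occurrence of a literal `{variable}` token, splitting on that token and joining with `variableValue` would give the same result without a regex or the new `ramda-adjunct` dependency, if the extra package is a concern. The enclosing `oas3BaseUrl` function and the callback that iterates the server variables both start and end outside the hunk.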
