fix(security): replace regular expressions in path builders (#3504)

Refs #3503 --------- Co-authored-by: Vladimir Gorej <vladimir.gorej@gmail.com>
swagger-api · May 8, 2024 · 642a87c · 642a87c
1 parent 10cbc2e
commit 642a87c
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 16 deletions.
diff --git a/config/webpack/browser.config.babel.js b/config/webpack/browser.config.babel.js
@@ -63,7 +63,7 @@ const browserMin = {
   devtool: 'source-map',
   performance: {
     hints: 'error',
-    maxEntrypointSize: 440000,
+    maxEntrypointSize: 460000,
     maxAssetSize: 50000000,
   },
   output: {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -122,6 +122,7 @@
     "js-yaml": "^4.1.0",
     "node-abort-controller": "^3.1.1",
     "node-fetch-commonjs": "^3.3.2",
+    "openapi-path-templating": "^1.5.1",
     "qs": "^6.10.2",
     "traverse": "=0.6.8"
   },

diff --git a/src/execute/index.js b/src/execute/index.js
@@ -265,6 +265,7 @@ export function buildRequest(options) {
         value,
         operation,
         spec,
+        pathName,
       });
     }
   });

diff --git a/src/execute/oas3/parameter-builders.js b/src/execute/oas3/parameter-builders.js
@@ -1,28 +1,41 @@
+import { resolve as resolvePathTemplate } from 'openapi-path-templating';
+
 import stylize, { encodeCharacters } from './style-serializer.js';
 import serialize from './content-serializer.js';
 
-export function path({ req, value, parameter }) {
+export function path({ req, value, parameter, pathName }) {
   const { name, style, explode, content } = parameter;
 
   if (value === undefined) return;
 
+  let resolvedPathname;
+
   if (content) {
     const effectiveMediaType = Object.keys(content)[0];
 
-    req.url = req.url
-      .split(`{${name}}`)
-      .join(encodeCharacters(serialize(value, effectiveMediaType)));
+    resolvedPathname = resolvePathTemplate(
+      pathName,
+      { [name]: value },
+      { encoder: (val) => encodeCharacters(serialize(val, effectiveMediaType)) }
+    );
   } else {
-    const styledValue = stylize({
-      key: parameter.name,
-      value,
-      style: style || 'simple',
-      explode: explode || false,
-      escape: 'reserved',
-    });
-
-    req.url = req.url.replace(new RegExp(`{${name}}`, 'g'), styledValue);
+    resolvedPathname = resolvePathTemplate(
+      pathName,
+      { [name]: value },
+      {
+        encoder: (val) =>
+          stylize({
+            key: parameter.name,
+            value: val,
+            style: style || 'simple',
+            explode: explode || false,
+            escape: 'reserved',
+          }),
+      }
+    );
   }
+
+  req.url = req.url.replace(pathName, resolvedPathname);
 }
 
 export function query({ req, value, parameter }) {

diff --git a/src/execute/swagger2/parameter-builders.js b/src/execute/swagger2/parameter-builders.js
@@ -1,3 +1,5 @@
+import { resolve as resolvePathTemplate } from 'openapi-path-templating';
+
 // These functions will update the request.
 // They'll be given {req, value, paramter, spec, operation}.
 
@@ -49,9 +51,11 @@ function headerBuilder({ req, parameter, value }) {
 }
 
 // Replace path paramters, with values ( ie: the URL )
-function pathBuilder({ req, value, parameter }) {
+function pathBuilder({ req, value, parameter, pathName }) {
   if (value !== undefined) {
-    req.url = req.url.replace(new RegExp(`{${parameter.name}}`, 'g'), encodeURIComponent(value));
+    const resolvedPathname = resolvePathTemplate(pathName, { [parameter.name]: value });
+
+    req.url = req.url.replace(pathName, resolvedPathname);
   }
 }