avoid code injection in php api client

2016-06-27 21:51:27 +08:00
parent 31092585f0
commit 1638adb79e
49 changed files with 608 additions and 599 deletions
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/CodegenConfig.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/CodegenConfig.java
@@ -57,6 +57,8 @@ public interface CodegenConfig {

    String escapeText(String text);

+    String escapeUnsafeCharacters(String input);
+
    String escapeReservedWord(String name);

    String getTypeDeclaration(Property p);
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
@@ -330,13 +330,29 @@ public class DefaultCodegen {
    // override with any special text escaping logic
    @SuppressWarnings("static-method")
    public String escapeText(String input) {
-        if (input != null) {
-            // remove \t, \n, \r
-            // repalce \ with \\
-            // repalce " with \"
-            // outter unescape to retain the original multi-byte characters
-            return StringEscapeUtils.unescapeJava(StringEscapeUtils.escapeJava(input).replace("\\/", "/")).replaceAll("[\\t\\n\\r]"," ").replace("\\", "\\\\").replace("\"", "\\\"");
+        if (input == null) {
+            return input;
        }
+
+        // remove \t, \n, \r
+        // repalce \ with \\
+        // repalce " with \"
+        // outter unescape to retain the original multi-byte characters
+        // finally escalate characters avoiding code injection
+        return escapeUnsafeCharacters(StringEscapeUtils.unescapeJava(StringEscapeUtils.escapeJava(input).replace("\\/", "/")).replaceAll("[\\t\\n\\r]"," ").replace("\\", "\\\\").replace("\"", "\\\""));
+    }
+
+    /**
+     * override with any special text escaping logic to handle unsafe
+     * characters so as to avoid code injection
+     * @param input String to be cleaned up
+     * @return string with unsafe characters removed or escaped
+     */
+    public String escapeUnsafeCharacters(String input) {
+        // doing nothing by default and code generator should implement
+        // the logic to prevent code injection
+        // later we'll make this method abstract to make sure
+        // code generator implements this method
        return input;
    }

--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultGenerator.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultGenerator.java
@@ -144,10 +144,10 @@ public class DefaultGenerator extends AbstractGenerator implements Generator {
        if (swagger.getInfo() != null) {
            Info info = swagger.getInfo();
            if (info.getTitle() != null) {
-                config.additionalProperties().put("appName", info.getTitle());
+                config.additionalProperties().put("appName", config.escapeText(info.getTitle()));
            }
            if (info.getVersion() != null) {
-                config.additionalProperties().put("appVersion", info.getVersion());
+                config.additionalProperties().put("appVersion", config.escapeText(info.getVersion()));
            }
            if (info.getDescription() != null) {
                config.additionalProperties().put("appDescription",
@@ -155,25 +155,25 @@ public class DefaultGenerator extends AbstractGenerator implements Generator {
            }
            if (info.getContact() != null) {
                Contact contact = info.getContact();
-                config.additionalProperties().put("infoUrl", contact.getUrl());
+                config.additionalProperties().put("infoUrl", config.escapeText(contact.getUrl()));
                if (contact.getEmail() != null) {
-                    config.additionalProperties().put("infoEmail", contact.getEmail());
+                    config.additionalProperties().put("infoEmail", config.escapeText(contact.getEmail()));
                }
            }
            if (info.getLicense() != null) {
                License license = info.getLicense();
                if (license.getName() != null) {
-                    config.additionalProperties().put("licenseInfo", license.getName());
+                    config.additionalProperties().put("licenseInfo", config.escapeText(license.getName()));
                }
                if (license.getUrl() != null) {
-                    config.additionalProperties().put("licenseUrl", license.getUrl());
+                    config.additionalProperties().put("licenseUrl", config.escapeText(license.getUrl()));
                }
            }
            if (info.getVersion() != null) {
-                config.additionalProperties().put("version", info.getVersion());
+                config.additionalProperties().put("version", config.escapeText(info.getVersion()));
            }
            if (info.getTermsOfService() != null) {
-                config.additionalProperties().put("termsOfService", info.getTermsOfService());
+                config.additionalProperties().put("termsOfService", config.escapeText(info.getTermsOfService()));
            }
        }
        
@@ -184,7 +184,7 @@ public class DefaultGenerator extends AbstractGenerator implements Generator {
        StringBuilder hostBuilder = new StringBuilder();
        String scheme;
        if (swagger.getSchemes() != null && swagger.getSchemes().size() > 0) {
-            scheme = swagger.getSchemes().get(0).toValue();
+            scheme = config.escapeText(swagger.getSchemes().get(0).toValue());
        } else {
            scheme = "https";
        }
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/PhpClientCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/PhpClientCodegen.java
@@ -662,4 +662,10 @@ public class PhpClientCodegen extends DefaultCodegen implements CodegenConfig {
        }
        return objs;
    }
+
+    @Override
+    public String escapeUnsafeCharacters(String input) {
+        return input.replace("*/", "");
+    }
+
 }