From 80666394f671ec38f363732a16ed0fb284fd295c Mon Sep 17 00:00:00 2001
From: Scott Davis
Date: Thu, 23 Jun 2016 06:06:21 -0700
Subject: [PATCH] CVE-2016-5641

---
 .../codegen/languages/AbstractJavaCodegen.java | 14 ++++++++++++++
 .../codegen/languages/JavascriptClientCodegen.java | 8 ++++++++
 .../src/main/resources/php/api.mustache | 14 ++++++++------
 .../src/main/resources/php/model.mustache | 10 ++++++----
 .../src/main/resources/php/model_generic.mustache | 8 +++++---
 .../src/main/resources/php/model_test.mustache | 5 +++--
 .../src/main/resources/php/partial_header.mustache | 7 +++----
 .../src/main/resources/ruby/api_info.mustache | 4 ++--
 8 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java
index d8ac36e78bd..ef2222a76fc 100644
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java
@@ -722,6 +722,15 @@ public abstract class AbstractJavaCodegen extends DefaultCodegen implements Code
         }
     }
 
+    @Override
+    public CodegenOperation fromOperation(String path, String httpMethod, Operation operation, Map definitions, Swagger swagger) {
+        CodegenOperation op = super.fromOperation(path, httpMethod, operation, definitions, swagger);
+
+        op.path = sanitizePath(op.path);
+
+        return op;
+    }
+
     private static CodegenModel reconcileInlineEnums(CodegenModel codegenModel, CodegenModel parentCodegenModel) {
         // This generator uses inline classes to define enums, which breaks when
         // dealing with models that have subTypes. To clean this up, we will analyze
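Review bot: The new `fromOperation` override neutralises only `"` in `op.path`, but if the path is rendered inside a Java string literal by the templates (which is what escaping the quote implies), a backslash in the spec-controlled path is still read as an escape sequence and can break or alter the literal; the JavascriptClientCodegen `sanitizePath` in the `@@ -738,6 +741,11 @@` hunk has the same gap, replacing only `'`. Consider also mapping the backslash, `return p.replace("\\", "%5C").replace("\"", "%22");`, or percent-encoding every character that is not valid in a URL path, so the escaping does not depend on which characters a given template happens to quote with — hedged, since the templates themselves are outside this patch. The override also carries no comment; a one-liner such as `// op.path is copied verbatim into a string literal by the templates; escape quotes so spec text cannot end the literal` records why the path is rewritten. The enclosing class continues outside the hunk.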
@@ -811,6 +820,11 @@ public abstract class AbstractJavaCodegen extends DefaultCodegen implements Code
         this.serializableModel = serializableModel;
     }
 
+    private String sanitizePath(String p) {
+        //prefer replace a ", instead of a fuLL URL encode for readability
+        return p.replaceAll("\"", "%22");
+    }
+
     public void setFullJavaUtil(boolean fullJavaUtil) {
         this.fullJavaUtil = fullJavaUtil;
     }
diff --git a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClientCodegen.java b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClientCodegen.java
index 6ecf9a89c0e..6f07a546c57 100644
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClientCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClientCodegen.java
@@ -684,6 +684,9 @@ public class JavascriptClientCodegen extends DefaultCodegen implements CodegenCo
             op.returnType = normalizeType(op.returnType);
         }
 
+        //path is an unescaped variable in the mustache template api.mustache line 82 '<&path>'
+        op.path = sanitizePath(op.path);
+
         // Set vendor-extension to be used in template:
         // x-codegen-hasMoreRequired
         // x-codegen-hasMoreOptional
@@ -738,6 +741,11 @@ public class JavascriptClientCodegen extends DefaultCodegen implements CodegenCo
         return codegenModel;
     }
 
+    private String sanitizePath(String p) {
+        //prefer replace a ', instead of a fuLL URL encode for readability
+        return p.replaceAll("'", "%27");
+    }
+
     private String trimBrackets(String s) {
         if (s != null) {
             int beginIdx = s.charAt(0) == '[' ? 1 : 0;
diff --git a/modules/swagger-codegen/src/main/resources/php/api.mustache b/modules/swagger-codegen/src/main/resources/php/api.mustache
index 5fe25f05b5e..8212001d712 100644
--- a/modules/swagger-codegen/src/main/resources/php/api.mustache
+++ b/modules/swagger-codegen/src/main/resources/php/api.mustache
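Review bot: `sanitizePath` in this hunk uses `replaceAll`, which compiles its first argument as a regular expression on every call, although the helper only needs a literal one-character substitution; `String.replace` states that intent directly, `return p.replace("\"", "%22");`. The same applies to the JavascriptClientCodegen `sanitizePath` in the `@@ -738,6 +741,11 @@` hunk (`return p.replace("'", "%27");`). The comment above the method has a typo (`fuLL`) and would read better as `// replace only the quote character rather than fully URL-encoding, to keep generated paths readable`. The two helpers differ only in the character they escape; a shared helper in DefaultCodegen that takes the character to replace would keep the two generators from drifting apart.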
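Review bot: The comment added in the `@@ -684,6 +684,9 @@` hunk of JavascriptClientCodegen ties its rationale to `api.mustache line 82`, a line number that goes stale the next time the template is edited; refer to the tag instead, `// op.path is rendered unescaped ('<&path>') by the JavaScript api.mustache, so quotes must be neutralised here`. The method this statement lives in begins before the hunk.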
@@ -86,9 +86,10 @@ use \{{invokerPackage}}\ObjectSerializer; * Operation {{{operationId}}} * * {{{summary}}}. - * - {{#allParams}} * @param {{dataType}} ${{paramName}} {{description}} {{#required}}(required){{/required}}{{^required}}(optional{{#defaultValue}}, default to {{{.}}}{{/defaultValue}}){{/required}} - {{/allParams}} * + */ + {{#allParams}} // * @param {{dataType}} ${{paramName}} {{description}} {{#required}}(required){{/required}}{{^required}}(optional{{#defaultValue}}, default to {{{.}}}{{/defaultValue}}){{/required}} + {{/allParams}} + /** * @return {{#returnType}}{{{returnType}}}{{/returnType}}{{^returnType}}void{{/returnType}} * @throws \{{invokerPackage}}\ApiException on non-2xx response */ @@ -103,9 +104,10 @@ use \{{invokerPackage}}\ObjectSerializer; * Operation {{{operationId}}}WithHttpInfo * * {{{summary}}}. - * - {{#allParams}} * @param {{dataType}} ${{paramName}} {{description}} {{#required}}(required){{/required}}{{^required}}(optional{{#defaultValue}}, default to {{{.}}}{{/defaultValue}}){{/required}} - {{/allParams}} * + */ + {{#allParams}} // * @param {{dataType}} ${{paramName}} {{description}} {{#required}}(required){{/required}}{{^required}}(optional{{#defaultValue}}, default to {{{.}}}{{/defaultValue}}){{/required}} + {{/allParams}} + /** * @return Array of {{#returnType}}{{{returnType}}}{{/returnType}}{{^returnType}}null{{/returnType}}, HTTP status code, HTTP response headers (array of strings) * @throws \{{invokerPackage}}\ApiException on non-2xx response */ diff --git a/modules/swagger-codegen/src/main/resources/php/model.mustache b/modules/swagger-codegen/src/main/resources/php/model.mustache index 9fc2b620ddd..e462eb2429e 100644 --- a/modules/swagger-codegen/src/main/resources/php/model.mustache +++ b/modules/swagger-codegen/src/main/resources/php/model.mustache 
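Review bot: Both hunks in api.mustache move each `@param` line out of the docblock into a `//` line comment, which drops the parameter documentation from the generated PHPDoc altogether; an alternative that keeps the docs is to have the generator escape `*/` inside the description so the line can stay within `/** … */`. A `//` comment also ends at the next line break, so a description containing a newline would still put part of the text outside the comment; double-mustache `{{description}}` escaping covers HTML characters, not line breaks, so the codegen should strip CR/LF from the description before the template renders it — presumably that is not done elsewhere in this patch. The same pattern and the same caveat apply to the model.mustache, model_generic.mustache, model_test.mustache and partial_header.mustache hunks below, where `{{{description}}}` and `{{{appDescription}}}` are additionally rendered unescaped.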
@@ -27,10 +27,11 @@ use \ArrayAccess; /** * {{classname}} Class Doc Comment * - * @category Class + * @category Class */ {{#description}} - * @description {{description}} + // @description {{description}} {{/description}} +/** * @package {{invokerPackage}} * @author http://github.com/swagger-api/swagger-codegen * @license http://www.apache.org/licenses/LICENSE-2.0 Apache Licene v2 @@ -258,8 +259,9 @@ class {{classname}} {{#parentSchema}}extends {{{parent}}} {{/parentSchema}}imple } /** - * Sets {{name}} - * @param {{datatype}} ${{name}}{{#description}} {{{description}}}{{/description}} + * Sets {{name}} */ + // * @param {{datatype}} ${{name}}{{#description}} {{{description}}}{{/description}} + /** * @return $this */ public function {{setter}}(${{name}}) diff --git a/modules/swagger-codegen/src/main/resources/php/model_generic.mustache b/modules/swagger-codegen/src/main/resources/php/model_generic.mustache index 22f97456e04..1babfb8c3a4 100644 --- a/modules/swagger-codegen/src/main/resources/php/model_generic.mustache +++ b/modules/swagger-codegen/src/main/resources/php/model_generic.mustache @@ -74,8 +74,9 @@ class {{classname}} {{#parent}}extends {{{parent}}} {{/parent}}implements ArrayA {{/isEnum}}{{/vars}} {{#vars}} + /**/ + //* ${{name}} {{#description}}{{{description}}}{{/description}} /** - * ${{name}} {{#description}}{{{description}}}{{/description}} * @var {{datatype}} */ protected ${{name}}{{#defaultValue}} = {{{defaultValue}}}{{/defaultValue}}; @@ -104,8 +105,9 @@ class {{classname}} {{#parent}}extends {{{parent}}} {{/parent}}implements ArrayA } /** - * Sets {{name}}. - * @param {{datatype}} ${{name}} {{#description}}{{{description}}}{{/description}} + * Sets {{name}}. */ + //* @param {{datatype}} ${{name}} {{#description}}{{{description}}}{{/description}} + /** * @return $this */ public function {{setter}}(${{name}}) 
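Review bot: The `/**/` line added in the `@@ -74,8 +74,9 @@` hunk of model_generic.mustache appears to be an empty comment with no effect; the `//* ${{name}} …` line that follows already stands outside the docblock that the next `/**` reopens, so the marker only puzzles a reader. Either drop it or state its purpose with a template comment such as `{{! description is emitted as a line comment so spec text cannot close the docblock }}`. The rest of this hunk, and the matching setter hunks in model.mustache and model_generic.mustache, only reorder docblock lines.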
diff --git a/modules/swagger-codegen/src/main/resources/php/model_test.mustache b/modules/swagger-codegen/src/main/resources/php/model_test.mustache index d7d93f32186..9f099afb93a 100644 --- a/modules/swagger-codegen/src/main/resources/php/model_test.mustache +++ b/modules/swagger-codegen/src/main/resources/php/model_test.mustache @@ -25,8 +25,9 @@ namespace {{modelPackage}}; /** * {{classname}}Test Class Doc Comment * - * @category Class - * @description {{#description}}{{description}}{{/description}}{{^description}}{{classname}}{{/description}} + * @category Class */ +// * @description {{#description}}{{description}}{{/description}}{{^description}}{{classname}}{{/description}} +/** * @package {{invokerPackage}} * @author http://github.com/swagger-api/swagger-codegen * @license http://www.apache.org/licenses/LICENSE-2.0 Apache Licene v2 diff --git a/modules/swagger-codegen/src/main/resources/php/partial_header.mustache b/modules/swagger-codegen/src/main/resources/php/partial_header.mustache index 61098d84563..6841085e938 100644 --- a/modules/swagger-codegen/src/main/resources/php/partial_header.mustache +++ b/modules/swagger-codegen/src/main/resources/php/partial_header.mustache @@ -2,12 +2,11 @@ {{#appName}} * {{{appName}}} * - {{/appName}} + {{/appName}} */ {{#appDescription}} - * {{{appDescription}}} - * +//* {{{appDescription}}} {{/appDescription}} - * {{#version}}OpenAPI spec version: {{{version}}}{{/version}} +/* {{#version}}OpenAPI spec version: {{{version}}}{{/version}} * {{#infoEmail}}Contact: {{{infoEmail}}}{{/infoEmail}} * Generated by: https://github.com/swagger-api/swagger-codegen.git * diff --git a/modules/swagger-codegen/src/main/resources/ruby/api_info.mustache b/modules/swagger-codegen/src/main/resources/ruby/api_info.mustache index 44d38c5cfad..2370d2c73e9 100644 --- a/modules/swagger-codegen/src/main/resources/ruby/api_info.mustache +++ b/modules/swagger-codegen/src/main/resources/ruby/api_info.mustache 
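Review bot: In the partial_header.mustache hunk the `{{/appName}} */` line is no longer a standalone section tag, so ` */` is emitted whether or not `appName` is set, and the header is then reopened as a plain `/*` rather than the `/**` docblock it was; that looks intentional but is easy to misread as a lost docblock. A template comment stating the intent, `{{! close the header comment before appDescription so spec text cannot terminate it; reopened below as a plain comment }}`, would make the structure deliberate for the next editor.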
@@ -1,9 +1,9 @@ {{#appName}} -{{{appName}}} +#{{{appName}}} {{/appName}} {{#appDescription}} -{{{appDescription}}} +#{{{appDescription}}} {{/appDescription}} {{#version}}OpenAPI spec version: {{version}}{{/version}}