loafle/openapi-generator
3
0
Fork 0
forked from loafle/openapi-generator-original
Code Pull Requests Activity

Ruby: Avoid double escaping path items (#3093)

Browse Source 
`URI.encode` is obsolete. `CGI.escape`, `URI.encode_www_form` or
`URI.encode_www_form_component` are recommended instead.
https://ruby-doc.org/stdlib-2.6/libdoc/uri/rdoc/URI/Escape.html#method-i-escape

URI.encode has different behaviour to CGI.escape:

```ruby
URI.encode('hello/world?test%string')
=> "hello/world?test%25string"
CGI.escape('hello/world?test%string')
=> "hello%2Fworld%3Ftest%25string"
```

I recently raised pull request #3039
201cbdce29

That pull request escapes path items at insertion.

Before either pull request, the path item 'hello?world' would go into
the URL as 'hello?world'. That behaviour was insecure as if an attacker
could control the path item value, they could change the URL the
application connected to.

After #3039 'hello?world' would go in as 'hello%253Fworld'. This was
safer than before, but it's still not correct.
If I'd realised at the time, I would have made it correct at the time.

What this pull request does is make it go in as 'hello%35world', which
is correct.

ApiClient::build_request_url was URI.encoding the whole path.
This wasn't protecting against all undesirable characters in the path
items, but was escaping % characters a 2nd time which was unhelpful.

I have additionally removed URI.encode from Configuration::base_url as I
can't see any benefit it could be bringing.
There is no justification for it in the commit where it was originally
added: 47c8597d36
This commit is contained in:
Chris Couzens
2019-06-05 11:54:23 +01:00
committed by Akira Tanimura
parent 66bf0dce9e
commit 4e9d226443
20 changed files with 6 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/openapi-generator/src/main/resources/ruby-client/api.mustache vendored
View File

@@ -2,7 +2,6 @@
{{> api_info}}
=end
require 'uri'
require 'cgi'
module {{moduleName}}

3
modules/openapi-generator/src/main/resources/ruby-client/api_client.mustache vendored
View File

@@ -7,7 +7,6 @@ require 'json'
require 'logger'
require 'tempfile'
require 'typhoeus'
require 'uri'
module {{moduleName}}
class ApiClient
@@ -256,7 +255,7 @@ module {{moduleName}}
def build_request_url(path)
# Add leading and trailing slashes to path
path = "/#{path}".gsub(/\/+/, '/')
URI.encode(@config.base_url + path)
@config.base_url + path
end
# Builds the HTTP request body

5
modules/openapi-generator/src/main/resources/ruby-client/configuration.mustache vendored
View File

@@ -2,8 +2,6 @@
{{> api_info}}
=end
require 'uri'
module {{moduleName}}
class Configuration
# Defines url scheme
@@ -166,8 +164,7 @@ module {{moduleName}}
end
def base_url
url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
URI.encode(url)
"#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
end
# Gets API key (with prefix if set).

1
samples/client/petstore/ruby/lib/petstore/api/another_fake_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/client/petstore/ruby/lib/petstore/api/fake_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/client/petstore/ruby/lib/petstore/api/pet_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/client/petstore/ruby/lib/petstore/api/store_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/client/petstore/ruby/lib/petstore/api/user_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

3
samples/client/petstore/ruby/lib/petstore/api_client.rb
View File

@@ -15,7 +15,6 @@ require 'json'
require 'logger'
require 'tempfile'
require 'typhoeus'
require 'uri'
module Petstore
class ApiClient
@@ -262,7 +261,7 @@ module Petstore
def build_request_url(path)
# Add leading and trailing slashes to path
path = "/#{path}".gsub(/\/+/, '/')
URI.encode(@config.base_url + path)
@config.base_url + path
end
# Builds the HTTP request body

5
samples/client/petstore/ruby/lib/petstore/configuration.rb
View File

@@ -10,8 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
module Petstore
class Configuration
# Defines url scheme
@@ -174,8 +172,7 @@ module Petstore
end
def base_url
url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
URI.encode(url)
"#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
end
# Gets API key (with prefix if set).

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/another_fake_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/default_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/fake_classname_tags123_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/pet_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/store_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

1
samples/openapi3/client/petstore/ruby/lib/petstore/api/user_api.rb
View File

@@ -10,7 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
require 'cgi'
module Petstore

3
samples/openapi3/client/petstore/ruby/lib/petstore/api_client.rb
View File

@@ -15,7 +15,6 @@ require 'json'
require 'logger'
require 'tempfile'
require 'typhoeus'
require 'uri'
module Petstore
class ApiClient
@@ -262,7 +261,7 @@ module Petstore
def build_request_url(path)
# Add leading and trailing slashes to path
path = "/#{path}".gsub(/\/+/, '/')
URI.encode(@config.base_url + path)
@config.base_url + path
end
# Builds the HTTP request body

5
samples/openapi3/client/petstore/ruby/lib/petstore/configuration.rb
View File

@@ -10,8 +10,6 @@ OpenAPI Generator version: 4.0.2-SNAPSHOT
=end
require 'uri'
module Petstore
class Configuration
# Defines url scheme
@@ -174,8 +172,7 @@ module Petstore
end
def base_url
url = "#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
URI.encode(url)
"#{scheme}://#{[host, base_path].join('/').gsub(/\/+/, '/')}".sub(/\/+\z/, '')
end
# Gets API key (with prefix if set).