Merge pull request #3246 from wing328/security_fix_javascript_closure

[Javascript][Closure] better code injection handling for Javascript (closure)API client
2016-06-29 23:25:04 +08:00
parent 90857e8988 f89333c8c3
commit cb53ea114a
6 changed files with 387 additions and 0 deletions
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClosureAngularClientCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavascriptClosureAngularClientCodegen.java
@@ -104,6 +104,9 @@ public class JavascriptClosureAngularClientCodegen extends DefaultCodegen implem

    @Override
    public String toVarName(String name) {
+        // sanitize name
+        name = sanitizeName(name); 
+
        // replace - with _ e.g. created-at => created_at
        name = name.replaceAll("-", "_");

@@ -224,4 +227,34 @@ public class JavascriptClosureAngularClientCodegen extends DefaultCodegen implem
        return objs;
    }

+    @Override
+    public String toOperationId(String operationId) {
+        // throw exception if method name is empty
+        if (StringUtils.isEmpty(operationId)) {
+            throw new RuntimeException("Empty method/operation name (operationId) not allowed");
+        }
+
+        operationId = camelize(sanitizeName(operationId), true);
+
+        // method name cannot use reserved keyword, e.g. return
+        if (isReservedWord(operationId)) {
+            String newOperationId = camelize("call_" + operationId, true);
+            LOGGER.warn(operationId + " (reserved word) cannot be used as method name. Renamed to " + newOperationId);
+            return newOperationId;
+        }
+
+        return operationId;
+    }
+
+    @Override
+    public String escapeQuotationMark(String input) {
+        // remove ', " to avoid code injection
+        return input.replace("\"", "").replace("'", "");
+    }
+
+    @Override
+    public String escapeUnsafeCharacters(String input) {
+        return input.replace("*/", "");
+    }
+
 }