better handle of single quote to avoid code injectio in php

2016-06-28 00:54:06 +08:00
parent 1638adb79e
commit ebd6ffaa4c
44 changed files with 187 additions and 169 deletions
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/CodegenConfig.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/CodegenConfig.java
@@ -61,6 +61,8 @@ public interface CodegenConfig {

    String escapeReservedWord(String name);

+    String escapeQuotationMark(String input);
+
    String getTypeDeclaration(Property p);

    String getTypeDeclaration(String name);
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
@@ -335,8 +335,8 @@ public class DefaultCodegen {
        }

        // remove \t, \n, \r
-        // repalce \ with \\
-        // repalce " with \"
+        // replace \ with \\
+        // replace " with \"
        // outter unescape to retain the original multi-byte characters
        // finally escalate characters avoiding code injection
        return escapeUnsafeCharacters(StringEscapeUtils.unescapeJava(StringEscapeUtils.escapeJava(input).replace("\\/", "/")).replaceAll("[\\t\\n\\r]"," ").replace("\\", "\\\\").replace("\"", "\\\""));
@@ -356,6 +356,16 @@ public class DefaultCodegen {
        return input;
    }

+    /**
+     * Escape single and/or double quote to avoid code injection 
+     * @param input String to be cleaned up
+     * @return string with quotation mark removed or escaped
+     */
+    public String escapeQuotationMark(String input) {
+        LOGGER.info("### calling default escapeText");
+        return input.replace("\"", "\\\"");
+    }
+
    public Set<String> defaultIncludes() {
        return defaultIncludes;
    }
@@ -1763,7 +1773,7 @@ public class DefaultCodegen {
            int count = 0;
            for (String key : consumes) {
                Map<String, String> mediaType = new HashMap<String, String>();
-                mediaType.put("mediaType", key);
+                mediaType.put("mediaType", escapeQuotationMark(key));
                count += 1;
                if (count < consumes.size()) {
                    mediaType.put("hasMore", "true");
--- a/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/PhpClientCodegen.java
+++ b/modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/PhpClientCodegen.java
@@ -663,6 +663,12 @@ public class PhpClientCodegen extends DefaultCodegen implements CodegenConfig {
        return objs;
    }

+    @Override
+    public String escapeQuotationMark(String input) {
+        // remove ' to avoid code injection
+        return input.replace("'", "");
+    }
+
    @Override
    public String escapeUnsafeCharacters(String input) {
        return input.replace("*/", "");