4 changes: 3 additions & 1 deletion package.json
Expand Up @@ -126,5 +126,7 @@
"@commitlint/config-conventional"
]
},
"dependencies": {}
"dependencies": {
"dompurify": "^3.2.3"
}
}
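Review bot: `dompurify` is declared here in the workspace root package.json, but the import added in packages/elements-core/src/components/TryIt/build-request.ts lives in `@stoplight/elements-core`, whose own package.json in this PR only bumps the version; unless it is declared there outside this diff, the published package will import a module it does not depend on, and consumers that do not happen to have dompurify installed get a module-not-found at runtime. Move the entry into the `"dependencies"` of `packages/elements-core/package.json` (`"dompurify": "^3.2.3"`) and keep the root entry only if the root build itself needs it.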
2 changes: 1 addition & 1 deletion packages/elements-core/package.json
@@ -1,6 +1,6 @@
{
"name": "@stoplight/elements-core",
"version": "9.0.6",
"version": "9.0.7",
"sideEffects": [
"web-components.min.js",
"src/web-components/**",
10 changes: 7 additions & 3 deletions packages/elements-core/src/components/TryIt/build-request.ts
@@ -1,4 +1,5 @@
import { Dictionary, HttpParamStyles, IHttpOperation, IMediaTypeContent, IServer } from '@stoplight/types';
import DOMPurify from 'dompurify';
import { Request as HarRequest } from 'har-format';

import { getServerUrlWithVariableValues, resolveUrl } from '../../utils/http-spec/IServer';
Expand Down Expand Up @@ -144,20 +145,23 @@ export async function buildFetchRequest({
credentials = 'omit',
corsProxy,
}: BuildRequestInput): Promise<Parameters<typeof fetch>> {
const sanitizedParameterValues = Object.fromEntries(
Object.entries(parameterValues).map(([key, value]) => [key, DOMPurify.sanitize(value)]),
);
const serverUrl = getServerUrl({ httpOperation, mockData, chosenServer, corsProxy, serverVariableValues });

const shouldIncludeBody =
['PUT', 'POST', 'PATCH'].includes(httpOperation.method.toUpperCase()) && bodyInput !== undefined;

const queryParams = getQueryParams({ httpOperation, parameterValues });
const queryParams = getQueryParams({ httpOperation, parameterValues: sanitizedParameterValues });

const rawHeaders = filterOutAuthorizationParams(httpOperation.request?.headers ?? [], httpOperation.security)
.map(header => ({ name: header.name, value: parameterValues[header.name] ?? '' }))
.map(header => ({ name: header.name, value: sanitizedParameterValues[header.name] ?? '' }))
.filter(({ value }) => value.length > 0);

const [queryParamsWithAuth, headersWithAuth] = runAuthRequestEhancements(auth, queryParams, rawHeaders);

const expandedPath = uriExpand(httpOperation.path, parameterValues);
const expandedPath = uriExpand(httpOperation.path, sanitizedParameterValues);

// urlObject is concatenated this way to avoid /user and /user/ endpoint edge cases
const urlObject = new URL(serverUrl + expandedPath);
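Review bot: The `sanitizedParameterValues` block at the top of the hunk covers only `parameterValues`; `serverVariableValues` is still passed raw to `getServerUrl` on the next line and `bodyInput` is untouched, so if the intent is to keep user-entered HTML out of the built request the control is incomplete. DOMPurify is an HTML sanitizer whose output is HTML-serialized, so — as far as I recall its behaviour, worth confirming with a test — plain values such as `a&b` or `x<y` come back as `a&amp;b` / `x&lt;y` before they reach the query string, headers and path, which silently changes what the API receives. In an environment without a DOM (`DOMPurify.isSupported` is false) `sanitize` returns its input unchanged, so the protection does not hold during SSR; if the real risk is the request being rendered back into the page, escaping at the render site is the more reliable place for it. Please add a comment stating the threat this addresses, e.g. `// Strip HTML from user-entered parameter values before they are placed in the URL and headers (see <issue-ref>)`, and add a unit test pinning the expected output for a value containing `&` and `<`. buildFetchRequest's body continues outside the hunk.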
4 changes: 2 additions & 2 deletions packages/elements-dev-portal/package.json
@@ -1,6 +1,6 @@
{
"name": "@stoplight/elements-dev-portal",
"version": "3.0.6",
"version": "3.0.7",
"description": "UI components for composing beautiful developer documentation.",
"keywords": [],
"sideEffects": [
Expand Down Expand Up @@ -66,7 +66,7 @@
"dependencies": {
"@stoplight/markdown-viewer": "^5.7.1",
"@stoplight/mosaic": "^1.53.4",
"@stoplight/elements-core": "~9.0.6",
"@stoplight/elements-core": "~9.0.7",
"@stoplight/path": "^1.3.2",
"@stoplight/types": "^14.0.0",
"classnames": "^2.2.6",
6 changes: 3 additions & 3 deletions packages/elements/package.json
@@ -1,6 +1,6 @@
{
"name": "@stoplight/elements",
"version": "9.0.6",
"version": "9.0.7",
"description": "UI components for composing beautiful developer documentation.",
"keywords": [],
"sideEffects": [
Expand Down Expand Up @@ -63,7 +63,7 @@
]
},
"dependencies": {
"@stoplight/elements-core": "~9.0.4",
"@stoplight/elements-core": "~9.0.7",
"@stoplight/http-spec": "^7.1.0",
"@stoplight/json": "^3.18.1",
"@stoplight/mosaic": "^1.53.4",
Expand Down Expand Up @@ -109,4 +109,4 @@
"release": {
"extends": "@stoplight/scripts/release"
}
}
}
12 changes: 12 additions & 0 deletions yarn.lock
Expand Up @@ -7682,6 +7682,11 @@
dependencies:
"@types/jest" "*"

"@types/trusted-types@^2.0.7":
version "2.0.7"
resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.7.tgz#baccb07a970b91707df3a3e8ba6896c57ead2d11"
integrity sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==

"@types/type-is@^1.6.3":
version "1.6.3"
resolved "https://registry.npmjs.org/@types/type-is/-/type-is-1.6.3.tgz"
Expand Down Expand Up @@ -10888,6 +10893,13 @@ domhandler@^4.0.0, domhandler@^4.2.0:
dependencies:
domelementtype "^2.2.0"

dompurify@^3.2.3:
version "3.2.3"
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.2.3.tgz#05dd2175225324daabfca6603055a09b2382a4cd"
integrity sha512-U1U5Hzc2MO0oW3DF+G9qYN0aT7atAou4AgI0XjWz061nyBPbdxkfdhfy5uMgGn6+oLFCfn44ZGbdDqCzVmlOWA==
optionalDependencies:
"@types/trusted-types" "^2.0.7"

domutils@^2.5.2, domutils@^2.6.0, domutils@^2.7.0:
version "2.8.0"
resolved "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz"