Merge pull request #3249 from wing328/csharp_security_fix

[C#] better code injection handling for C# API client

Author: wing328

bin/security/csharp-petstore.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+SCRIPT="$0"
+
+while [ -h "$SCRIPT" ] ; do
+  ls=`ls -ld "$SCRIPT"`
+  link=`expr "$ls" : '.*-> \(.*\)$'`
+  if expr "$link" : '/.*' > /dev/null; then
+    SCRIPT="$link"
+  else
+    SCRIPT=`dirname "$SCRIPT"`/"$link"
+  fi
+done
+
+if [ ! -d "${APP_DIR}" ]; then
+  APP_DIR=`dirname "$SCRIPT"`/..
+  APP_DIR=`cd "${APP_DIR}"; pwd`
+fi
+
+executable="./modules/swagger-codegen-cli/target/swagger-codegen-cli.jar"
+
+if [ ! -f "$executable" ]
+then
+  mvn clean package
+fi
+
+# if you've executed sbt assembly previously it will use that instead.
+export JAVA_OPTS="${JAVA_OPTS} -XX:MaxPermSize=256M -Xmx1024M -DloggerPath=conf/log4j.properties"
+ags="$@ generate -i modules/swagger-codegen/src/test/resources/2_0/petstore-security-test.yaml -l csharp -o samples/client/petstore-security-test/csharp/SwaggerClient"
+
+java $JAVA_OPTS -jar $executable $ags

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractCSharpCodegen.java

@@ -656,4 +656,16 @@ public String toEnumName(CodegenProperty property) {
     public String testPackageName() {
         return this.packageName + ".Test";
     }
+
+    @Override
+    public String escapeQuotationMark(String input) {
+        // remove " to avoid code injection
+        return input.replace("\"", "");
+    }
+
+    @Override
+    public String escapeUnsafeCharacters(String input) {
+        return input.replace("*/", "");
+    }
+
 }

modules/swagger-codegen/src/main/resources/aspnet5/controller.mustache

@@ -16,7 +16,7 @@ namespace {{packageName}}.Controllers
     /// <summary>
     /// {{description}}
     /// </summary>{{#description}}{{#basePath}}
-    [Route("{{basePath}}")]
+    [Route("{{{basePath}}}")]
     {{/basePath}}[Description("{{description}}")]{{/description}}
     public class {{classname}}Controller : Controller
     { {{#operation}}

modules/swagger-codegen/src/main/resources/csharp/ApiClient.mustache

@@ -41,17 +41,17 @@ namespace {{packageName}}.Client
 
         /// <summary>
         /// Initializes a new instance of the <see cref="ApiClient" /> class
-        /// with default configuration and base path ({{basePath}}).
+        /// with default configuration and base path ({{{basePath}}}).
         /// </summary>
         public ApiClient()
         {
             Configuration = Configuration.Default;
-            RestClient = new RestClient("{{basePath}}");
+            RestClient = new RestClient("{{{basePath}}}");
         }
 
         /// <summary>
         /// Initializes a new instance of the <see cref="ApiClient" /> class
-        /// with default base path ({{basePath}}).
+        /// with default base path ({{{basePath}}}).
         /// </summary>
         /// <param name="config">An instance of Configuration.</param>
         public ApiClient(Configuration config = null)
@@ -61,15 +61,15 @@ namespace {{packageName}}.Client
             else
                 Configuration = config;
 
-            RestClient = new RestClient("{{basePath}}");
+            RestClient = new RestClient("{{{basePath}}}");
         }
 
         /// <summary>
         /// Initializes a new instance of the <see cref="ApiClient" /> class
         /// with default configuration.
         /// </summary>
         /// <param name="basePath">The base path.</param>
-        public ApiClient(String basePath = "{{basePath}}")
+        public ApiClient(String basePath = "{{{basePath}}}")
         {
            if (String.IsNullOrEmpty(basePath))
                 throw new ArgumentException("basePath cannot be empty");

modules/swagger-codegen/src/main/resources/csharp/Configuration.mustache

@@ -281,16 +281,16 @@ namespace {{packageName}}.Client
         /// </summary>
         public static String ToDebugReport()
         {
-            String report = "C# SDK ({{packageName}}) Debug Report:\n";
+            String report = "C# SDK ({{{packageName}}}) Debug Report:\n";
             {{^supportsUWP}}
             report += "    OS: " + Environment.OSVersion + "\n";
             report += "    .NET Framework Version: " + Assembly
                      .GetExecutingAssembly()
                      .GetReferencedAssemblies()
                      .Where(x => x.Name == "System.Core").First().Version.ToString()  + "\n";
             {{/supportsUWP}}
-            report += "    Version of the API: {{version}}\n";
-            report += "    SDK Package Version: {{packageVersion}}\n";
+            report += "    Version of the API: {{{version}}}\n";
+            report += "    SDK Package Version: {{{packageVersion}}}\n";
 
             return report;
         }

modules/swagger-codegen/src/main/resources/csharp/README.mustache

@@ -107,7 +107,7 @@ namespace Example
 
 ## Documentation for API Endpoints
 
-All URIs are relative to *{{basePath}}*
+All URIs are relative to *{{{basePath}}}*
 
 Class | Method | HTTP request | Description
 ------------ | ------------- | ------------- | -------------

modules/swagger-codegen/src/main/resources/csharp/api_doc.mustache

@@ -1,7 +1,7 @@
 # {{packageName}}.Api.{{classname}}{{#description}}
 {{description}}{{/description}}
 
-All URIs are relative to *{{basePath}}*
+All URIs are relative to *{{{basePath}}}*
 
 Method | HTTP request | Description
 ------------- | ------------- | -------------

samples/client/petstore-security-test/csharp/SwaggerClient/.gitignore

@@ -0,0 +1,185 @@
+# Ref: https://gist.github.com/kmorcinek/2710267
+# Download this file using PowerShell v3 under Windows with the following comand
+# Invoke-WebRequest https://gist.githubusercontent.com/kmorcinek/2710267/raw/ -OutFile .gitignore
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/packages/repositories.config
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# OS generated files #
+.DS_Store*
+ehthumbs.db
+Icon?
+Thumbs.db
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+modulesbin/
+tempbin/
+
+# EPiServer Site file (VPP)
+AppData/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# vim
+*.txt~
+*.swp
+*.swo
+
+ # svn
+ .svn
+
+ # SQL Server files
+ **/App_Data/*.mdf
+ **/App_Data/*.ldf
+ **/App_Data/*.sdf
+
+
+ #LightSwitch generated files
+ GeneratedArtifacts/
+ _Pvt_Extensions/
+ ModelManifest.xml
+
+ # =========================
+ # Windows detritus
+ # =========================
+
+ # Windows image file caches
+ Thumbs.db
+ ehthumbs.db
+
+ # Folder config file
+ Desktop.ini
+
+ # Recycle Bin used on file shares
+ $RECYCLE.BIN/
+
+ # Mac desktop service store files
+ .DS_Store
+
+ # SASS Compiler cache
+ .sass-cache
+
+ # Visual Studio 2014 CTP
+ **/*.sln.ide

samples/client/petstore-security-test/csharp/SwaggerClient/.swagger-codegen-ignore

@@ -0,0 +1,23 @@
+# Swagger Codegen Ignore
+# Generated by swagger-codegen https://github.com/swagger-api/swagger-codegen
+
+# Use this file to prevent files from being overwritten by the generator.
+# The patterns follow closely to .gitignore or .dockerignore.
+
+# As an example, the C# client generator defines ApiClient.cs.
+# You can make changes and tell Swagger Codgen to ignore just this file by uncommenting the following line:
+#ApiClient.cs
+
+# You can match any string of characters against a directory, file or extension with a single asterisk (*):
+#foo/*/qux
+# The above matches foo/bar/qux and foo/baz/qux, but not foo/bar/baz/qux
+
+# You can recursively match patterns against a directory, file or extension with a double asterisk (**):
+#foo/**/qux
+# This matches foo/bar/qux, foo/baz/qux, and foo/bar/baz/qux
+
+# You can also negate patterns with an exclamation (!).
+# For example, you can ignore all files in a docs folder with the file extension .md:
+#docs/*.md
+# Then explicitly reverse the ignore rule for a single file:
+#!docs/README.md

samples/client/petstore-security-test/csharp/SwaggerClient/.travis.yml

@@ -0,0 +1,21 @@
+#
+# Generated by: https://github.com/swagger-api/swagger-codegen.git
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+language: csharp
+mono:
+  - latest
+solution: IO.Swagger.sln
+script:
+  - /bin/sh ./mono_nunit_test.sh