Merge pull request #3237 from wing328/java-security-fix

[Java] Better code injection handling for Java-related generators

Author: wing328

bin/security/java-petstore-okhttp-gson.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+SCRIPT="$0"
+
+while [ -h "$SCRIPT" ] ; do
+  ls=`ls -ld "$SCRIPT"`
+  link=`expr "$ls" : '.*-> \(.*\)$'`
+  if expr "$link" : '/.*' > /dev/null; then
+    SCRIPT="$link"
+  else
+    SCRIPT=`dirname "$SCRIPT"`/"$link"
+  fi
+done
+
+if [ ! -d "${APP_DIR}" ]; then
+  APP_DIR=`dirname "$SCRIPT"`/..
+  APP_DIR=`cd "${APP_DIR}"; pwd`
+fi
+
+executable="./modules/swagger-codegen-cli/target/swagger-codegen-cli.jar"
+
+if [ ! -f "$executable" ]
+then
+  mvn clean package
+fi
+
+# if you've executed sbt assembly previously it will use that instead.
+export JAVA_OPTS="${JAVA_OPTS} -XX:MaxPermSize=256M -Xmx1024M -DloggerPath=conf/log4j.properties"
+ags="$@ generate -t modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson -i modules/swagger-codegen/src/test/resources/2_0/petstore-security-test.yaml -l java -c bin/java-petstore-okhttp-gson.json -o samples/client/petstore-security-test/java/okhttp-gson -DhideGenerationTimestamp=true"
+
+rm -rf samples/client/petstore-security-test/java/okhttp-gson/src/main
+find samples/client/petstore-security-test/java/okhttp-gson -maxdepth 1 -type f ! -name "README.md" -exec rm {} +
+java $JAVA_OPTS -jar $executable $ags

modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultGenerator.java

@@ -188,6 +188,7 @@ public List<File> generate() {
         } else {
             scheme = "https";
         }
+        scheme = config.escapeText(scheme);
         hostBuilder.append(scheme);
         hostBuilder.append("://");
         if (swagger.getHost() != null) {
@@ -198,9 +199,9 @@ public List<File> generate() {
         if (swagger.getBasePath() != null) {
             hostBuilder.append(swagger.getBasePath());
         }
-        String contextPath = swagger.getBasePath() == null ? "" : swagger.getBasePath();
-        String basePath = hostBuilder.toString();
-        String basePathWithoutHost = swagger.getBasePath();
+        String contextPath = config.escapeText(swagger.getBasePath() == null ? "" : swagger.getBasePath());
+        String basePath = config.escapeText(hostBuilder.toString());
+        String basePathWithoutHost = config.escapeText(swagger.getBasePath());
 
         // resolve inline models
         InlineModelResolver inlineModelResolver = new InlineModelResolver();

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java

@@ -833,4 +833,16 @@ public void setFullJavaUtil(boolean fullJavaUtil) {
     public void setDateLibrary(String library) {
         this.dateLibrary = library;
     }
+
+    @Override
+    public String escapeQuotationMark(String input) {
+        // remove " to avoid code injection
+        return input.replace("\"", "");
+    }
+
+    @Override
+    public String escapeUnsafeCharacters(String input) {
+        return input.replace("*/", "");
+    }
+
 }

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaClientCodegen.java

@@ -211,4 +211,5 @@ public Map<String, Object> postProcessModelsEnum(Map<String, Object> objs) {
     public void setUseRxJava(boolean useRxJava) {
         this.useRxJava = useRxJava;
     }
+
 }

modules/swagger-codegen/src/main/resources/Java/libraries/feign/ApiClient.mustache

@@ -29,7 +29,7 @@ public class ApiClient {
   public interface Api {}
 
   protected ObjectMapper objectMapper;
-  private String basePath = "{{basePath}}";
+  private String basePath = "{{{basePath}}}";
   private Map<String, RequestInterceptor> apiAuthorizations;
   private Feign.Builder feignBuilder;
 

modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache

@@ -51,7 +51,7 @@ import {{invokerPackage}}.auth.OAuth;
 {{>generatedAnnotation}}
 public class ApiClient {
   private Map<String, String> defaultHeaderMap = new HashMap<String, String>();
-  private String basePath = "{{basePath}}";
+  private String basePath = "{{{basePath}}}";
   private boolean debugging = false;
   private int connectionTimeout = 0;
 

modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache

@@ -101,7 +101,7 @@ public class ApiClient {
      */
     public static final String LENIENT_DATETIME_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSSZ";
 
-    private String basePath = "{{basePath}}";
+    private String basePath = "{{{basePath}}}";
     private boolean lenientOnJson = false;
     private boolean debugging = false;
     private Map<String, String> defaultHeaderMap = new HashMap<String, String>();
@@ -169,7 +169,7 @@ public class ApiClient {
     /**
      * Set base path
      *
-     * @param basePath Base path of the URL (e.g {{basePath}})
+     * @param basePath Base path of the URL (e.g {{{basePath}}}
      * @return An instance of OkHttpClient
      */
     public ApiClient setBasePath(String basePath) {

modules/swagger-codegen/src/main/resources/Java/libraries/retrofit/ApiClient.mustache

@@ -123,7 +123,7 @@ public class ApiClient {
 
         adapterBuilder = new RestAdapter
                 .Builder()
-                .setEndpoint("{{basePath}}")
+                .setEndpoint("{{{basePath}}}")
                 .setClient(new OkClient(okClient))
                 .setConverter(new GsonConverterWrapper(gson));
     }
@@ -405,4 +405,4 @@ class LocalDateTypeAdapter extends TypeAdapter<LocalDate> {
                 return formatter.parseLocalDate(date);
         }
     }
-}
+}

modules/swagger-codegen/src/main/resources/Java/libraries/retrofit2/ApiClient.mustache

@@ -132,7 +132,7 @@ public class ApiClient {
 
         okClient = new OkHttpClient();
 
-        String baseUrl = "{{basePath}}";
+        String baseUrl = "{{{basePath}}}";
         if(!baseUrl.endsWith("/"))
         	baseUrl = baseUrl + "/";
 
@@ -487,4 +487,4 @@ class LocalDateTypeAdapter extends TypeAdapter<LocalDate> {
         }
     }
 }
-{{/java8}}
+{{/java8}}

modules/swagger-codegen/src/main/resources/Java/modelEnum.mustache

@@ -1,7 +1,7 @@
 /**
  * {{^description}}Gets or Sets {{{name}}}{{/description}}{{#description}}{{{description}}}{{/description}}
  */
-public enum {{#datatypeWithEnum}}{{.}}{{/datatypeWithEnum}}{{^datatypeWithEnum}}{{classname}}{{/datatypeWithEnum}} {
+public enum {{#datatypeWithEnum}}{{{.}}}{{/datatypeWithEnum}}{{^datatypeWithEnum}}{{{classname}}}{{/datatypeWithEnum}} {
   {{#gson}}
   {{#allowableValues}}{{#enumVars}}
   @SerializedName({{#isInteger}}"{{/isInteger}}{{#isDouble}}"{{/isDouble}}{{#isLong}}"{{/isLong}}{{#isFloat}}"{{/isFloat}}{{{value}}}{{#isInteger}}"{{/isInteger}}{{#isDouble}}"{{/isDouble}}{{#isLong}}"{{/isLong}}{{#isFloat}}"{{/isFloat}})
@@ -14,9 +14,9 @@ public enum {{#datatypeWithEnum}}{{.}}{{/datatypeWithEnum}}{{^datatypeWithEnum}}
   {{/-last}}{{#-last}};{{/-last}}{{/enumVars}}{{/allowableValues}}
   {{/gson}}
 
-  private {{dataType}} value;
+  private {{{dataType}}} value;
 
-  {{#datatypeWithEnum}}{{.}}{{/datatypeWithEnum}}{{^datatypeWithEnum}}{{classname}}{{/datatypeWithEnum}}({{dataType}} value) {
+  {{#datatypeWithEnum}}{{{.}}}{{/datatypeWithEnum}}{{^datatypeWithEnum}}{{{classname}}}{{/datatypeWithEnum}}({{{dataType}}} value) {
     this.value = value;
   }