fix(security): replace regular expressions in path builders (#3504)

glowcloud · char0n · web-flow · commit 642a87c0a3f6 · 2024-05-08T15:25:44.000+02:00
Refs #3503 --------- Co-authored-by: Vladimir Gorej <vladimir.gorej@gmail.com>
diff --git a/config/webpack/browser.config.babel.js b/config/webpack/browser.config.babel.js
@@ -63,7 +63,7 @@ const browserMin = {
   devtool: 'source-map',
   performance: {
     hints: 'error',
-    maxEntrypointSize: 440000,
+    maxEntrypointSize: 460000,
     maxAssetSize: 50000000,
   },
   output: {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -122,6 +122,7 @@
     "js-yaml": "^4.1.0",
     "node-abort-controller": "^3.1.1",
     "node-fetch-commonjs": "^3.3.2",
+    "openapi-path-templating": "^1.5.1",
     "qs": "^6.10.2",
     "traverse": "=0.6.8"
   },
diff --git a/src/execute/index.js b/src/execute/index.js
@@ -265,6 +265,7 @@ export function buildRequest(options) {
         value,
         operation,
         spec,
+        pathName,
       });
     }
   });
diff --git a/src/execute/oas3/parameter-builders.js b/src/execute/oas3/parameter-builders.js
@@ -1,28 +1,41 @@
+import { resolve as resolvePathTemplate } from 'openapi-path-templating';
+
 import stylize, { encodeCharacters } from './style-serializer.js';
 import serialize from './content-serializer.js';
 
-export function path({ req, value, parameter }) {
+export function path({ req, value, parameter, pathName }) {
   const { name, style, explode, content } = parameter;
 
   if (value === undefined) return;
 
+  let resolvedPathname;
+
   if (content) {
     const effectiveMediaType = Object.keys(content)[0];
 
-    req.url = req.url
-      .split(`{${name}}`)
-      .join(encodeCharacters(serialize(value, effectiveMediaType)));
+    resolvedPathname = resolvePathTemplate(
+      pathName,
+      { [name]: value },
+      { encoder: (val) => encodeCharacters(serialize(val, effectiveMediaType)) }
+    );
   } else {
-    const styledValue = stylize({
-      key: parameter.name,
-      value,
-      style: style || 'simple',
-      explode: explode || false,
-      escape: 'reserved',
-    });
-
-    req.url = req.url.replace(new RegExp(`{${name}}`, 'g'), styledValue);
+    resolvedPathname = resolvePathTemplate(
+      pathName,
+      { [name]: value },
+      {
+        encoder: (val) =>
+          stylize({
+            key: parameter.name,
+            value: val,
+            style: style || 'simple',
+            explode: explode || false,
+            escape: 'reserved',
+          }),
+      }
+    );
   }
+
+  req.url = req.url.replace(pathName, resolvedPathname);
 }
 
 export function query({ req, value, parameter }) {
diff --git a/src/execute/swagger2/parameter-builders.js b/src/execute/swagger2/parameter-builders.js
@@ -1,3 +1,5 @@
+import { resolve as resolvePathTemplate } from 'openapi-path-templating';
+
 // These functions will update the request.
 // They'll be given {req, value, paramter, spec, operation}.
 
@@ -49,9 +51,11 @@ function headerBuilder({ req, parameter, value }) {
 }
 
 // Replace path paramters, with values ( ie: the URL )
-function pathBuilder({ req, value, parameter }) {
+function pathBuilder({ req, value, parameter, pathName }) {
   if (value !== undefined) {
-    req.url = req.url.replace(new RegExp(`{${parameter.name}}`, 'g'), encodeURIComponent(value));
+    const resolvedPathname = resolvePathTemplate(pathName, { [parameter.name]: value });
+
+    req.url = req.url.replace(pathName, resolvedPathname);
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,7 @@ export function buildRequest(options) {`
`265`	`265`	`value,`
`266`	`266`	`operation,`
`267`	`267`	`spec,`
	`268`	`+ pathName,`
`268`	`269`	`});`
`269`	`270`	`}`
`270`	`271`	`});`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+import { resolve as resolvePathTemplate } from 'openapi-path-templating';`
	`2`	`+`
`1`	`3`	`// These functions will update the request.`
`2`	`4`	`// They'll be given {req, value, paramter, spec, operation}.`
`3`	`5`
`@@ -49,9 +51,11 @@ function headerBuilder({ req, parameter, value }) {`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`// Replace path paramters, with values ( ie: the URL )`
`52`		`-function pathBuilder({ req, value, parameter }) {`
	`54`	`+function pathBuilder({ req, value, parameter, pathName }) {`
`53`	`55`	`if (value !== undefined) {`
`54`		- req.url = req.url.replace(new RegExp(`{${parameter.name}}`, 'g'), encodeURIComponent(value));
	`56`	`+ const resolvedPathname = resolvePathTemplate(pathName, { [parameter.name]: value });`
	`57`	`+`
	`58`	`+ req.url = req.url.replace(pathName, resolvedPathname);`
`55`	`59`	`}`
`56`	`60`	`}`
`57`	`61`