From b95e38f8e7a1126a35cc27c59d8f21bd0d94d8d2 Mon Sep 17 00:00:00 2001
From: Peter Wessels
Date: Wed, 7 Aug 2019 11:27:52 +0200
Subject: [PATCH] fix: use url template dependency

Use a different url template dependency that does not have the XSS vulnerability as stated in https://github.com/Redocly/redoc/issues/1007. Also corrected a test that was not conform the spec.
---
 package.json | 2 +-
 src/utils/__tests__/openapi.test.ts | 6 ++----
 src/utils/openapi.ts | 8 ++++----
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index f435bfed4d..1d0c45032d 100644
--- a/package.json
+++ b/package.json
@@ -156,7 +156,7 @@
 "stickyfill": "^1.1.1",
 "swagger2openapi": "^5.3.1",
 "tslib": "^1.10.0",
-"uri-template-lite": "^19.4.0"
+"url-template": "^2.0.8"
 },
 "bundlesize": [
 {
diff --git a/src/utils/__tests__/openapi.test.ts b/src/utils/__tests__/openapi.test.ts
index 5d2d91dde8..37d5680c79 100644
--- a/src/utils/__tests__/openapi.test.ts
+++ b/src/utils/__tests__/openapi.test.ts
@@ -404,7 +404,7 @@ describe('Utils', () => {
 { style: 'simple', explode: false, expected: 'role,admin,firstName,Alex' },
 { style: 'simple', explode: true, expected: 'role=admin,firstName=Alex' },
 { style: 'label', explode: false, expected: '.role,admin,firstName,Alex' },
-{ style: 'label', explode: true, expected: '.role=admin,firstName=Alex' },
+{ style: 'label', explode: true, expected: '.role=admin.firstName=Alex' },
 { style: 'matrix', explode: false, expected: ';id=role,admin,firstName,Alex' },
 { style: 'matrix', explode: true, expected: ';role=admin;firstName=Alex' },
 ],
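Review bot: The dependency swap in package.json is not accompanied by a lockfile change — the diffstat lists only package.json, openapi.test.ts and openapi.ts — so if the repository tracks a package-lock.json or yarn.lock, installs will keep resolving from the stale lock until it is regenerated and committed with this change. The caret range in `"url-template": "^2.0.8"` also lets the resolved version float; since the switch is motivated by a security issue in the previous library, committing the lock (or pinning the exact version) keeps the resolved version reviewable and reproducible.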
@@ -516,9 +516,7 @@ describe('Utils', () => {
 locationTestGroup.cases.forEach(valueTypeTestGroup => {
 describe(valueTypeTestGroup.description, () => {
 valueTypeTestGroup.cases.forEach(testCase => {
-it(`should serialize correctly when style is ${testCase.style} and explode is ${
-testCase.explode
-}`, () => {
+it(`should serialize correctly when style is ${testCase.style} and explode is ${testCase.explode}`, () => {
 const parameter: OpenAPIParameter = {
 name: locationTestGroup.name,
 in: locationTestGroup.location,
diff --git a/src/utils/openapi.ts b/src/utils/openapi.ts
index 04a16b6b45..7324ff69b8 100644
--- a/src/utils/openapi.ts
+++ b/src/utils/openapi.ts
@@ -1,5 +1,5 @@
 import { dirname } from 'path';
-import { URI } from 'uri-template-lite';
+const URLtemplate = require('url-template');
 
 import { OpenAPIParser } from '../services/OpenAPIParser';
 import {
@@ -168,7 +168,7 @@ function serializeFormValue(name: string, explode: boolean, value: any) {
 // e.g. URI.template doesn't parse names with hypen (-) which are valid query param names
 const safeName = '__redoc_param_name__';
 const suffix = explode ? '*' : '';
-const template = new URI.Template(`{?${safeName}${suffix}}`);
+const template = URLtemplate.parse(`{?${safeName}${suffix}}`);
 return template
 .expand({ [safeName]: value })
 .substring(1)
@@ -227,7 +227,7 @@ function serializePathParameter(
 // Use RFC6570 safe name ([a-zA-Z0-9_]) and replace with our name later
 // e.g. URI.template doesn't parse names with hypen (-) which are valid query param names
 const safeName = '__redoc_param_name__';
-const template = new URI.Template(`{${prefix}${safeName}${suffix}}`);
+const template = URLtemplate.parse(`{${prefix}${safeName}${suffix}}`);
 return template.expand({ [safeName]: value }).replace(/__redoc_param_name__/g, name);
 }
 
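Review bot: `const URLtemplate = require('url-template');` replaces an ES import with a CommonJS `require` in a TypeScript module, so `URLtemplate` is typed `any` and every `.parse(...).expand(...)` call in the hunks at -168, -227 and -285 is unchecked. If typings are available (DefinitelyTyped publishes `@types/url-template` for this library, as far as I know), an import keeps the file consistent with the surrounding `import` lines and restores checking: `import * as urlTemplate from 'url-template';`, or `import urlTemplate = require('url-template');` when esModuleInterop is off. A lowercase `urlTemplate` also follows the file's convention for module values rather than class names.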
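Review bot: The call sites switched to `URLtemplate.parse(...)` here and in the hunks at -227 and -285 now rely on the new library to percent-encode whatever `value` contains, and because the commit's stated purpose is to drop a library with an XSS issue, the suite should pin that property instead of leaving it implicit. A regression case in openapi.test.ts that pushes a value containing `<`, `>`, `"` and `&` through each serializer and asserts the percent-encoded result would catch a future dependency change that stops encoding reserved characters. The context comments `// e.g. URI.template doesn't parse names with hypen (-) ...` still name the removed library; rewording them to `// e.g. url-template doesn't parse names with hyphen (-) ...` keeps the workaround rationale accurate. serializeFormValue starts outside the hunk.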
@@ -285,7 +285,7 @@ function serializeHeaderParameter(
 
 // name is not important here, so use RFC6570 safe name ([a-zA-Z0-9_])
 const name = '__redoc_param_name__';
-const template = new URI.Template(`{${name}${suffix}}`);
+const template = URLtemplate.parse(`{${name}${suffix}}`);
 return decodeURIComponent(template.expand({ [name]: value }));
 default:
 console.warn('Unexpected style for header: ' + style);
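Review bot: In the header branch the library's output is immediately passed through `decodeURIComponent(...)`, so any percent-encoding url-template applies to `value` is undone and the returned string carries the raw characters of the spec value; swapping the template library therefore does not change what this function emits for a header whose value contains markup. That is acceptable only if every consumer treats the result as text (text node or escaping template), which cannot be confirmed from this hunk, so a comment on the return line such as `// decoded on purpose: header values are displayed verbatim, callers must escape them` would stop a future reader from assuming the template encoding acts as a safety net here. The switch statement of serializeHeaderParameter begins outside the hunk.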