
[C#] better code injection handling for C# API client#3249

Merged: wing328 merged 2 commits into swagger-api:master from wing328:csharp_security_fix on Jun 29, 2016

Conversation

@wing328 (Contributor) commented Jun 29, 2016

For #3201

@wing328 wing328 added this to the v2.2.0 milestone Jun 29, 2016
@wing328 wing328 merged commit 9ee10e2 into swagger-api:master Jun 29, 2016
}

@Override
public String escapeQuotationMark(String input) {
Review comment from a Contributor on the lines above:

I think this function and escapeUnsafeCharacters need to be heavily commented in all language overrides.

Consider 1 or 2 years down the road:

  1. This method is removing quotes, not escaping. Why?
  2. Comment on line 662 could be read as avoiding SQL code injection in generated code. Maybe clarify the comment?
  3. From a usage perspective, it's not clear whether this is single or double quotes.
  4. It's not clear the intended context of this method (Mustache templates vs. in generated code).
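As an added example (not the pull request's or swagger-codegen's code), one way to make the contracts the reviewer asks about explicit in Javadoc and in the method signatures: which quote character is handled, whether it is escaped or removed, and for which emission context. `CSharpEscaper`, its `Context` enum and the sample description string are hypothetical and constructed for illustration.

```java
/**
 * Hypothetical, context-aware escaping for text that a code generator
 * copies into C# source (added example; not swagger-codegen's own code).
 */
public final class CSharpEscaper {

    /** Where the escaped text is about to be emitted. */
    public enum Context {
        STRING_LITERAL,   // inside a regular "..." literal
        VERBATIM_STRING,  // inside a verbatim @"..." literal
        XML_DOC_COMMENT,  // inside a /// <summary>...</summary> line
        BLOCK_COMMENT     // inside a block comment
    }

    /**
     * Escapes DOUBLE quotation marks (") so the text cannot close the
     * surrounding construct. The text is preserved, not truncated.
     * Quotes are harmless inside a block comment and are left alone.
     * Call this BEFORE escapeUnsafeCharacters: it doubles backslashes,
     * and the newline escapes added later must not be doubled.
     */
    public static String escapeQuotationMark(String input, Context ctx) {
        if (input == null) return null;
        switch (ctx) {
            case STRING_LITERAL:  return input.replace("\\", "\\\\").replace("\"", "\\\"");
            case VERBATIM_STRING: return input.replace("\"", "\"\"");
            case XML_DOC_COMMENT: return input.replace("&", "&amp;").replace("<", "&lt;")
                                              .replace(">", "&gt;").replace("\"", "&quot;");
            default:              return input;
        }
    }

    /**
     * Neutralises sequences that would TERMINATE the construct and let the
     * rest of the input be compiled as code: a raw newline ends a regular
     * string literal or a /// line, and star-slash closes a block comment.
     * This one must rewrite rather than escape, because C# has no escape
     * for star-slash inside a block comment.
     */
    public static String escapeUnsafeCharacters(String input, Context ctx) {
        if (input == null) return null;
        switch (ctx) {
            case STRING_LITERAL:  return input.replace("\r", "\\r").replace("\n", "\\n");
            case XML_DOC_COMMENT: return input.replaceAll("\\r?\\n", " ");
            case BLOCK_COMMENT:   return input.replace("*/", "* /");
            default:              return input; // verbatim literals may span lines
        }
    }

    public static void main(String[] args) {
        String desc = "Pet \"id\"\n*/ int injected = 1; /*"; // constructed sample
        System.out.println(escapeUnsafeCharacters(
                escapeQuotationMark(desc, Context.STRING_LITERAL), Context.STRING_LITERAL));
        System.out.println(escapeUnsafeCharacters(desc, Context.BLOCK_COMMENT));
    }
}
```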

