Validate the api key 'in' attribute is cookie header or query.
stefan521 authored and frantuma committed Apr 3, 2024
1 parent e3746af commit 056774f
Showing 2 changed files with 57 additions and 0 deletions.
Expand Up @@ -2426,6 +2426,10 @@ public SecurityScheme getSecurityScheme(ObjectNode node, String location, ParseR
.filter(in -> in.toString().equals(securitySchemeIn))
.findFirst();

if (inRequired && securitySchemeIn != null && !matchingIn.isPresent()) {
result.invalidType(location, "in", "cookie|header|query", node);
}

securityScheme.setIn(matchingIn.orElse(null));

value = getString("scheme", node, schemeRequired, location, result);
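Review bot: An unrecognised `in` value is only reported through `result.invalidType(...)`; the next statement, `securityScheme.setIn(matchingIn.orElse(null))`, still returns a scheme whose location is null. A consumer that builds gateway or client configuration from the model without reading the parse messages therefore gets an apiKey scheme with no declared location. I would document that at the new check, e.g. `// invalid 'in' is reported only; the scheme is still returned with in == null, so callers must check the parse messages`. The check is also gated on `inRequired`, which is set outside this hunk; if that flag is true only for apiKey schemes (not visible here), a bogus `in` on other scheme types is still dropped without any message. getSecurityScheme starts and ends outside the hunk.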
Expand Up @@ -491,6 +491,59 @@ public void testSecurityDefinitionWithMissingAttribute() {
assertTrue(messages.contains("attribute components.securitySchemes.api_key.type is missing"));
}

@Test
public void testSecurityDefinitionApiKeyWithMissingAttributeIn() {
String yaml = "openapi: 3.0.0\n" +
"components:\n" +
" securitySchemes:\n" +
" api_key:\n" +
" type: apiKey\n" +
" name: X-API-KEY";

OpenAPIV3Parser parser = new OpenAPIV3Parser();
SwaggerParseResult result = parser.readContents(yaml, null, null);
List<String> messageList = result.getMessages();
Set<String> messages = new HashSet<>(messageList);

assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is missing"));
}

@Test
public void testSecurityDefinitionApiKeyWithInvalidAttributeIn() {
String yaml = "openapi: 3.0.0\n" +
"components:\n" +
" securitySchemes:\n" +
" api_key:\n" +
" type: apiKey\n" +
" name: X-API-KEY\n" +
" in: cukie";

OpenAPIV3Parser parser = new OpenAPIV3Parser();
SwaggerParseResult result = parser.readContents(yaml, null, null);
List<String> messageList = result.getMessages();
Set<String> messages = new HashSet<>(messageList);

assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
}

@Test
public void testSecurityDefinitionApiKeyValid() {
String yaml = "openapi: 3.0.0\n" +
"components:\n" +
" securitySchemes:\n" +
" api_key:\n" +
" type: apiKey\n" +
" name: X-API-KEY\n" +
" in: cookie";

OpenAPIV3Parser parser = new OpenAPIV3Parser();
SwaggerParseResult result = parser.readContents(yaml, null, null);
List<String> messageList = result.getMessages();
Set<String> messages = new HashSet<>(messageList);

assertFalse(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
}

@Test
public void testRootInfo() {
String json = "{\n" +
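Review bot: `testSecurityDefinitionApiKeyValid` proves only that one exact message string is absent, so it would still pass if the parser rejected `in: cookie` with differently worded text or returned a scheme with no location. Asserting on the parsed model pins the behaviour, for example `assertTrue(result.getOpenAPI().getComponents().getSecuritySchemes().get("api_key").getIn() == SecurityScheme.In.COOKIE);` (assuming `SecurityScheme` is imported in this test class, which the hunk does not show). Only `cookie` is exercised as a valid value; `header` and `query` take the same path and deserve the same assertion, and the invalid-value test could likewise assert that `getIn()` is null. The `testRootInfo` context at the end of the hunk continues outside it.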