From 056774ff7382d51b7edc702db75e1e04b46d8db4 Mon Sep 17 00:00:00 2001
From: stefan521
Date: Thu, 22 Feb 2024 23:17:19 +0000
Subject: [PATCH] Validate the api key 'in' attribute is cookie header or query.
---
 .../v3/parser/util/OpenAPIDeserializer.java | 4 ++
 .../parser/util/OpenAPIDeserializerTest.java | 53 +++++++++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java
index 1b64179f49..bf10fcd792 100644
--- a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java
+++ b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java
@@ -2426,6 +2426,10 @@ public SecurityScheme getSecurityScheme(ObjectNode node, String location, ParseR
 .filter(in -> in.toString().equals(securitySchemeIn))
 .findFirst();
+ if (inRequired && securitySchemeIn != null && !matchingIn.isPresent()) {
+ result.invalidType(location, "in", "cookie|header|query", node);
+ }
+
 securityScheme.setIn(matchingIn.orElse(null));
 value = getString("scheme", node, schemeRequired, location, result);
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java
index 10b7cfd6b5..e14726ebe2 100644
--- a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java
+++ b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java
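Review bot: The new check only fires when `inRequired` is true, so for a scheme where `in` is optional a present but misspelled value is still silently mapped to null by `securityScheme.setIn(matchingIn.orElse(null))` on the following context line, leaving a scheme with no location and no diagnostic for the author to act on. If `inRequired` is derived from the scheme type (it is assigned outside this hunk, so I cannot confirm), a value that is present should be validated regardless: `if (securitySchemeIn != null && !matchingIn.isPresent()) {`. A short why-comment above the block, `// an unrecognised 'in' must be reported, not silently dropped`, would record the intent, since the filter on the line above is what produces the empty Optional. The enclosing getSecurityScheme method, including the definitions of `inRequired` and `matchingIn`, starts and ends outside the hunk.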
@@ -491,6 +491,59 @@ public void testSecurityDefinitionWithMissingAttribute() {
 assertTrue(messages.contains("attribute components.securitySchemes.api_key.type is missing"));
 }
+ @Test
+ public void testSecurityDefinitionApiKeyWithMissingAttributeIn() {
+ String yaml = "openapi: 3.0.0\n" +
+ "components:\n" +
+ " securitySchemes:\n" +
+ " api_key:\n" +
+ " type: apiKey\n" +
+ " name: X-API-KEY";
+
+ OpenAPIV3Parser parser = new OpenAPIV3Parser();
+ SwaggerParseResult result = parser.readContents(yaml, null, null);
+ List messageList = result.getMessages();
+ Set messages = new HashSet<>(messageList);
+
+ assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is missing"));
+ }
+
+ @Test
+ public void testSecurityDefinitionApiKeyWithInvalidAttributeIn() {
+ String yaml = "openapi: 3.0.0\n" +
+ "components:\n" +
+ " securitySchemes:\n" +
+ " api_key:\n" +
+ " type: apiKey\n" +
+ " name: X-API-KEY\n" +
+ " in: cukie";
+
+ OpenAPIV3Parser parser = new OpenAPIV3Parser();
+ SwaggerParseResult result = parser.readContents(yaml, null, null);
+ List messageList = result.getMessages();
+ Set messages = new HashSet<>(messageList);
+
+ assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
+ }
+
+ @Test
+ public void testSecurityDefinitionApiKeyValid() {
+ String yaml = "openapi: 3.0.0\n" +
+ "components:\n" +
+ " securitySchemes:\n" +
+ " api_key:\n" +
+ " type: apiKey\n" +
+ " name: X-API-KEY\n" +
+ " in: cookie";
+
+ OpenAPIV3Parser parser = new OpenAPIV3Parser();
+ SwaggerParseResult result = parser.readContents(yaml, null, null);
+ List messageList = result.getMessages();
+ Set messages = new HashSet<>(messageList);
+
+ assertFalse(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
+ }
+ @Test
+ public void testRootInfo() {
+ String json = "{\n" +
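Review bot: `List messageList` and `Set messages` in all three new tests are raw types; the messages are strings, so `List<String> messageList = result.getMessages();` and `Set<String> messages = new HashSet<>(messageList);` would remove the unchecked warnings, even if the older test above the hunk uses the raw form. testSecurityDefinitionApiKeyValid only asserts that the invalid-type message is absent, so it would still pass if `in` were silently dropped during parsing; asserting on the parsed scheme's `in` value from `result` would pin the positive path. A fourth case with a differently cased value such as `in: Cookie` would document whether the equals-based match in the deserializer is meant to be case-sensitive, which matters because a rejected or dropped `in` changes how downstream tooling treats the scheme as enforced.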