[BUG][JAVASCRIPT] Possible Code injection in generated javascript SDK client
Created by: ajayd942
Description
People could provide a tampered API spec file and generate an SDK that would execute arbitrary code.
openapi-generator version
5.2.0. Also took the latest master and generated an artifact using it; still saw the issue there. SHA: 75fc1383
OpenAPI declaration file content or url
swagger: "2.0"
info:
  title: inactivetitle
  description: inactivedescription
  version: 1.0.0
host: api.inactive.com
basePath: /inactivebasepath/v1
schemes:
  - https
paths:
  /ioactiveapth','GET',pathParams,queryParams,headerParams,formParams,postBody,authNames,contentTypes,accepts,returnType,null,callback)&&console.log('godmode');returnType=('a:
    get:
      summary: inactivesummary
      description: inactivedescription
      produces:
        - application/json
      responses:
        200:
          description: OK
Command line used for generation
./run-in-docker.sh generate -i ./petstore.yaml -g javascript -o /gen/out/javascript-petstore
Steps to reproduce
- Run the above command to generate a JavaScript SDK client with the given YAML file (the command assumes the file is named petstore.yaml)
- Go to javascript-petstore/src/api/DefaultApi.js in the generated SDK artifact
- You can see the injected code as shown in the screenshot below (console.log('godmode');):
return this.apiClient.callApi(
  '/ioactiveapth','GET',pathParams,queryParams,headerParams,formParams,postBody,authNames,contentTypes,accepts,returnType,null,callback)&&console.log('godmode');returnType=('a', 'GET',
  pathParams, queryParams, headerParams, formParams, postBody,
  authNames, contentTypes, accepts, returnType, null, callback
);
}
Related issues/PRs
No PR created yet
Suggest a fix/enhancement
No suggested fix. We need to scan the keys in our spec YAML file for possible injection. The same injection cannot be achieved via values in the YAML file. As the path is a kind of key, I suspect this is possible.
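The following is an added example, not code from the report above or from openapi-generator itself. It mimics how a generated JavaScript client method embeds the spec's path key in a single-quoted string literal, compiles the rendered method body against a stub apiClient and a stub console, and shows that the path key from the report closes the literal and executes the appended console.log. It then shows two fixes: emitting the path with JSON.stringify, which yields a valid string literal for any input, and rejecting path keys that cannot legitimately be part of a URL template before any template runs. The argument names, the stub apiClient, and the SAFE_PATH allow-list are assumptions for illustration.

```javascript
// Added example: naive vs hardened emission of a spec path key into a
// generated JS client, plus a key validator. Not openapi-generator code.

// The path key from the reported spec, reconstructed as a JS string (constructed input).
const MALICIOUS_PATH =
  "/ioactiveapth','GET',pathParams,queryParams,headerParams,formParams," +
  "postBody,authNames,contentTypes,accepts,returnType,null,callback)" +
  "&&console.log('godmode');returnType=('a";

// Argument list used by the generated callApi invocation (assumed names).
const ARGS = 'pathParams, queryParams, headerParams, formParams, postBody, ' +
  'authNames, contentTypes, accepts, returnType, null, callback';

// Naive emission: the raw key is written between single quotes, the same way a
// template fragment like '{{path}}' would write it. No escaping at all.
function renderNaive(path) {
  return `return this.apiClient.callApi('${path}', 'GET', ${ARGS});`;
}

// Hardened emission: JSON.stringify escapes quotes and backslashes, so the key
// becomes data inside the literal and can no longer add code after it.
function renderSafe(path) {
  return `return this.apiClient.callApi(${JSON.stringify(path)}, 'GET', ${ARGS});`;
}

// Allow-list for path keys (assumed policy): a leading slash followed by URL
// characters and {param} placeholders. Quotes, parentheses, '&', ';' and
// whitespace are all rejected, so a key like MALICIOUS_PATH fails at parse time.
const SAFE_PATH = /^\/[A-Za-z0-9._~\-\/{}%]*$/;
function isSafePathKey(key) {
  return typeof key === 'string' && SAFE_PATH.test(key);
}

// Compile a rendered method body and run it with stub collaborators, recording
// every callApi invocation and every console.log the generated code performs.
function runGenerated(body) {
  const calls = [];
  const logged = [];
  const ctx = { apiClient: { callApi: (...args) => { calls.push(args); return true; } } };
  const fakeConsole = { log: (...args) => { logged.push(args.join(' ')); } };
  const method = new Function(
    'console', 'pathParams', 'queryParams', 'headerParams', 'formParams',
    'postBody', 'authNames', 'contentTypes', 'accepts', 'returnType', 'callback',
    body);
  method.call(ctx, fakeConsole, {}, {}, {}, {}, null, [], [], [], null, null);
  return { calls, logged };
}

// Stand-alone demo: the naive rendering logs 'godmode' and calls callApi with
// the truncated path '/ioactiveapth'; the safe rendering passes the whole key
// through as an (ugly but harmless) path and logs nothing.
function demo() {
  const naive = runGenerated(renderNaive(MALICIOUS_PATH));
  const safe = runGenerated(renderSafe(MALICIOUS_PATH));
  return {
    naiveLogged: naive.logged,
    naivePath: naive.calls[0][0],
    safeLogged: safe.logged,
    safePathIsWholeKey: safe.calls[0][0] === MALICIOUS_PATH,
    keyRejected: !isSafePathKey(MALICIOUS_PATH),
    normalKeyAccepted: isSafePathKey('/pets/{petId}'),
  };
}

console.log(demo());
```

Escaping the literal only closes this one sink: the same key also flows into comments, identifiers and doc strings in other templates, and each of those contexts needs its own escaping rule. Validating the keys once at spec-parse time and refusing to generate is the more robust fix, which is why the validator is shown alongside the escaping.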