From e423fad030400d8f02fc4ca9da0f16d705a62b23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stef=20Ch=C3=A4ser?=
Date: Fri, 15 Nov 2024 08:56:22 +0100
Subject: [PATCH] chore: fix url check allow also other urls like: ../complete-api.yaml
---
 src/deps/helper.js | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/deps/helper.js b/src/deps/helper.js
index 8faa1ce..0fb3a23 100644
--- a/src/deps/helper.js
+++ b/src/deps/helper.js
@@ -29,14 +29,18 @@ $ = function (f) {
 Handlebars.templates.signature = Handlebars.compile('{{sanitize signature}}');
- var url = "../model/openapi/api.yaml";
- if(window.location.search !="?url="+url) {
- window.location.search = "?url="+url;
- }
+ var url = new URL(window.location).searchParams.get('url')
+
 if (!url) {
 alert('Please specify the API to display using the "url" query parameter.\nE.g. ' + location.origin + location.pathname + '?url=/src/openapi/api.yaml');
 return;
 }
+
+ var fallbackUrl = "../model/openapi/api.yaml";
+ if(!isValidUrl(url)) {
+ window.location.search = "?url="+fallbackUrl;
+ }
+
 if (!window.fetch) {
 alert('Please use a Browser.\nIt should at least support "fetch".');
 return;
@@ -112,6 +116,22 @@ $ = function (f) {
 )
 }
+ function isValidUrl(referencedUrl){
+ // must be relative url
+ if(!referencedUrl.startsWith('../')){
+ return false;
+ }
+ // only allow referencing max two parent directories
+ var matches = referencedUrl.match(/\.\.\//g);
+ if(matches && matches.length > 2){
+ return false;
+ }
+
+ // additional check
+ var referencedAbsoluteUrl = getAbsoluteUrl(referencedUrl)
+ return new URL(referencedAbsoluteUrl).origin == new URL(location.href).origin
+ }
+
 function isLocalSchema(models, schema) {
 return _.any(models, function (m) {
 return normalize(schema.extra.filename) === normalize(m);
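Review bot: The fallback branch `if(!isValidUrl(url)) { window.location.search = "?url="+fallbackUrl; }` assigns the new location but does not return, so the rest of the function keeps running with the rejected `url` until the navigation actually happens; add `return;` after the assignment, the way the `!url` branch just above it does. The alert in the same hunk still advertises `?url=/src/openapi/api.yaml` as the example, which `isValidUrl` would reject because it requires a `../` prefix, so the example should be one the check accepts, e.g. `?url=../model/openapi/api.yaml`. `var url = new URL(window.location).searchParams.get('url')` also drops the semicolon the surrounding lines use. The enclosing `$ = function (f)` body starts before and ends after this hunk.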
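Review bot: `isValidUrl` enforces the two-parent-directory limit by counting literal `../` with `/\.\.\//g` on the raw string, but the URL parser also normalizes percent-encoded dot segments (`%2e%2e/`, `.%2e/`, `%2e./`), so a value such as `../%2e%2e/%2e%2e/x.yaml` passes the count while resolving three levels up; the origin comparison at the end only keeps the request same-origin and does not restore the depth limit. How far that reaches depends on `getAbsoluteUrl`, which is not in this diff. Resolving the value with `new URL(referencedUrl, location.href)` and checking the normalized `pathname` against the intended base directory makes the check independent of how the input is spelled; the sketch below uses `../../` relative to the page as that base, which you should confirm is the directory the limit was meant to express. The origin test uses `==` while `isLocalSchema` below uses `===`; prefer `===`. The enclosing `$ = function (f)` body starts before and ends after this hunk.
```javascript
    function isValidUrl(referencedUrl){
        // must be relative url
        if(!referencedUrl.startsWith('../')){
            return false;
        }
        // resolve first so encoded dot segments (%2e%2e/, .%2e/) are normalized
        // before the depth and origin checks run
        var resolved = new URL(referencedUrl, location.href);
        // only allow referencing max two parent directories above this page
        var allowedBase = new URL('../../', location.href);
        return resolved.origin === location.origin
            && resolved.pathname.startsWith(allowedBase.pathname);
    }
```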