@mintlify/common 1.0.659 → 1.0.660
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
export declare class ExternalRefError extends Error {
|
|
2
|
+
readonly refs: Array<{
|
|
3
|
+
path: string;
|
|
4
|
+
value: string;
|
|
5
|
+
}>;
|
|
6
|
+
constructor(message: string, refs: Array<{
|
|
7
|
+
path: string;
|
|
8
|
+
value: string;
|
|
9
|
+
}>);
|
|
10
|
+
}
|
|
11
|
+
export declare function checkForExternalRefs(input: unknown): void;
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
import yaml from 'js-yaml';
|
|
2
|
+
export class ExternalRefError extends Error {
|
|
3
|
+
constructor(message, refs) {
|
|
4
|
+
super(message);
|
|
5
|
+
this.refs = refs;
|
|
6
|
+
this.name = 'ExternalRefError';
|
|
7
|
+
}
|
|
8
|
+
}
|
|
9
|
+
function tryParse(value) {
|
|
10
|
+
try {
|
|
11
|
+
return JSON.parse(value);
|
|
12
|
+
}
|
|
13
|
+
catch (_a) {
|
|
14
|
+
try {
|
|
15
|
+
const result = yaml.load(value);
|
|
16
|
+
return typeof result === 'object' ? result : null;
|
|
17
|
+
}
|
|
18
|
+
catch (_b) {
|
|
19
|
+
return null;
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
function validateParseable(input) {
|
|
24
|
+
try {
|
|
25
|
+
JSON.parse(input);
|
|
26
|
+
}
|
|
27
|
+
catch (_a) {
|
|
28
|
+
yaml.load(input);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
function findExternalRefs(input, path = '', refs = [], visited = new WeakSet()) {
|
|
32
|
+
if (typeof input === 'string') {
|
|
33
|
+
const parsed = tryParse(input);
|
|
34
|
+
if (parsed)
|
|
35
|
+
findExternalRefs(parsed, path, refs, visited);
|
|
36
|
+
return refs;
|
|
37
|
+
}
|
|
38
|
+
if (!input || typeof input !== 'object' || visited.has(input))
|
|
39
|
+
return refs;
|
|
40
|
+
visited.add(input);
|
|
41
|
+
if (Array.isArray(input)) {
|
|
42
|
+
input.forEach((item, i) => findExternalRefs(item, `${path}[${i}]`, refs, visited));
|
|
43
|
+
}
|
|
44
|
+
else {
|
|
45
|
+
for (const [key, value] of Object.entries(input)) {
|
|
46
|
+
const newPath = path ? `${path}.${key}` : key;
|
|
47
|
+
if (key === '$ref' && typeof value === 'string' && !value.startsWith('#')) {
|
|
48
|
+
refs.push({ path: newPath, value });
|
|
49
|
+
}
|
|
50
|
+
else {
|
|
51
|
+
findExternalRefs(value, newPath, refs, visited);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
return refs;
|
|
56
|
+
}
|
|
57
|
+
export function checkForExternalRefs(input) {
|
|
58
|
+
if (input == null || (typeof input !== 'string' && typeof input !== 'object'))
|
|
59
|
+
return;
|
|
60
|
+
if (typeof input === 'string')
|
|
61
|
+
validateParseable(input);
|
|
62
|
+
const refs = findExternalRefs(input);
|
|
63
|
+
if (refs.length > 0) {
|
|
64
|
+
const details = refs.map((r) => ` - ${r.path}: ${r.value}`).join('\n');
|
|
65
|
+
throw new ExternalRefError(`External $ref references are not allowed. Found ${refs.length} external reference(s):\n${details}`, refs);
|
|
66
|
+
}
|
|
67
|
+
}
|
|
@@ -8,9 +8,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
8
8
|
});
|
|
9
9
|
};
|
|
10
10
|
import { Parser } from '@asyncapi/parser';
|
|
11
|
+
import { checkForExternalRefs } from './checkForExternalRefs.js';
|
|
11
12
|
export function validateAsyncApi(str) {
|
|
12
13
|
return __awaiter(this, void 0, void 0, function* () {
|
|
13
14
|
try {
|
|
15
|
+
// Throws error if external $ref is found
|
|
16
|
+
checkForExternalRefs(str);
|
|
14
17
|
const parser = new Parser();
|
|
15
18
|
const { document, diagnostics } = yield parser.parse(str);
|
|
16
19
|
if (diagnostics.length > 0) {
|
package/dist/openapi/validate.js
CHANGED
|
@@ -8,6 +8,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
8
8
|
});
|
|
9
9
|
};
|
|
10
10
|
import { validate as scalarValidate } from '@mintlify/openapi-parser';
|
|
11
|
+
import { checkForExternalRefs } from '../asyncapi/checkForExternalRefs.js';
|
|
11
12
|
export const validate = (document) => __awaiter(void 0, void 0, void 0, function* () {
|
|
12
13
|
const result = yield safeValidate(document);
|
|
13
14
|
if ('errorMessage' in result) {
|
|
@@ -16,6 +17,14 @@ export const validate = (document) => __awaiter(void 0, void 0, void 0, function
|
|
|
16
17
|
return result;
|
|
17
18
|
});
|
|
18
19
|
export const safeValidate = (document) => __awaiter(void 0, void 0, void 0, function* () {
|
|
20
|
+
// Check for external $ref references before parsing to prevent SSRF
|
|
21
|
+
try {
|
|
22
|
+
checkForExternalRefs(document);
|
|
23
|
+
}
|
|
24
|
+
catch (error) {
|
|
25
|
+
const errorMessage = error instanceof Error ? error.message : String(error);
|
|
26
|
+
return { errors: [{ message: errorMessage }], valid: false, errorMessage };
|
|
27
|
+
}
|
|
19
28
|
const result = yield scalarValidate(document);
|
|
20
29
|
const { errors, schema, valid, version } = result;
|
|
21
30
|
if (version === '2.0')
|