
Security/fixing vulnerabilities #1779

Merged: js2me merged 9 commits into main from security/fixing-vulnerabilities on Jun 8, 2026

Conversation

@js2me (Member) commented Jun 7, 2026

Summary by cubic

Hardens swagger-typescript-api against code injection and SSRF by escaping untrusted OpenAPI inputs and enforcing safe remote $ref fetching. Covers IPv6 and placeholder-collision edge cases.

  • Bug Fixes

    • Escape enum string values in generated TypeScript to prevent execution on import.
    • Escape servers[0].url before rendering to stop baseUrl injection in axios/fetch clients.
    • Sanitize OpenAPI path strings for template literals while preserving ${param} placeholders; use a single-pass algorithm to avoid placeholder collisions.
    • Remote $ref hardening: block private/loopback/link-local addresses and localhost for cross-origin fetches; handle IPv6 literals and IPv4-mapped IPv6 correctly (strip brackets, detect hex-hextet forms); allow same-origin and the explicit spec --url; manually follow up to 5 redirects with re-validation; forward authorizationToken only to same-origin URLs.
  • Migration

    • Restored sta CLI alias for swagger-typescript-api; no action needed.

Written for commit 7f77496. Summary will update on new commits.

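The first bullets above describe escaping untrusted spec strings before they are pasted into generated TypeScript. The block below is an added illustration in TypeScript, not code from swagger-typescript-api or from this PR; the function names (escapeStringLiteral, renderEnumUnsafe, renderEnum, escapePathForTemplateLiteral, renderRoutePath) and the enum member naming are assumptions. It shows the JSON.stringify().slice(1, -1) escape that a later commit adopts, an unescaped enum renderer beside its hardened form, and a single-pass path sanitizer that turns {name} into a deliberate ${name} interpolation while escaping a literal ${, backtick and backslash.

```typescript
// Added example, not swagger-typescript-api's own code; all names are hypothetical.

// JSON.stringify escapes quotes, backslashes and control characters; slicing off
// the surrounding quotes lets the caller choose the quote style.
function escapeStringLiteral(value: string): string {
  return JSON.stringify(value).slice(1, -1);
}

// Before: enum values were pasted into the generated source verbatim, so a value
// containing a quote could close the literal and append statements that run on import.
function renderEnumUnsafe(name: string, values: string[]): string {
  const members = values.map((v, i) => `  V${i} = "${v}",`).join("\n");
  return `export enum ${name} {\n${members}\n}`;
}

// After: every value goes through escapeStringLiteral first.
function renderEnum(name: string, values: string[]): string {
  const members = values.map((v, i) => `  V${i} = "${escapeStringLiteral(v)}",`).join("\n");
  return `export enum ${name} {\n${members}\n}`;
}

// Turn an OpenAPI path into the body of a JS template literal in one pass:
// "{name}" with an identifier-like name becomes a deliberate ${name} interpolation;
// everything else, including a literal "${", "`" and "\", is escaped. Each character
// is classified exactly once, so there is no placeholder token that spec data could
// collide with (the failure mode of a substitute-escape-restore round trip).
function escapePathForTemplateLiteral(path: string): string {
  let out = "";
  let i = 0;
  while (i < path.length) {
    const ch = path[i];
    if (ch === "{") {
      const close = path.indexOf("}", i + 1);
      const name = close === -1 ? "" : path.slice(i + 1, close);
      if (close !== -1 && /^[A-Za-z_$][\w$]*$/.test(name)) {
        out += "${" + name + "}";
        i = close + 1;
        continue;
      }
    }
    if (ch === "`" || ch === "\\") out += "\\" + ch;
    else if (ch === "$" && path[i + 1] === "{") out += "\\$";
    else out += ch;
    i += 1;
  }
  return out;
}

// The route string as it would appear in a generated client, inside backticks.
function renderRoutePath(path: string): string {
  return "`" + escapePathForTemplateLiteral(path) + "`";
}
```

A path key such as `/x/${...}` in a malicious spec therefore reaches the generated client as `\${...}`, plain text inside the template literal, while `/users/{id}` still becomes `/users/${id}`.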

js2me and others added 4 commits June 8, 2026 00:01
Reject cross-origin fetches to private and loopback addresses, validate
redirect targets manually, and extend the changeset to cover both advisories.

Co-authored-by: Cursor <cursoragent@cursor.com>
Malicious OpenAPI specs could break out of string literals in axios
and fetch client constructors via unescaped servers[0].url, leading
to arbitrary code execution when consumers instantiate HttpClient.

Co-authored-by: Cursor <cursoragent@cursor.com>
Malicious OpenAPI specs could inject executable JavaScript via enum string
values (module-load RCE on import) and path keys (${…} in template literals
on every method call). Ts.StringValue now escapes string literals; route paths
are sanitized before deliberate path-param interpolations are inserted.

Co-authored-by: Cursor <cursoragent@cursor.com>
@changeset-bot (Bot) commented Jun 7, 2026

🦋 Changeset detected

Latest commit: 7f77496

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

Name                    Type
swagger-typescript-api  Patch


Co-authored-by: Cursor <cursoragent@cursor.com>

@cubic-dev-ai (Bot) left a comment

4 issues found across 19 files

Reply with feedback, questions, or to request a fix.


Comment thread src/util/escape-js-template-literal-with-path-params.ts Outdated
Comment thread tests/http-client-base-url-injection.test.ts Outdated
Comment thread src/util/remote-schema-fetch.ts
Comment thread src/util/remote-schema-fetch.ts Outdated
js2me and others added 2 commits June 8, 2026 00:47
Strip brackets from URL.hostname for IPv6 literals so net.isIP() and
dns.lookup() work correctly. Handle hex-hextet normalized IPv4-mapped
IPv6 addresses in isPrivateIpv6. Replace placeholder-based roundtrip
in escapeJsTemplateLiteralWithPathParams with a collision-free
single-pass algorithm. Make baseUrl injection test assertion
quote-style-agnostic.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
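As an added example in TypeScript, not the project's own code, here is a remote $ref fetch guard that implements the rules from the PR summary and the commit message above: bracket stripping for IPv6 literals, detection of IPv4-mapped addresses in both the dotted and the hex-hextet form, loopback, link-local and private ranges, localhost, a same-origin allowance that also covers the spec URL itself, manual redirect following (5 hops) with re-validation of every hop, and forwarding the token only to the spec's origin. Everything in it is hypothetical: the function names, the FetchOptions shape, the injectable Resolve hook that stands in for the dns.lookup() call the commit mentions, and the constructed in-memory fake server.

```typescript
// Added example, not swagger-typescript-api's own code: a remote $ref fetch guard built from
// the rules in the PR summary. Function names, options shape and fake server are assumptions.
function parseIpv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((x) => x <= 255) ? o : null;
}
function isPrivateIpv4(o: number[]): boolean {
  // this-net, 10/8, loopback, 172.16/12, 192.168/16, 169.254/16 (link-local; cloud metadata lives here)
  return o[0] === 0 || o[0] === 10 || o[0] === 127 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// Expand an IPv6 literal to 8 hextets. Accepts "::" compression, a dotted IPv4 tail
// (::ffff:127.0.0.1) and the hex form (::ffff:7f00:1) the WHATWG URL parser normalizes it to.
function parseIpv6(host: string): number[] | null {
  let s = host;
  const v4 = /^(.*:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(s);
  if (v4) {
    const o = parseIpv4(v4[2]);
    if (!o) return null;
    s = `${v4[1]}${((o[0] << 8) | o[1]).toString(16)}:${((o[2] << 8) | o[3]).toString(16)}`;
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && fill < 1) return null;
  const groups = [...head, ...new Array<string>(fill).fill("0"), ...tail];
  if (groups.length !== 8) return null;
  const hextets = groups.map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : -1));
  return hextets.some((h) => h < 0) ? null : hextets;
}

function isPrivateIpv6(h: number[]): boolean {
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) { // IPv4-mapped: the inner IPv4 decides
    return isPrivateIpv4([h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff]);
  }
  if (h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) return true; // :: and ::1
  if ((h[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return (h[0] & 0xfe00) === 0xfc00; // fc00::/7 unique-local
}
type Resolve = (name: string) => string | null; // DNS name -> address literal, or null if unknown
const noResolve: Resolve = () => null;
// URL.hostname keeps the brackets around IPv6 literals; strip them before classifying.
function isBlockedHost(hostname: string, resolve: Resolve = noResolve): boolean {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = parseIpv4(host);
  if (v4) return isPrivateIpv4(v4);
  const v6 = parseIpv6(host);
  if (v6) return isPrivateIpv6(v6);
  const addr = resolve(host); // a DNS name is judged by the address it resolves to
  return addr !== null && isBlockedHost(addr);
}
// Same-origin refs (the spec URL's own host) are allowed because the user chose that host;
// cross-origin refs must not point into internal address space.
function isAllowedRefTarget(target: string, specUrl: string, resolve: Resolve = noResolve): boolean {
  const t = new URL(target);
  if (t.protocol !== "http:" && t.protocol !== "https:") return false;
  if (t.origin === new URL(specUrl).origin) return true;
  return !isBlockedHost(t.hostname, resolve);
}

type RefResponse = { status: number; location?: string; body?: string };
type Fetcher = (url: string, headers: Record<string, string>) => RefResponse;
type FetchOptions = { specUrl: string; token?: string; fetchOnce: Fetcher; resolve?: Resolve; maxRedirects?: number };

// Follow redirects by hand so every hop is re-validated; the token goes only to the spec's origin.
function fetchRef(start: string, opts: FetchOptions): RefResponse {
  const max = opts.maxRedirects ?? 5;
  let current = start;
  for (let hop = 0; hop <= max; hop++) {
    if (!isAllowedRefTarget(current, opts.specUrl, opts.resolve)) throw new Error(`blocked $ref target: ${current}`);
    const headers: Record<string, string> = {};
    if (opts.token && new URL(current).origin === new URL(opts.specUrl).origin) headers["authorization"] = opts.token;
    const res = opts.fetchOnce(current, headers);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href; // Location may be relative
      continue;
    }
    return res;
  }
  throw new Error(`more than ${max} redirects from ${start}`);
}

// Constructed in-memory "server" for the demo; it records the headers each request carried.
const sentHeaders: Record<string, Record<string, string>> = {};
const fakeServer: Record<string, RefResponse> = {
  "https://api.example.com/schemas/user.json": { status: 200, body: "{}" },
  "https://cdn.example.org/common.json": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "https://cdn.example.org/loop.json": { status: 302, location: "/loop.json" },
};
const fakeFetch: Fetcher = (url, headers) => {
  sentHeaders[url] = headers;
  return fakeServer[url] ?? { status: 404 };
};
```

Design note on the Resolve hook: when a resolver is supplied, the address it returns should be the one the HTTP client actually connects to. Validating the result of one lookup and then letting the client resolve the name a second time leaves a window in which the second answer can differ (DNS rebinding), so the resolved address is best pinned for the connection.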
Comment thread tests/http-client-base-url-injection.test.ts Fixed
Comment thread tests/http-client-base-url-injection.test.ts Fixed
Replace ad-hoc replace(/"/g, '\\"') with JSON.stringify().slice(1, -1)
which correctly handles backslashes and control characters too.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@js2me js2me merged commit 306d59a into main Jun 8, 2026
13 checks passed
@js2me js2me deleted the security/fixing-vulnerabilities branch June 8, 2026 12:45
@github-actions github-actions Bot mentioned this pull request Jun 8, 2026