From d5def75ffa890ca45e8d28a826cfce94a7e33c40 Mon Sep 17 00:00:00 2001 From: grzegorz-moto <60603738+grzegorz-moto@users.noreply.github.com> Date: Fri, 5 Jun 2020 12:15:07 +0200 Subject: [PATCH 1/3] remove the dead code Remove the dead code from ApiClient The code is not used, and it contains a log forgery vulnerability: it writes unvalidated HTTP headers to the log. An attacker could take advantage of this behaviour to forge log entries or inject malicious content into the log. --- .../libraries/webclient/ApiClient.mustache | 52 ------------------- 1 file changed, 52 deletions(-) diff --git a/modules/openapi-generator/src/main/resources/Java/libraries/webclient/ApiClient.mustache b/modules/openapi-generator/src/main/resources/Java/libraries/webclient/ApiClient.mustache index 72b80bac81a8..f38a9b8c4501 100644 --- a/modules/openapi-generator/src/main/resources/Java/libraries/webclient/ApiClient.mustache +++ b/modules/openapi-generator/src/main/resources/Java/libraries/webclient/ApiClient.mustache
@@ -647,56 +647,4 @@ public class ApiClient { return collectionFormat.collectionToString(values); } - - private class ApiClientHttpRequestInterceptor implements ClientHttpRequestInterceptor { - private final Log log = LogFactory.getLog(ApiClientHttpRequestInterceptor.class); - - @Override - public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { - logRequest(request, body); - ClientHttpResponse response = execution.execute(request, body); - logResponse(response); - return response; - } - - private void logRequest(HttpRequest request, byte[] body) throws UnsupportedEncodingException { - log.info("URI: " + request.getURI()); - log.info("HTTP Method: " + request.getMethod()); - log.info("HTTP Headers: " + headersToString(request.getHeaders())); - log.info("Request Body: " + new String(body, StandardCharsets.UTF_8)); - } - - private void logResponse(ClientHttpResponse response) throws IOException { - log.info("HTTP Status Code: " + response.getRawStatusCode()); - log.info("Status Text: " + response.getStatusText()); - log.info("HTTP Headers: " + headersToString(response.getHeaders())); - log.info("Response Body: " + bodyToString(response.getBody())); - } - - private String headersToString(HttpHeaders headers) { - StringBuilder builder = new StringBuilder(); - for(Entry> entry : headers.entrySet()) { - builder.append(entry.getKey()).append("=["); - for(String value : entry.getValue()) { - builder.append(value).append(","); - } - builder.setLength(builder.length() - 1); // Get rid of trailing comma - builder.append("],"); - } - builder.setLength(builder.length() - 1); // Get rid of trailing comma - return builder.toString(); - } - - private String bodyToString(InputStream body) throws IOException { - StringBuilder builder = new StringBuilder(); - BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(body, StandardCharsets.UTF_8)); - String line = bufferedReader.readLine(); - while 
(line != null) { - builder.append(line).append(System.lineSeparator()); - line = bufferedReader.readLine(); - } - bufferedReader.close(); - return builder.toString(); - } - } } From c703ed5b515f24d08203acae6038090fe6dff25e Mon Sep 17 00:00:00 2001 From: Grzegorz Szyszka Date: Fri, 5 Jun 2020 14:58:27 +0200 Subject: [PATCH 2/3] update Petstore samples --- .../org/openapitools/client/ApiClient.java | 52 ------------------- .../java/jersey2-java8/docs/FakeApi.md | 2 +- .../org/openapitools/client/api/FakeApi.java | 4 +- .../openapitools/client/model/FormatTest.java | 2 +- .../client/model/InlineObject3.java | 2 +- 5 files changed, 5 insertions(+), 57 deletions(-) diff --git a/samples/client/petstore/java/webclient/src/main/java/org/openapitools/client/ApiClient.java b/samples/client/petstore/java/webclient/src/main/java/org/openapitools/client/ApiClient.java index 72af8b68035d..a2e1d8abab2b 100644 --- a/samples/client/petstore/java/webclient/src/main/java/org/openapitools/client/ApiClient.java +++ b/samples/client/petstore/java/webclient/src/main/java/org/openapitools/client/ApiClient.java 
@@ -643,56 +643,4 @@ public String collectionPathParameterToString(CollectionFormat collectionFormat, return collectionFormat.collectionToString(values); } - - private class ApiClientHttpRequestInterceptor implements ClientHttpRequestInterceptor { - private final Log log = LogFactory.getLog(ApiClientHttpRequestInterceptor.class); - - @Override - public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException { - logRequest(request, body); - ClientHttpResponse response = execution.execute(request, body); - logResponse(response); - return response; - } - - private void logRequest(HttpRequest request, byte[] body) throws UnsupportedEncodingException { - log.info("URI: " + request.getURI()); - log.info("HTTP Method: " + request.getMethod()); - log.info("HTTP Headers: " + headersToString(request.getHeaders())); - log.info("Request Body: " + new String(body, StandardCharsets.UTF_8)); - } - - private void logResponse(ClientHttpResponse response) throws IOException { - log.info("HTTP Status Code: " + response.getRawStatusCode()); - log.info("Status Text: " + response.getStatusText()); - log.info("HTTP Headers: " + headersToString(response.getHeaders())); - log.info("Response Body: " + bodyToString(response.getBody())); - } - - private String headersToString(HttpHeaders headers) { - StringBuilder builder = new StringBuilder(); - for(Entry> entry : headers.entrySet()) { - builder.append(entry.getKey()).append("=["); - for(String value : entry.getValue()) { - builder.append(value).append(","); - } - builder.setLength(builder.length() - 1); // Get rid of trailing comma - builder.append("],"); - } - builder.setLength(builder.length() - 1); // Get rid of trailing comma - return builder.toString(); - } - - private String bodyToString(InputStream body) throws IOException { - StringBuilder builder = new StringBuilder(); - BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(body, 
StandardCharsets.UTF_8)); - String line = bufferedReader.readLine(); - while (line != null) { - builder.append(line).append(System.lineSeparator()); - line = bufferedReader.readLine(); - } - bufferedReader.close(); - return builder.toString(); - } - } } diff --git a/samples/openapi3/client/petstore/java/jersey2-java8/docs/FakeApi.md b/samples/openapi3/client/petstore/java/jersey2-java8/docs/FakeApi.md index 9c912ded09eb..402d6f6bc786 100644 --- a/samples/openapi3/client/petstore/java/jersey2-java8/docs/FakeApi.md +++ b/samples/openapi3/client/petstore/java/jersey2-java8/docs/FakeApi.md @@ -670,7 +670,7 @@ Name | Type | Description | Notes **string** | **String**| None | [optional] **binary** | **File**| None | [optional] **date** | **LocalDate**| None | [optional] - **dateTime** | **OffsetDateTime**| None | [optional] [default to OffsetDateTime.parse("2010-02-01T17:20:10.111110+08:00[Asia/Hong_Kong]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))] + **dateTime** | **OffsetDateTime**| None | [optional] [default to OffsetDateTime.parse("2010-02-01T10:20:10.111110+01:00[Europe/Warsaw]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))] **password** | **String**| None | [optional] **paramCallback** | **String**| None | [optional] diff --git a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/api/FakeApi.java b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/api/FakeApi.java index eed4c3185988..6debfbb6845f 100644 --- a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/api/FakeApi.java +++ b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/api/FakeApi.java 
@@ -639,7 +639,7 @@ public ApiResponse testClientModelWithHttpInfo(Client client) throws Api * @param string None (optional) * @param binary None (optional) * @param date None (optional) - * @param dateTime None (optional, default to OffsetDateTime.parse("2010-02-01T17:20:10.111110+08:00[Asia/Hong_Kong]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))) + * @param dateTime None (optional, default to OffsetDateTime.parse("2010-02-01T10:20:10.111110+01:00[Europe/Warsaw]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))) * @param password None (optional) * @param paramCallback None (optional) * @throws ApiException if fails to make API call @@ -668,7 +668,7 @@ public void testEndpointParameters(BigDecimal number, Double _double, String pat * @param string None (optional) * @param binary None (optional) * @param date None (optional) - * @param dateTime None (optional, default to OffsetDateTime.parse("2010-02-01T17:20:10.111110+08:00[Asia/Hong_Kong]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))) + * @param dateTime None (optional, default to OffsetDateTime.parse("2010-02-01T10:20:10.111110+01:00[Europe/Warsaw]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault()))) * @param password None (optional) * @param paramCallback None (optional) * @return ApiResponse<Void> diff --git a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/FormatTest.java b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/FormatTest.java index f66ee0018894..94c8bf329f40 100644 --- a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/FormatTest.java +++ b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/FormatTest.java 
@@ -339,7 +339,7 @@ public FormatTest date(LocalDate date) { * Get date * @return date **/ - @ApiModelProperty(example = "Sun Feb 02 08:00:00 HKT 2020", required = true, value = "") + @ApiModelProperty(example = "Sun Feb 02 01:00:00 CET 2020", required = true, value = "") @JsonProperty(JSON_PROPERTY_DATE) @JsonInclude(value = JsonInclude.Include.ALWAYS) diff --git a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java index 7cf78a40b3de..fb33973ddda4 100644 --- a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java +++ b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java @@ -82,7 +82,7 @@ public class InlineObject3 { private LocalDate date; public static final String JSON_PROPERTY_DATE_TIME = "dateTime"; - private OffsetDateTime dateTime = OffsetDateTime.parse("2010-02-01T17:20:10.111110+08:00[Asia/Hong_Kong]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault())); + private OffsetDateTime dateTime = OffsetDateTime.parse("2010-02-01T10:20:10.111110+01:00[Europe/Warsaw]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault())); public static final String JSON_PROPERTY_PASSWORD = "password"; private String password; From 6792259b4ff786e7977ca020bc0245991b13ab94 Mon Sep 17 00:00:00 2001 From: grzegorz-moto <60603738+grzegorz-moto@users.noreply.github.com> Date: Tue, 16 Jun 2020 10:44:33 +0200 Subject: [PATCH 3/3] whitespace --- .../main/java/org/openapitools/client/model/InlineObject3.java | 1 - 1 file changed, 1 deletion(-) 
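Review bot: The regenerated default `private OffsetDateTime dateTime = OffsetDateTime.parse("2010-02-01T10:20:10.111110+01:00[Europe/Warsaw]", ...)` in InlineObject3.java replaces an `Asia/Hong_Kong` value with what appears to be the regenerating machine's local zone, and the same churn shows in the FormatTest example (`HKT` → `CET`) and the FakeApi javadoc in this patch. Those changes have nothing to do with removing the logging interceptor and will flip again on the next contributor's machine, so they point to a non-reproducible sample generator rather than an intended update. I would drop the three jersey2-java8 files from this patch (the third patch in the series already deletes this initializer, which suggests they never belonged here) and separately have the generator render date-time defaults in a fixed zone, e.g. `2010-02-01T09:20:10.111110Z`, so regenerated samples are stable. The enclosing class InlineObject3 starts and ends outside the hunk.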
diff --git a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java index 3006b2736b9e..6270a48fdf87 100644 --- a/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java +++ b/samples/openapi3/client/petstore/java/jersey2-java8/src/main/java/org/openapitools/client/model/InlineObject3.java @@ -86,7 +86,6 @@ public class InlineObject3 { private LocalDate date; public static final String JSON_PROPERTY_DATE_TIME = "dateTime"; - private OffsetDateTime dateTime = OffsetDateTime.parse("2010-02-01T09:20:10.111110Z[UTC]", java.time.format.DateTimeFormatter.ISO_ZONED_DATE_TIME.withZone(java.time.ZoneId.systemDefault())); public static final String JSON_PROPERTY_PASSWORD = "password";