SWG-9288 adding tests

swagger-api · Jan 4, 2024 · 6454140 · 6454140
1 parent 1f0a435
commit 6454140
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 0 deletions.
diff --git a/modules/swagger-parser/src/test/java/io/swagger/parser/SwaggerParserTest.java b/modules/swagger-parser/src/test/java/io/swagger/parser/SwaggerParserTest.java
@@ -3,6 +3,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThrows;
 import static org.testng.Assert.assertNull;
 import static org.testng.Assert.assertTrue;
 import static org.testng.Assert.fail;
@@ -1790,4 +1791,89 @@ public void testInlineModelResolverByLocation() {
         assertTrue(userAddress.getProperties().containsKey("city"));
         assertTrue(userAddress.getProperties().containsKey("street"));
     }
+
+    @Test(description = "Test safe resolving")
+    public void test20SafeURLResolving() throws IOException {
+        String yaml = new String(Files.readAllBytes(new File("src/test/resources/safelyResolve/oas20SafeUrlResolvingWithPetstore.yaml").toPath()), "UTF-8");
+        JsonNode jsonNodeSwagger = Yaml.mapper().readValue(yaml, JsonNode.class);
+
+        ParseOptions parseOptions = new ParseOptions();
+        parseOptions.setResolve(true);
+        parseOptions.setSafelyResolveURL(true);
+        List<String> allowList = Collections.emptyList();
+        List<String> blockList = Collections.emptyList();
+        parseOptions.setRemoteRefAllowList(allowList);
+        parseOptions.setRemoteRefBlockList(blockList);
+
+        new SwaggerParser().read(jsonNodeSwagger, null, parseOptions);
+    }
+
+    @Test(description = "Test safe resolving with blocked URL")
+    public void test20SafeURLResolvingWithBlockedURL() throws IOException {
+        String yaml = new String(Files.readAllBytes(new File("src/test/resources/safelyResolve/oas20SafeUrlResolvingWithPetstore.yaml").toPath()), "UTF-8");
+        JsonNode jsonNodeSwagger = Yaml.mapper().readValue(yaml, JsonNode.class);
+
+        ParseOptions parseOptions = new ParseOptions();
+        parseOptions.setResolve(true);
+        parseOptions.setSafelyResolveURL(true);
+        List<String> allowList = Collections.emptyList();
+        List<String> blockList = Arrays.asList("petstore3.swagger.io");
+        parseOptions.setRemoteRefAllowList(allowList);
+        parseOptions.setRemoteRefBlockList(blockList);
+
+        assertThrows(RuntimeException.class, () -> {
+            new SwaggerParser().read(jsonNodeSwagger, null, parseOptions);
+        });
+    }
+
+    @Test(description = "Test safe resolving with turned off safelyResolveURL option")
+    public void test20SafeURLResolvingWithTurnedOffSafeResolving() throws IOException {
+        String yaml = new String(Files.readAllBytes(new File("src/test/resources/safelyResolve/oas20SafeUrlResolvingWithPetstore.yaml").toPath()), "UTF-8");
+        JsonNode jsonNodeSwagger = Yaml.mapper().readValue(yaml, JsonNode.class);
+
+        ParseOptions parseOptions = new ParseOptions();
+        parseOptions.setResolve(false);
+        parseOptions.setSafelyResolveURL(true);
+        List<String> allowList = Collections.emptyList();
+        List<String> blockList = Arrays.asList("petstore3.swagger.io");
+        parseOptions.setRemoteRefAllowList(allowList);
+        parseOptions.setRemoteRefBlockList(blockList);
+
+        new SwaggerParser().read(jsonNodeSwagger, null, parseOptions);
+    }
+
+    @Test(description = "Test safe resolving with localhost and blocked url")
+    public void test20SafeURLResolvingWithLocalhostAndBlockedURL() throws IOException {
+        String yaml = new String(Files.readAllBytes(new File("src/test/resources/safelyResolve/oas20SafeUrlResolvingWithLocalhost.yaml").toPath()), "UTF-8");
+        JsonNode jsonNodeSwagger = Yaml.mapper().readValue(yaml, JsonNode.class);
+
+        ParseOptions parseOptions = new ParseOptions();
+        parseOptions.setResolve(true);
+        parseOptions.setSafelyResolveURL(true);
+        List<String> allowList = Collections.emptyList();
+        List<String> blockList = Arrays.asList("petstore.swagger.io");
+        parseOptions.setRemoteRefAllowList(allowList);
+        parseOptions.setRemoteRefBlockList(blockList);
+
+        assertThrows(RuntimeException.class, () -> {
+            new SwaggerParser().read(jsonNodeSwagger, null, parseOptions);
+        });    }
+
+    @Test(description = "Test safe resolving with localhost url")
+    public void test20SafeURLResolvingWithLocalhost() throws IOException {
+        String yaml = new String(Files.readAllBytes(new File("src/test/resources/safelyResolve/oas20SafeUrlResolvingWithLocalhost.yaml").toPath()), "UTF-8");
+        JsonNode jsonNodeSwagger = Yaml.mapper().readValue(yaml, JsonNode.class);
+
+        ParseOptions parseOptions = new ParseOptions();
+        parseOptions.setResolve(true);
+        parseOptions.setSafelyResolveURL(true);
+        List<String> allowList = Collections.emptyList();
+        List<String> blockList = Collections.emptyList();
+        parseOptions.setRemoteRefAllowList(allowList);
+        parseOptions.setRemoteRefBlockList(blockList);
+
+        assertThrows(RuntimeException.class, () -> {
+            new SwaggerParser().read(jsonNodeSwagger, null, parseOptions);
+        });
+    }
 }
diff --git a/...s/swagger-parser/src/test/resources/safelyResolve/oas20SafeUrlResolvingWithLocalhost.yaml b/...s/swagger-parser/src/test/resources/safelyResolve/oas20SafeUrlResolvingWithLocalhost.yaml
@@ -0,0 +1,26 @@
+swagger: '2.0'
+info:
+  version: "1.0.0"
+  title: ssrf-test
+
+consumes:
+  - application/json
+produces:
+  - application/json
+paths:
+  /devices:
+    get:
+      operationId: getDevices
+      responses:
+        '200':
+          description: All the devices
+          schema:
+            $ref: 'http://localhost/example'
+  /pets:
+    get:
+      operationId: getPets
+      responses:
+        '200':
+          description: All the pets
+          schema:
+            $ref: 'https://petstore.swagger.io/v2/swagger.json'
diff --git a/...es/swagger-parser/src/test/resources/safelyResolve/oas20SafeUrlResolvingWithPetstore.yaml b/...es/swagger-parser/src/test/resources/safelyResolve/oas20SafeUrlResolvingWithPetstore.yaml
@@ -0,0 +1,26 @@
+swagger: '2.0'
+info:
+  version: "1.0.0"
+  title: ssrf-test
+
+consumes:
+  - application/json
+produces:
+  - application/json
+paths:
+  /devices:
+    get:
+      operationId: getDevices
+      responses:
+        '200':
+          description: All the devices
+          schema:
+            $ref: 'https://petstore3.swagger.io/api/v3/openapi.json'
+  /pets:
+    get:
+      operationId: getPets
+      responses:
+        '200':
+          description: All the pets
+          schema:
+            $ref: 'https://petstore.swagger.io/v2/swagger.json'