networknt / openapi-parser
A light-weight, fast OpenAPI 3.0 parser and validator with minimum third party dependencies
License: Eclipse Public License 1.0
A lower version of Jackson has the CVE-2017-17485 deserialization flaw, which was found by one of our customers during security scanning.
It was introduced due to an unmatched release from Jackson core and it is not necessary now.
During the refactoring, I have removed the service dependency and it needs to be rolled back.
We send a message of spec1 and the message validates. When we send another message, a new OpenApiValidator object is created for spec2, but the message fails to validate.
OpenApiHelper is implemented as a singleton.
Since json-overlay is released along with light-4j, we are going to use the light-4j version for all networknt dependencies.
This is for the light-gateway case to allow validation for the adm endpoints.
The current pom depends on the older unmaintained javax.mail namespace
(Even though the README says this project does not depend on javax.mail)
    <dependency>
        <groupId>com.sun.mail</groupId>
        <artifactId>javax.mail</artifactId>
        <version>${version.javamail}</version>
    </dependency>
    <version.javamail>1.6.2</version.javamail>
I think we should either remove this dependency (to stay true to the README) or update to use the currently maintained jakarta.mail namespace
    <dependency>
        <artifactId>jakarta.mail</artifactId>
        <groupId>com.sun.mail</groupId>
    </dependency>
to handle the specification upload event. For each event, we need to reset the specification to parse the endpoints.
The KaiZen-OpenApi-Parser documentation sounds as if the "resolutionBase" can be left empty if the OAS3 is fully self-contained and no relative references are used:
https://github.com/RepreZen/KaiZen-OpenApi-Parser/blob/master/API-Overview.md
OpenApi3 parse(String model, URL resolutionBase) - parse a JSON or YAML string, with the given URL used for resolving any relative references encountered in the model. If resolutionBase is null, relative references will all fail resolution.
But calling the parse method without a resolutionBase leads to a NullPointerException:
java.lang.NullPointerException: Cannot invoke "java.net.URL.toString()" because "this.docUrl" is null
    at com.networknt.jsonoverlay.ReferenceManager.getDocReference(ReferenceManager.java:62)
    at com.networknt.oas.OpenApiParser.parse(OpenApiParser.java:95)
    at com.networknt.oas.OpenApiParser.parse(OpenApiParser.java:85)
    at com.networknt.oas.OpenApiParser.parse(OpenApiParser.java:35)
    at com.networknt.oas.OpenApi3Parser.parse(OpenApi3Parser.java:29)
    at com.networknt.oas.OpenApi3Parser.parse(OpenApi3Parser.java:1)
    at com.networknt.oas.OpenApiParser.parse(OpenApiParser.java:28)
    at com.networknt.oas.OpenApi3Parser.parse(OpenApi3Parser.java:24)
    at com.networknt.oas.StringParseTest.testSelfContainedOasSpec(StringParseTest.java:57)
Here is a short test that I wrote:
    public class StringParseTest {
        private final static String testTitle = "Test Title";
        private final static String testPath = "/test";
        // Self-contained OAS3 document (no $ref to external files)
        private final String oas3String = //
                "openapi: 3.0.0\n" //
                + "info:\n" //
                + "  title: " + testTitle + "\n" //
                + "  description: This is a description\n" //
                + "  version: 1.0.0\n" //
                + "servers:\n" //
                + "  - url: https://localhost:8080\n" //
                + "paths:\n" //
                + "  " + testPath + ":\n" //
                + "    get:\n" //
                + "      description: Some endpoint\n" //
                + "      operationId: testOps\n" //
                + "      responses:\n" //
                + "        '200':\n" //
                + "          description: Successful operation\n";

        @Test
        public void testSelfContainedOasSpec() throws Exception {
            // no need to pass a resolutionBase since the spec is self contained
            OpenApi3 oas3 = new OpenApi3Parser().parse(this.oas3String, null);
            assertEquals(testTitle, oas3.getInfo().getTitle());
            Map<String, Path> paths = oas3.getPaths();
            assertEquals(1, paths.size());
            assertEquals("/test", paths.entrySet().iterator().next().getKey());
        }
    }
Please also note that this is only one issue. It looks like there are more issues if I try to load more complicated OAS3 specs, like for instance here:
    @Test
    public void testYamlFileAsString() throws Exception {
        ClassLoader classLoader = ClassLoader.getSystemClassLoader();
        String oas3String;
        try (InputStream is = classLoader.getResourceAsStream("models/circular.yaml")) {
            assertNotNull(is);
            try (InputStreamReader isr = new InputStreamReader(is); BufferedReader reader = new BufferedReader(isr)) {
                oas3String = reader.lines().collect(Collectors.joining(System.lineSeparator()));
            }
        }
        assertNotNull(oas3String);
        OpenApi3 oas3 = new OpenApi3Parser().parse(oas3String, null);
        // check oas3 object ...
    }
The target repo has switched the default branch to the main from the master.
[WARNING]
[WARNING] Some problems were encountered while building the effective model for com.networknt:openapi-parser:jar:1.5.5
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-deploy-plugin is missing.
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]