feat(oas3): validate parameter name according to location (#213)

Author: klokane

packages/fury-adapter-oas3-parser/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Fury OAS3 Parser Changelog
 
+## master
+
+### Enhancements
+
+- validate 'Parameter object' 'name' according to location ('in' parmaeter)
+
 ## 0.7.3 (2019-04-05)
 
 ### Bug Fixes

packages/fury-adapter-oas3-parser/lib/parser/oas/parseParameterObject.js

@@ -29,8 +29,15 @@ const isSupportedIn = R.anyPass([
 ]);
 
 const unreservedCharacterRegex = /^[A-z0-9\\.\\_\\~\\-]+$/;
-function nameContainsReservedCharacter(member) {
-  return !unreservedCharacterRegex.test(member.value.toValue());
+const reservedHeaderNamesRegex = /Accept|Content-Type|Authorization/i;
+
+const encodeQueryName = name => encodeURIComponent(name)
+  .replace(/[!'()*]/g, c => `%${c.charCodeAt(0).toString(16).toUpperCase()}`) //  as sugested by https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent#Description
+  .replace(/%25([0-9a-f]{2})/gi, (match, hex) => `%${hex}`); // revert double encoded sequences
+
+
+function nameContainsReservedCharacter(parameter) {
+  return !unreservedCharacterRegex.test(parameter.get('name').toValue());
 }
 
 function validateRequiredForPathParameter(context, object, parameter) {
@@ -81,14 +88,7 @@ function parseParameterObject(context, object) {
     validateIn,
     ensureSupportedIn);
 
-  const createUnsupportedNameError = R.compose(
-    createError(namespace, `'${name}' 'name' contains unsupported characters. Only alphanumeric characters are currently supported`),
-    getValue
-  );
-  const validateName = R.when(nameContainsReservedCharacter, createUnsupportedNameError);
-  const parseName = pipeParseResult(namespace,
-    parseString(context, name, true),
-    validateName);
+  const parseName = pipeParseResult(namespace, parseString(context, name, true));
 
   const parseMember = R.cond([
     [hasKey('name'), parseName],
@@ -106,11 +106,34 @@ function parseParameterObject(context, object) {
     [R.T, createInvalidMemberWarning(namespace, name)],
   ]);
 
-  const isPathParameter = parameter => parameter.getValue('in') === 'path';
+  const createUnsupportedNameError = createError(namespace, `'${name}' 'name' contains unsupported characters. Only alphanumeric characters are currently supported`);
+
+  const createReservedHeaderNamesWarning = createWarning(namespace, `'${name}' 'name' in location 'header' should not be 'Accept', 'Content-Type' or 'Authorization'`);
+
+  const hasLocation = R.curry((location, parameter) => parameter.getValue('in') === location);
+
+  const validatePathName = R.when(nameContainsReservedCharacter, createUnsupportedNameError);
+
+  const nameContainsReservedHeaderName = parameter => parameter.get('name')
+    .toValue()
+    .match(reservedHeaderNamesRegex);
+
+  const sanitizeQueryName = (parameter) => {
+    const name = parameter.get('name');
+    name.content = encodeQueryName(name.toValue());
+    return parameter;
+  };
+
+  const validateHeaderName = pipeParseResult(namespace,
+    R.when(nameContainsReservedCharacter, createUnsupportedNameError),
+    R.when(nameContainsReservedHeaderName, createReservedHeaderNamesWarning));
 
   const parseParameter = pipeParseResult(namespace,
     parseObject(context, name, parseMember, requiredKeys),
-    R.when(isPathParameter, R.curry(validateRequiredForPathParameter)(context, object)),
+    R.when(hasLocation('path'), R.curry(validateRequiredForPathParameter)(context, object)),
+    R.when(hasLocation('path'), validatePathName),
+    R.when(hasLocation('query'), sanitizeQueryName),
+    R.when(hasLocation('header'), validateHeaderName),
     (parameter) => {
       const example = parameter.get('example');
       const member = new namespace.elements.Member(parameter.get('name'), example);

packages/fury-adapter-oas3-parser/test/unit/parser/oas/parseOperationObject-test.js

@@ -384,9 +384,9 @@ describe('Operation Object', () => {
         const operation = new namespace.elements.Member('get', {
           parameters: [
             {
-              name: 'Accept',
+              name: 'X-RateLimit-Limit',
               in: 'header',
-              example: 'application/json',
+              example: 3,
             },
           ],
           responses: {
@@ -410,8 +410,8 @@ describe('Operation Object', () => {
         expect(request.headers).to.be.instanceof(namespace.elements.HttpHeaders);
         expect(request.headers.toValue()).to.deep.equal([
           {
-            key: 'Accept',
-            value: 'application/json',
+            key: 'X-RateLimit-Limit',
+            value: 3,
           },
         ]);
       });
@@ -439,7 +439,9 @@ describe('Operation Object', () => {
 
         const parseResult = parse(context, path, operation);
 
-        expect(parseResult.length).to.equal(1);
+        expect(parseResult.length).to.equal(2);
+
+        expect(parseResult).to.contain.warning('\'Parameter Object\' \'name\' in location \'header\' should not be \'Accept\', \'Content-Type\' or \'Authorization\'');
 
         const transition = parseResult.get(0);
         expect(transition).to.be.instanceof(namespace.elements.Transition);
@@ -459,11 +461,6 @@ describe('Operation Object', () => {
       it('merges headers with operation headers', () => {
         const operation = new namespace.elements.Member('post', {
           parameters: [
-            {
-              name: 'Content-Type',
-              in: 'header',
-              example: 'application/json',
-            },
             {
               name: 'Link',
               in: 'header',

packages/fury-adapter-oas3-parser/test/unit/parser/oas/parseParameterObject-test.js

@@ -36,12 +36,11 @@ describe('Parameter Object', () => {
     it('provides an error when name contains unsupported characters', () => {
       const parameter = new namespace.elements.Object({
         name: 'hello!',
-        in: 'query',
+        in: 'path',
       });
 
       const parseResult = parse(context, parameter);
 
-      expect(parseResult.length).to.equal(1);
       expect(parseResult).to.contain.error("'Parameter Object' 'name' contains unsupported characters. Only alphanumeric characters are currently supported");
     });
 
@@ -62,6 +61,92 @@ describe('Parameter Object', () => {
       expect(parseResult.get(0)).to.be.instanceof(namespace.elements.Member);
       expect(parseResult.get(0).key.toValue()).to.equal(unreserved);
     });
+
+    it('auto pct-encode reserved chars in query name', () => {
+      const reserved = '!*\'();:@&=+$,?%#[]';
+      const encoded = '%21%2A%27%28%29%3B%3A%40%26%3D%2B%24%2C%3F%25%23%5B%5D';
+
+      const parameter = new namespace.elements.Object({
+        name: reserved,
+        in: 'query',
+      });
+
+      const parseResult = parse(context, parameter);
+
+      expect(parseResult.length).to.equal(1);
+      expect(parseResult.get(0)).to.be.instanceof(namespace.elements.Member);
+      expect(parseResult.get(0).key.toValue()).to.equal(encoded);
+    });
+
+    it('avoid double encoding pct-encode in query name', () => {
+      const input = 'user%5bname%5d';
+
+      const parameter = new namespace.elements.Object({
+        name: input,
+        in: 'query',
+      });
+
+      const parseResult = parse(context, parameter);
+
+      expect(parseResult.length).to.equal(1);
+      expect(parseResult.get(0)).to.be.instanceof(namespace.elements.Member);
+      expect(parseResult.get(0).key.toValue()).to.equal(input);
+    });
+
+    it('allows header name to contain unreserved characters', () => {
+      const alpha = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+      const digit = '0123456789';
+      const unreserved = `${alpha}${digit}-._~`;
+
+      const parameter = new namespace.elements.Object({
+        name: unreserved,
+        in: 'header',
+      });
+
+      const parseResult = parse(context, parameter);
+
+      expect(parseResult.length).to.equal(1);
+      expect(parseResult.get(0)).to.be.instanceof(namespace.elements.Member);
+      expect(parseResult.get(0).key.toValue()).to.equal(unreserved);
+    });
+
+    describe('headers name do not allows reserved words', () => {
+      it('does not allow `Accept`', () => {
+        const parameter = new namespace.elements.Object({
+          name: 'accept',
+          in: 'header',
+        });
+
+        const parseResult = parse(context, parameter);
+
+        expect(parseResult.length).to.equal(1);
+        expect(parseResult).to.contain.warning('\'Parameter Object\' \'name\' in location \'header\' should not be \'Accept\', \'Content-Type\' or \'Authorization\'');
+      });
+
+      it('does not allow `Content-Type`', () => {
+        const parameter = new namespace.elements.Object({
+          name: 'Content-Type',
+          in: 'header',
+        });
+
+        const parseResult = parse(context, parameter);
+
+        expect(parseResult.length).to.equal(1);
+        expect(parseResult).to.contain.warning('\'Parameter Object\' \'name\' in location \'header\' should not be \'Accept\', \'Content-Type\' or \'Authorization\'');
+      });
+
+      it('does not allow `Authorization', () => {
+        const parameter = new namespace.elements.Object({
+          name: 'AUTHORIZATION',
+          in: 'header',
+        });
+
+        const parseResult = parse(context, parameter);
+
+        expect(parseResult.length).to.equal(1);
+        expect(parseResult).to.contain.warning('\'Parameter Object\' \'name\' in location \'header\' should not be \'Accept\', \'Content-Type\' or \'Authorization\'');
+      });
+    });
   });
 
   describe('#in', () => {

packages/fury-adapter-oas3-parser/test/unit/parser/oas/parsePathItemObject-test.js

@@ -290,9 +290,9 @@ describe('Path Item Object', () => {
         const path = new namespace.elements.Member('/', {
           parameters: [
             {
-              name: 'Accept',
+              name: 'X-RateLimit-Limit',
               in: 'header',
-              example: 'application/json',
+              example: 3,
             },
           ],
           get: {
@@ -318,8 +318,8 @@ describe('Path Item Object', () => {
         expect(request.headers).to.be.instanceof(namespace.elements.HttpHeaders);
         expect(request.headers.toValue()).to.deep.equal([
           {
-            key: 'Accept',
-            value: 'application/json',
+            key: 'X-RateLimit-Limit',
+            value: 3,
           },
         ]);
       });
@@ -328,17 +328,17 @@ describe('Path Item Object', () => {
         const path = new namespace.elements.Member('/', {
           parameters: [
             {
-              name: 'Accept',
+              name: 'X-RateLimit-Limit',
               in: 'header',
-              example: 'application/json',
+              example: 3,
             },
           ],
           get: {
             parameters: [
               {
-                name: 'Accept',
+                name: 'X-RateLimit-Limit',
                 in: 'header',
-                example: 'application/problem+json',
+                example: 5,
               },
             ],
             responses: {
@@ -363,8 +363,8 @@ describe('Path Item Object', () => {
         expect(request.headers).to.be.instanceof(namespace.elements.HttpHeaders);
         expect(request.headers.toValue()).to.deep.equal([
           {
-            key: 'Accept',
-            value: 'application/problem+json',
+            key: 'X-RateLimit-Limit',
+            value: 5,
           },
         ]);
       });
@@ -373,9 +373,9 @@ describe('Path Item Object', () => {
         const path = new namespace.elements.Member('/', {
           parameters: [
             {
-              name: 'Accept',
+              name: 'X-RateLimit-Limit',
               in: 'header',
-              example: 'application/json',
+              example: 3,
             },
           ],
           get: {
@@ -412,8 +412,8 @@ describe('Path Item Object', () => {
             value: '<https://api.github.com/user/repos?page=3&per_page=100>; rel="next"',
           },
           {
-            key: 'Accept',
-            value: 'application/json',
+            key: 'X-RateLimit-Limit',
+            value: 3,
           },
         ]);
       });