From ddde105acaf0a77b0bb5d13df5fd6180bc8169e9 Mon Sep 17 00:00:00 2001
From: Roman Hotsiy
Date: Mon, 5 Sep 2022 22:04:33 -0500
Subject: [PATCH] fix: add hard limit on deref depth to prevent crashes

---
 src/services/OpenAPIParser.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/services/OpenAPIParser.ts b/src/services/OpenAPIParser.ts
index 84fdd677..61a755d5 100644
--- a/src/services/OpenAPIParser.ts
+++ b/src/services/OpenAPIParser.ts
@@ -5,6 +5,8 @@ import { JsonPointer } from '../utils/JsonPointer';
 import { RedocNormalizedOptions } from './RedocNormalizedOptions';
 import type { MergedOpenAPISchema } from './types';
 
+const MAX_DEREF_DEPTH = 999; // prevent circular detection crashes by adding hard limit on deref depth
+
 /**
  * Loads and keeps spec. Provides raw spec operations
  */
@@ -103,7 +105,7 @@ export class OpenAPIParser {
       }
 
       let refsStack = baseRefsStack;
-      if (baseRefsStack.includes(obj.$ref)) {
+      if (baseRefsStack.includes(obj.$ref) || baseRefsStack.length > MAX_DEREF_DEPTH) {
         resolved = Object.assign({}, resolved, { 'x-circular-ref': true });
       } else if (this.isRef(resolved)) {
         const res = this.deref(resolved, baseRefsStack, mergeAsAllOf);
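Review bot: The trailing comment on the new MAX_DEREF_DEPTH constant names the symptom but not what the bound limits or why 999 was chosen, so a maintainer cannot tell whether it is safe to raise or lower. The crash it prevents is presumably the JS call stack overflowing on the recursive this.deref call in the second hunk; JavaScript engines expose no stack size, so 999 is a heuristic that may still overflow on a runtime with a smaller default stack, which is worth confirming with a spec whose $ref chain is exactly that deep. I would replace the comment with a doc comment: `/** Hard cap on $ref chain depth. Chains deeper than this are marked circular in deref() instead of recursing until the call stack overflows. 999 is a heuristic, not an engine limit. */`.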
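Review bot: The depth guard on the changed `if` line silently mislabels a deep but non-circular $ref chain as `x-circular-ref`, so a spec that trips the cap renders exactly like a genuinely circular one with no indication that resolution was cut short. I would compute the condition once and emit a warning before the existing assignment: `const tooDeep = baseRefsStack.length > MAX_DEREF_DEPTH;` and `if (tooDeep) console.warn('$ref chain at ' + obj.$ref + ' exceeds MAX_DEREF_DEPTH; treating as circular');`, then test `tooDeep || baseRefsStack.includes(obj.$ref)`, which also skips the O(depth) includes scan once the cap is hit. Note that this bounds only recursion depth; fan-out from many sibling refs or allOf merges at each level is not limited by this change, though whether that matters in practice cannot be judged from the hunk. The enclosing deref method starts and ends outside the hunk.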