fix: add hard limit on deref depth to prevent crashes

Roman Hotsiy 2022-09-05 22:04:33 -05:00 committed by Alex Varchuk
parent bb325d0d28
commit ddde105aca


@ -5,6 +5,8 @@ import { JsonPointer } from '../utils/JsonPointer';
import { RedocNormalizedOptions } from './RedocNormalizedOptions'; import { RedocNormalizedOptions } from './RedocNormalizedOptions';
import type { MergedOpenAPISchema } from './types'; import type { MergedOpenAPISchema } from './types';
const MAX_DEREF_DEPTH = 999; // prevent circular detection crashes by adding hard limit on deref depth
/** /**
* Loads and keeps spec. Provides raw spec operations * Loads and keeps spec. Provides raw spec operations
*/ */
@ -103,7 +105,7 @@ export class OpenAPIParser {
} }
let refsStack = baseRefsStack; let refsStack = baseRefsStack;
if (baseRefsStack.includes(obj.$ref)) { if (baseRefsStack.includes(obj.$ref) || baseRefsStack.length > MAX_DEREF_DEPTH) {
resolved = Object.assign({}, resolved, { 'x-circular-ref': true }); resolved = Object.assign({}, resolved, { 'x-circular-ref': true });
} else if (this.isRef(resolved)) { } else if (this.isRef(resolved)) {
const res = this.deref(resolved, baseRefsStack, mergeAsAllOf); const res = this.deref(resolved, baseRefsStack, mergeAsAllOf);
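Review bot: The new `baseRefsStack.length > MAX_DEREF_DEPTH` test bounds recursion only if the stack grows on every level, but the recursive call in the `else if (this.isRef(resolved))` branch passes `baseRefsStack` unchanged, so within the visible lines a `$ref` that resolves to another `$ref` is not counted against the limit. The rest of `deref` lies outside the hunk, so confirm where the stack is extended; if that happens only after the recursive call returns, an explicit depth counter or `this.deref(resolved, [...baseRefsStack, obj.$ref], mergeAsAllOf)` would make the guard effective when rendering untrusted specs that contain alias chains or alias cycles. Separately, reaching the limit sets `'x-circular-ref': true` on a schema that may be deep but acyclic; a distinct marker, or a comment on `MAX_DEREF_DEPTH` stating that truncation is reported as circular, would keep consumers from misreading the flag.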