Release new version (#221)

swisspost · Nov 15, 2024 · e9617d1 · e9617d1
2 parents ea41f84 + cf62581
commit e9617d1
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 <p align='right'>A <a href="https://developer.post.ch/">swisspost</a> project <a href="https://developer.post.ch/" border=0><img align="top"  src='https://avatars.githubusercontent.com/u/92710854?s=32&v=4'></a></p>
 <p align="center">
   <img src="https://cloud.githubusercontent.com/assets/692124/21751899/37cc152c-d5cf-11e6-97ac-a5811f48c070.png"/>
-</p>
+</p> 
 
 # Apikana
 

diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "apikana",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "description": "Integrated tools for REST API design - ｱﾋﾟ",
   "main": "index.js",
   "bin": {

diff --git a/src/deps/helper.js b/src/deps/helper.js
@@ -29,14 +29,18 @@ $ = function (f) {
 
     Handlebars.templates.signature = Handlebars.compile('{{sanitize signature}}');
 
-    var url = "../model/openapi/api.yaml";
-    if(window.location.search !="?url="+url) {
-        window.location.search = "?url="+url;
-    }
+    var url = new URL(window.location).searchParams.get('url')
+
     if (!url) {
         alert('Please specify the API to display using the "url" query parameter.\nE.g. ' + location.origin + location.pathname + '?url=/src/openapi/api.yaml');
         return;
     }
+
+    var fallbackUrl = "../model/openapi/api.yaml";
+    if(!isValidUrl(url)) {
+        window.location.search = "?url="+fallbackUrl;
+    }
+
     if (!window.fetch) {
         alert('Please use a Browser.\nIt should at least support "fetch".');
         return;
@@ -112,6 +116,22 @@ $ = function (f) {
         )
     }
 
+    function isValidUrl(referencedUrl){
+        // must be relative url
+        if(!referencedUrl.startsWith('../')){
+            return false;
+        }
+        // only allow referencing max two parent directories
+        var matches = referencedUrl.match(/\.\.\//g);
+        if(matches && matches.length > 2){
+            return false;
+        }
+
+        // additional check
+        var referencedAbsoluteUrl = getAbsoluteUrl(referencedUrl)
+        return new URL(referencedAbsoluteUrl).origin == new URL(location.href).origin
+    }
+
     function isLocalSchema(models, schema) {
         return _.any(models, function (m) {
             return normalize(schema.extra.filename) === normalize(m);