acacode/swagger-typescript-api

⚠️ Vulnerability (all versions): Unescaped characters from description

Opened this issue · 4 comments

Generates a broken ts file if the description in the swagger file contains a forward slash `*/`, like in this example **/information**

...
      summary: Get service point file of all Nordic countries (SE,FI,DK,NO).
      description: |-
        Get service point file of all Nordic countries (SE,FI,DK,NO) from S3 storage. You can download previous service point file upto 7 days from current date. This is equivalent to **/information** endpoint with parameters `countryCode:SE,FI,DK,NO` and `context:ALL` and header `Accept-Encoding:gzip`.

        Download the file using the URL in reponse.
...

Looks like I can inject some javascript using swagger docs only by adding something in a description: **/ alert(12) /**
So this issue can be converted to a security issue

A quick patch using patch-package can be applied

swagger-typescript-api+13.2.7.patch

@smorimoto - take a look please

The same issue applies to any other place, like summary, name, tags and so on
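Added example, not code from the issue or from swagger-typescript-api: a minimal JSDoc renderer that shows how a `*/` inside a Swagger description closes the generated comment block early, and an escaping step that prevents it. The sample description, function names and the check are my own constructions.

```typescript
// Constructed description text modelled on the one quoted in the issue:
// "**/information**" contains the two-character sequence "*/", which is the
// JSDoc comment terminator.
const SAMPLE_DESCRIPTION =
  "Get service point file of all Nordic countries (SE,FI,DK,NO). " +
  "This is equivalent to **/information** endpoint with parameters countryCode:SE,FI,DK,NO.";

// Naive rendering: the description is pasted into the JSDoc block verbatim.
// Anything after an embedded "*/" lands outside the comment, i.e. in code.
function renderJsDocUnsafe(text: string): string {
  const body = text.split("\n").join("\n * ");
  return `/**\n * ${body}\n */`;
}

// Mitigation: break every "*/" so it can no longer close the comment.
// "*\/" renders as "*/" in most doc tooling but is not a terminator for the
// TypeScript parser.
function escapeJsDoc(text: string): string {
  return text.replace(/\*\//g, "*\\/");
}

function renderJsDocSafe(text: string): string {
  return renderJsDocUnsafe(escapeJsDoc(text));
}

// Check a generated block: a well-formed JSDoc block contains exactly one
// "*/", the one the renderer appends. More than one means untrusted text
// escaped the comment.
function commentTerminatorCount(block: string): number {
  return block.split("*/").length - 1;
}

console.log(commentTerminatorCount(renderJsDocUnsafe(SAMPLE_DESCRIPTION))); // 2
console.log(commentTerminatorCount(renderJsDocSafe(SAMPLE_DESCRIPTION)));   // 1
```

The same escaping belongs on every field copied into generated comments (summary, name, tags), not only on description.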