Merge branch 'v1' into Converting_Yes_No_On_Off_enum_values_without_q…

…uotes_to_booleans_problem

.github/workflows/maven-v1.yml

@@ -31,13 +31,20 @@ jobs:
       - name: Build with Maven, Deploy snapshot to maven central
         run: |
           mvn --no-transfer-progress -B verify --file pom.xml
-          export MY_POM_VERSION=`mvn -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
-          echo "POM VERSION" ${MY_POM_VERSION}
-          if [[ $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
+          export MY_JAVA_VERSION=`java -version 2>&1 | head -1 | cut -d'"' -f2 | sed '/^1\./s///' | cut -d'.' -f1`
+          echo "JAVA VERSION" ${MY_JAVA_VERSION}
+          if [[ ${MY_JAVA_VERSION} == "8" ]];
           then
-              mvn --no-transfer-progress -B clean deploy
+            export MY_POM_VERSION=`mvn -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
+            echo "POM VERSION" ${MY_POM_VERSION}
+            if [[ $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
+            then
+                mvn --no-transfer-progress -B clean deploy
+            else
+                echo "not deploying release: " ${MY_POM_VERSION}
+            fi
           else
-              echo "not deploying release: " ${MY_POM_VERSION}
+            echo "not deploying on java version: " ${MY_JAVA_VERSION}
           fi
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}

.github/workflows/next-snapshot-v1.yml

@@ -20,10 +20,10 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: 2.7
-    - name: Set up Java 8
+    - name: Set up Java 11
       uses: actions/setup-java@v1
       with:
-        java-version: 8
+        java-version: 11
         server-id: ossrh
         server-username: MAVEN_USERNAME
         server-password: MAVEN_PASSWORD
@@ -67,7 +67,7 @@ jobs:
       run: |
         . ./CI/post-nextsnap-v1.sh
     - name: Create Next Snapshot Pull Request
-      uses: peter-evans/create-pull-request@v2
+      uses: peter-evans/create-pull-request@v4
       if: env.RELEASE_OK == 'yes'
       with:
         token: ${{ steps.generate-token.outputs.token }}

.github/workflows/prepare-release-v1.yml

@@ -16,10 +16,10 @@ jobs:
       with:
         app_id: ${{ secrets.APP_ID }}
         private_key: ${{ secrets.APP_PRIVATE_KEY }}
-    - name: Set up Python 2.7
-      uses: actions/setup-python@v2
+    - name: Set up Python 3.10
+      uses: actions/setup-python@v4
       with:
-        python-version: 2.7
+        python-version: '3.10'
     - name: Set up Java 8
       uses: actions/setup-java@v1
       with:
@@ -49,7 +49,7 @@ jobs:
         echo "SC_VERSION=$SC_VERSION" >> $GITHUB_ENV
         echo "SC_NEXT_VERSION=$SC_NEXT_VERSION" >> $GITHUB_ENV
     - name: Create Prepare Release Pull Request
-      uses: peter-evans/create-pull-request@v2
+      uses: peter-evans/create-pull-request@v4
       if: env.PREPARE_RELEASE_OK == 'yes'
       with:
         token: ${{ steps.generate-token.outputs.token }}

.github/workflows/release-v1.yml

@@ -16,10 +16,10 @@ jobs:
       with:
         app_id: ${{ secrets.APP_ID }}
         private_key: ${{ secrets.APP_PRIVATE_KEY }}
-    - name: Set up Python 2.7
-      uses: actions/setup-python@v2
+    - name: Set up Python 3.10
+      uses: actions/setup-python@v4
       with:
-        python-version: 2.7
+        python-version: '3.10'
     - name: Set up Java 8
       uses: actions/setup-java@v1
       with:
@@ -71,7 +71,7 @@ jobs:
       run: |
         . ./CI/post-release-v1.sh
     - name: Create Next Snapshot Pull Request
-      uses: peter-evans/create-pull-request@v2
+      uses: peter-evans/create-pull-request@v4
       if: env.RELEASE_OK == 'yes'
       with:
         token: ${{ steps.generate-token.outputs.token }}

CI/ghApiClient.py

@@ -2,8 +2,8 @@
 
 import os
 import time
-import urllib2
-import httplib
+import urllib.request, urllib.error, urllib.parse
+import http.client
 import json
 
 GH_BASE_URL = "https://api.github.com/"
@@ -13,46 +13,47 @@
 
 def readUrl(name):
     try:
-        request = urllib2.Request(GH_BASE_URL + name)
+        request = urllib.request.Request(GH_BASE_URL + name)
         request.add_header("Authorization", GH_AUTH)
-        content = urllib2.urlopen(request).read()
+        content = urllib.request.urlopen(request).read()
         jcont = json.loads(content)
-        return jcont;
-    except urllib2.HTTPError, e:
-        print 'HTTPError = ' + str(e.code)
+        return jcont
+    except urllib.error.HTTPError as e:
+        print(('HTTPError = ' + str(e.code)))
         raise e
-    except urllib2.URLError, e:
-        print 'URLError = ' + str(e.reason)
+    except urllib.error.URLError as e:
+        print(('URLError = ' + str(e.reason)))
         raise e
-    except httplib.HTTPException, e:
-        print 'HTTPException = ' + str(e)
+    except http.client.HTTPException as e:
+        print(('HTTPException = ' + str(e)))
         raise e
     except Exception:
         import traceback
-        print 'generic exception: ' + traceback.format_exc()
+        print(('generic exception: ' + traceback.format_exc()))
         raise IOError
 
 def postUrl(name, body):
     global GH_BASE_URL
     try:
         time.sleep(0.05)
-        request = urllib2.Request(GH_BASE_URL + name)
+        request = urllib.request.Request(GH_BASE_URL + name)
         request.add_header("Authorization", GH_AUTH)
         request.add_header("Accept", "application/vnd.github.v3+json")
-        content = urllib2.urlopen(request, body).read()
+        data = body.encode('utf-8')
+        content = urllib.request.urlopen(request, data).read()
         jcont = json.loads(content)
-        return jcont;
-    except urllib2.HTTPError, e:
-        print 'HTTPError = ' + str(e.code)
-        print str(e)
+        return jcont
+    except urllib.error.HTTPError as e:
+        print(('HTTPError = ' + str(e.code)))
+        print((str(e)))
         raise e
-    except urllib2.URLError, e:
-        print 'URLError = ' + str(e.reason)
+    except urllib.error.URLError as e:
+        print(('URLError = ' + str(e.reason)))
         raise e
-    except httplib.HTTPException, e:
-        print 'HTTPException = ' + str(e)
+    except http.client.HTTPException as e:
+        print(('HTTPException = ' + str(e)))
         raise e
     except Exception:
         import traceback
-        print 'generic exception: ' + traceback.format_exc()
+        print(('generic exception: ' + traceback.format_exc()))
         raise IOError

CI/lastReleaseV1.py

@@ -13,7 +13,8 @@ def getLastReleaseTag():
 # main
 def main():
     result = getLastReleaseTag()
-    print result
+    print(result)
 
 # here start main
 main()
+

CI/publishReleaseV1.py

@@ -25,3 +25,4 @@ def main(tag):
 
 # here start main
 main(sys.argv[1])
+

CI/releaseNotesV1.py

@@ -12,13 +12,13 @@ def allPulls(releaseDate):
     baseurl = "https://api.github.com/repos/swagger-api/swagger-parser/pulls/"
     content = ghApiClient.readUrl('repos/swagger-api/swagger-parser/pulls?state=closed&base=v1&per_page=100')
     for l in content:
-      stripped = l["url"][len(baseurl):]
-      mergedAt = l["merged_at"]
-      if mergedAt is not None:
-          if datetime.strptime(mergedAt, '%Y-%m-%dT%H:%M:%SZ') > releaseDate:
-              if not l['title'].startswith("bump snap"):
-                result += '\n'
-                result += "* " + l['title'] + " (#" + stripped + ")"
+        stripped = l["url"][len(baseurl):]
+        mergedAt = l["merged_at"]
+        if mergedAt is not None:
+            if datetime.strptime(mergedAt, '%Y-%m-%dT%H:%M:%SZ') > releaseDate:
+                if not l['title'].startswith("bump snap"):
+                    result += '\n'
+                    result += "* " + l['title'] + " (#" + stripped + ")"
     return result
 
 
@@ -49,3 +49,4 @@ def main(last_release, release_title, tag):
 
 # here start main
 main(sys.argv[1], sys.argv[2], sys.argv[3])
+

README.md

@@ -118,7 +118,7 @@ You can include this library from Sonatype OSS for SNAPSHOTS, or Maven central f
 <dependency>
   <groupId>io.swagger</groupId>
   <artifactId>swagger-parser</artifactId>
-  <version>1.0.59</version>
+  <version>1.0.69</version>
 </dependency>
 
 ```
@@ -128,7 +128,7 @@ To add swagger parsing support for older versions of swagger, add the `compat` m
 <dependency>
   <groupId>io.swagger</groupId>
   <artifactId>swagger-compat-spec-parser</artifactId>
-  <version>1.0.59</version>
+  <version>1.0.69</version>
 </dependency>
 
 ```

modules/swagger-compat-spec-parser/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>io.swagger</groupId>
         <artifactId>swagger-parser-project</artifactId>
-        <version>1.0.60-SNAPSHOT</version>
+        <version>1.0.70-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
@@ -62,7 +62,7 @@
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
+            <version>4.5.14</version>
         </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>

modules/swagger-parser-safe-url-resolver/README.md

@@ -0,0 +1,71 @@
+# Swagger Parser Safe URL Resolver
+
+The `swagger-parser-safe-url-resolver` is a library used for verifying that the hostname of URLs does not resolve to a private/restricted IPv4/IPv6 address range.     
+This library can be used in services that deal with user-submitted URLs that get fetched (like in swagger-parser when resolving external URL $refs) to protect against Server-Side Request Forgery and DNS rebinding attacks.
+
+## How does it work?  
+The main class of the package is the `PermittedUrlsChecker` which has one method: `verify(String url)`.  
+This method takes in a string URL and performs the following steps:
+
+1. Gets the hostname portion from the URL  
+2. Resolves the hostname to an IP address
+3. Checks if that IP address is in a private/restricted IP address range (and throws an exception if it is)
+4. Returns a `ResolvedUrl` object which contains   
+  4.1. `String url` where the original URL has the hostname replaced with the IP address  
+  4.2. A `String hostHeader` which contains the hostname from the original URL to be added as a host header  
+
+This behavior can also be customized with the allowlist and denylist in the constructor, whereby:
+
+- An entry in the allowlist will allow the URL to pass even if it resolves to a private/restricted IP address
+- An entry in the denylist will throw an exception even when the URL resolves to a public IP address
+
+## Installation
+Add the following to you `pom.xml` file under `dependencies`
+```xml
+<dependency>
+    <groupId>io.swagger.parser.v3</groupId>
+    <artifactId>swagger-parser-safe-url-resolver</artifactId>
+    // version of swagger-parser being used
+    <version>2.1.14</version> 
+</dependency>
+```
+
+## Example usage
+
+```java
+import io.swagger.v3.parser.urlresolver.PermittedUrlsChecker;
+import io.swagger.v3.parser.urlresolver.exceptions.HostDeniedException;
+import io.swagger.v3.parser.urlresolver.models.ResolvedUrl;
+
+import java.util.List;
+
+public class Main {
+    public static void main() {
+        List<String> allowlist = List.of("mysite.local");
+        List<String> denylist = List.of("*.example.com:443");
+        var checker = new PermittedUrlsChecker(allowlist, denylist);
+
+        try {
+            // Will throw a HostDeniedException as `localhost`  
+            // resolves to local IP and is not in allowlist
+            checker.verify("http://localhost/example");
+
+            // Will return a ResolvedUrl if `github.com` 
+            // resolves to a public IP
+            checker.verify("https://github.com/swagger-api/swagger-parser");
+
+            // Will throw a HostDeniedException as `*.example.com` is 
+            // explicitly deny listed, even if it resolves to public IP
+            checker.verify("https://subdomain.example.com/somepage");
+
+            // Will return a `ResolvedUrl` as `mysite.local` 
+            // is explicitly allowlisted
+            ResolvedUrl resolvedUrl = checker.verify("http://mysite.local/example");
+            System.out.println(resolvedUrl.getUrl()); // "http://127.0.0.1/example"
+            System.out.println(resolvedUrl.getHostHeader()); // "mysite.local"
+        } catch (HostDeniedException e) {
+            e.printStackTrace();
+        }
+    }
+}
+```

modules/swagger-parser-safe-url-resolver/pom.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>io.swagger</groupId>
+        <artifactId>swagger-parser-project</artifactId>
+        <version>1.0.70-SNAPSHOT</version>
+        <relativePath>../..</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>swagger-parser-safe-url-resolver</artifactId>
+    <packaging>jar</packaging>
+    <name>swagger-parser-safe-url-resolver</name>
+    <dependencies>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>${commons-io-version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>${slf4j-version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testng</groupId>
+            <artifactId>testng</artifactId>
+            <version>${testng-version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit-version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.jmockit</groupId>
+            <artifactId>jmockit</artifactId>
+            <version>${jmockit-version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>