Merge pull request #2330 from microsoft/fix/additional-security

baywet · web-flow · commit 57ad85f17b1c · 2025-04-17T09:10:36.000-04:00
fix/additional security
diff --git a/src/Microsoft.OpenApi/Models/OpenApiParameter.cs b/src/Microsoft.OpenApi/Models/OpenApiParameter.cs
@@ -165,50 +165,25 @@ internal void SerializeInternal(IOpenApiWriter writer, OpenApiSpecVersion versio
 
             writer.WriteEndObject();
         }
-
-        /// <inheritdoc/>
-        public void SerializeAsV2(IOpenApiWriter writer)
+        /// <summary>
+        /// Write the "in" property for V2 serialization.
+        /// </summary>
+        /// <param name="writer">Writer to use for the serialization</param>
+        internal virtual void WriteInPropertyForV2(IOpenApiWriter writer)
         {
-            Utils.CheckArgumentNull(writer);
-
-            writer.WriteStartObject();
-
-            // in
-            if (this is OpenApiFormDataParameter)
-            {
-                writer.WriteProperty(OpenApiConstants.In, "formData");
-            }
-            else if (this is OpenApiBodyParameter)
-            {
-                writer.WriteProperty(OpenApiConstants.In, "body");
-            }
-            else
-            {
-                writer.WriteProperty(OpenApiConstants.In, In?.GetDisplayName());
-            }
-
-            // name
-            writer.WriteProperty(OpenApiConstants.Name, Name);
-
-            // description
-            writer.WriteProperty(OpenApiConstants.Description, Description);
-
-            // required
-            writer.WriteProperty(OpenApiConstants.Required, Required, false);
-
-            // deprecated
-            writer.WriteProperty(OpenApiConstants.Deprecated, Deprecated, false);
-
-            var extensionsClone = Extensions is not null ? new Dictionary<string, IOpenApiExtension>(Extensions) : null;
+            writer.WriteProperty(OpenApiConstants.In, In?.GetDisplayName());
+        }
 
-            // schema
-            if (this is OpenApiBodyParameter)
-            {
-                writer.WriteOptionalObject(OpenApiConstants.Schema, Schema, (w, s) => s.SerializeAsV2(w));
-            }
+        /// <summary>
+        /// Write the request body schema for V2 serialization.
+        /// </summary>
+        /// <param name="writer">Writer to use for the serialization</param>
+        /// <param name="extensionsClone">Extensions clone</param>
+        internal virtual void WriteRequestBodySchemaForV2(IOpenApiWriter writer, Dictionary<string, IOpenApiExtension>? extensionsClone)
+        {
             // In V2 parameter's type can't be a reference to a custom object schema or can't be of type object
             // So in that case map the type as string.
-            else if (Schema is OpenApiSchemaReference { UnresolvedReference: true } || (Schema?.Type & JsonSchemaType.Object) == JsonSchemaType.Object)
+            if (Schema is OpenApiSchemaReference { UnresolvedReference: true } || (Schema?.Type & JsonSchemaType.Object) == JsonSchemaType.Object)
             {
                 writer.WriteProperty(OpenApiConstants.Type, "string");
             }
@@ -270,7 +245,34 @@ public void SerializeAsV2(IOpenApiWriter writer)
                     }
                 }
             }
+        }
+
+        /// <inheritdoc/>
+        public void SerializeAsV2(IOpenApiWriter writer)
+        {
+            Utils.CheckArgumentNull(writer);
+
+            writer.WriteStartObject();
+
+            // in
+            WriteInPropertyForV2(writer);
 
+            // name
+            writer.WriteProperty(OpenApiConstants.Name, Name);
+
+            // description
+            writer.WriteProperty(OpenApiConstants.Description, Description);
+
+            // required
+            writer.WriteProperty(OpenApiConstants.Required, Required, false);
+
+            // deprecated
+            writer.WriteProperty(OpenApiConstants.Deprecated, Deprecated, false);
+
+            var extensionsClone = Extensions is not null ? new Dictionary<string, IOpenApiExtension>(Extensions) : null;
+
+            // schema
+            WriteRequestBodySchemaForV2(writer, extensionsClone);
             //examples
             if (Examples != null && Examples.Any())
             {
@@ -315,12 +317,24 @@ public IOpenApiParameter CreateShallowCopy()
     /// </summary>
     internal class OpenApiBodyParameter : OpenApiParameter
     {
+        internal override void WriteRequestBodySchemaForV2(IOpenApiWriter writer, Dictionary<string, IOpenApiExtension>? extensionsClone)
+        {
+            writer.WriteOptionalObject(OpenApiConstants.Schema, Schema, (w, s) => s.SerializeAsV2(w));
+        }
+        internal override void WriteInPropertyForV2(IOpenApiWriter writer)
+        {
+            writer.WriteProperty(OpenApiConstants.In, "body");
+        }
     }
 
     /// <summary>
     /// Form parameter class to propagate information needed for <see cref="OpenApiParameter.SerializeAsV2"/>
     /// </summary>
     internal class OpenApiFormDataParameter : OpenApiParameter
     {
+        internal override void WriteInPropertyForV2(IOpenApiWriter writer)
+        {
+            writer.WriteProperty(OpenApiConstants.In, "formData");
+        }
     }
 }
diff --git a/src/Microsoft.OpenApi/Writers/FormattingStreamWriter.cs b/src/Microsoft.OpenApi/Writers/FormattingStreamWriter.cs
@@ -19,12 +19,13 @@ public class FormattingStreamWriter : StreamWriter
         public FormattingStreamWriter(Stream stream, IFormatProvider formatProvider)
             : base(stream)
         {
-            this.FormatProvider = formatProvider;
+            _formatProvider = formatProvider;
         }
+        private readonly IFormatProvider _formatProvider;
 
         /// <summary>
         /// The <see cref="IFormatProvider"/> associated with this <see cref="FormattingStreamWriter"/>.
         /// </summary>
-        public override IFormatProvider FormatProvider { get; }
+        public override IFormatProvider FormatProvider { get => _formatProvider; }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -19,12 +19,13 @@ public class FormattingStreamWriter : StreamWriter`
`19`	`19`	`public FormattingStreamWriter(Stream stream, IFormatProvider formatProvider)`
`20`	`20`	`: base(stream)`
`21`	`21`	`{`
`22`		`- this.FormatProvider = formatProvider;`
	`22`	`+ _formatProvider = formatProvider;`
`23`	`23`	`}`
	`24`	`+ private readonly IFormatProvider _formatProvider;`
`24`	`25`
`25`	`26`	`/// <summary>`
`26`	`27`	`/// The <see cref="IFormatProvider"/> associated with this <see cref="FormattingStreamWriter"/>.`
`27`	`28`	`/// </summary>`
`28`		`- public override IFormatProvider FormatProvider { get; }`
	`29`	`+ public override IFormatProvider FormatProvider { get => _formatProvider; }`
`29`	`30`	`}`
`30`	`31`	`}`