Fix dangerous destructuration in typescript-nestjs services #20157

Merged
merged 5 commits into from
Dec 3, 2024

GregoryMerlet
Contributor

Closes #20156

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • Run the following to build the project and update samples:
    ./mvnw clean package || exit
    ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
    ./bin/utils/export_docs_generators.sh || exit
    
    (For Windows users, please run the script in Git BASH)
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
  • File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

TypeScript committee members: @TiFu (2017/07) @taxpon (2017/07) @sebastianhaas (2017/07) @kenisteward (2017/07) @Vrolijkx (2017/09) @macjohnny (2018/01) @topce (2018/10) @akehir (2019/07) @petejohansonxo (2019/11) @amakhrov (2020/02) @davidgamero (2022/03) @mkusaka (2022/04) @joscha (2024/10)

Contributor

@joscha joscha left a comment

Can we add an example resource that shows this behavior and ideally also fails the type check if this is ever broken again? I think this is quite fragile and from time to time people might destructure without thinking about reserved names, so it would be good to cover it with a resource that has some reserved words as parameters?

@GregoryMerlet
Contributor Author

GregoryMerlet commented Nov 21, 2024

@joscha I've updated with a new sample that should break in case of destructuration. Let me know if there's more to add/change 😃

* @type {string}
* @memberof DefaultServiceTestReservedParamNames
*/
readonly from: string

Contributor

Are these not expected to be quoted? I think some other models also use a sanitized name prefixed with a _ - @macjohnny ?

Contributor Author

I'm not sure I understand what you mean by quoted here.

Contributor

Sorry, like this: https://stackoverflow.com/questions/43124403/is-there-a-way-to-escape-and-use-reserved-words-in-typescript-class-definitions

And an example of the (automatically added) prefix: https://github.com/planet-a-ventures/affinity-node/blob/main/src%2Fv2%2Fgenerated%2Fmodels%2FEmail.ts#L33

You can see that the properties in the typescript generator are also all quoted by default.

Contributor Author

I've added the quotes.
I saw how sanitized names work with the reservedWords Set, I'm not sure from should be considered as a reserved word here as it's not a problem anymore after the modifications. But if you confirm you want it added to the reservedWords I can add it.

Member

in general it's better to add to the reserved keywords instead of the modifications you suggest, since there are many places where variables are used, so the code change is rather extensive and complicates the templates.

Member

the reserved keyword would be instead of the quotes, which will prefix the variable with an underscore, e.g. _from. however, for the model this makes it differ from what the server actually sends, so probably for the model the quotes are fine. i would suggest to keep this PR as small as possible and only fix one thing at a time, to make it easier to review

Contributor Author

From what I understand, if we add it to the reserved keywords it will be changed in the model too. Or is there a way to get a non-sanitized name in the model?

Member

you are right, adding to the reserved keywords changes it for the model as well. you could apply the same as in

{{#isReadOnly}}readonly {{/isReadOnly}}{{#hasSanitizedName}}'{{{baseName}}}'{{/hasSanitizedName}}{{^hasSanitizedName}}{{{name}}}{{/hasSanitizedName}}{{^required}}?{{/required}}: {{#isEnum}}{{{datatypeWithEnum}}}{{/isEnum}}{{^isEnum}}{{{dataType}}}{{/isEnum}}{{#isNullable}} | null{{/isNullable}};

Contributor Author

Ok, thank you! I will adapt my changes as soon as possible.

Contributor Author

It should be better now 😃

@@ -106,7 +106,7 @@ export class {{classname}} {
{{#useSingleRequestParameter}}
const {
{{#allParams}}
{{paramName}},
{{#hasSanitizedName}}'{{{baseName}}}': {{/hasSanitizedName}}{{paramName}},
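
Review bot: On the added `'{{{baseName}}}': ` line, the triple-mustache `baseName` is written unescaped between single quotes, so a parameter name from the spec that contains `'` or `\` would end the string literal early and the rest of the name would be emitted as code in the generated service. Either escape the value for a single-quoted TypeScript string before it reaches the template, or confirm that names containing those characters are rejected earlier. A short template comment saying that the quoted key keeps the wire name while `{{paramName}}` is the sanitized local name would also help, since the pattern reads like an object literal at first glance.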

Member

this is not an object, but destructuring the request parameters, please revert this change

Contributor Author

I know, it's to keep the request parameter with the original names while renaming the params in this method to avoid conflicts with existing properties.
In the end it looks like this:

const {
    notReserved,
    'from': _from,
    'headers': _headers,
} = requestParameters;
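
The renaming pattern from the comment above, as an added TypeScript illustration that is not part of the pull request or of openapi-generator. `RESERVED`, `localName`, `renderDestructuring` and `buildRequest` are hypothetical names, and the method-local `headers` variable is an assumption about what the destructured name would collide with; names outside `RESERVED` are assumed to be valid identifiers.

```typescript
// Added illustration, not code from openapi-generator. RESERVED and the
// function names are hypothetical; `from` and `headers` are the parameter
// names discussed in the thread.
const RESERVED = new Set<string>(["from", "headers"]);

// Local identifier for a parameter: prefix an underscore when the wire name
// would collide with a name the service method already uses.
function localName(baseName: string): string {
  return RESERVED.has(baseName) ? `_${baseName}` : baseName;
}

// Emit the destructuring statement. A renamed entry keeps the wire name as a
// quoted key; JSON.stringify escapes quotes and backslashes inside that key,
// so the key cannot terminate its own string literal.
function renderDestructuring(baseNames: string[]): string {
  const entries = baseNames.map((baseName) => {
    const local = localName(baseName);
    return local === baseName
      ? `    ${baseName},`
      : `    ${JSON.stringify(baseName)}: ${local},`;
  });
  return ["const {", ...entries, "} = requestParameters;"].join("\n");
}

// Runtime behaviour of the emitted pattern: callers still pass the original
// keys, while the method body only sees the prefixed locals.
function buildRequest(requestParameters: {
  notReserved: string;
  from: string;
  headers: string;
}) {
  // The method's own variable (assumed); it is no longer shadowed.
  const headers: Record<string, string> = { Accept: "application/json" };
  const { notReserved, "from": _from, "headers": _headers } = requestParameters;
  headers["X-Custom"] = _headers;
  return { headers, query: { notReserved, from: _from } };
}
```
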

Member

ah i see, i didn't know this is possible

@@ -265,6 +269,34 @@ private boolean isLanguageGenericType(String type) {
return false;
}

@Override
public List<CodegenParameter> fromRequestBodyToFormParameters(RequestBody body, Set<String> imports) {
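
Review bot: The new `fromRequestBodyToFormParameters` override has no Javadoc, and nothing in the signature says what it does differently from the parent implementation. Add a comment stating why this generator needs its own version and which fields of the returned `CodegenParameter` objects it changes, so the reason survives later refactoring of the parent class.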

Member

please separate this change of parameters into a separate PR. also, is there an easier way than to extend CodegenParameter?

Contributor Author

I was inspired by the typescript-fetch generator. If you know a better way to do it I can make the changes.

Member

ah i see. the risk is just that whenever new properties are added to the CodegenParameter, we will probably forget to add them here. can this be automated/avoided somehow?

Contributor Author

I see uses of param.vendorExtensions in other generators:

Do you think it would be a better approach as it doesn't require extending CodegenParameter?

Member

oh that sounds compelling, yes please try if that works!

Contributor Author

Done! It works as well 😃

Member

thanks!
are you motivated to also do that for the typescript-fetch generator in a separate PR?

Contributor Author

You mean using vendorExtensions instead of extending CodegenParameter? Or keeping original names in requestParameters interfaces? Or both maybe? 😃

@macjohnny macjohnny merged commit cf78f10 into OpenAPITools:master Dec 3, 2024
27 checks passed
@GregoryMerlet GregoryMerlet deleted the fix_issue_20156 branch December 9, 2024 12:58
@wing328 wing328 added this to the 7.11.0 milestone Dec 17, 2024
Development

Successfully merging this pull request may close these issues.

[BUG][typescript-nestjs] Destructuring requestParameters break generated service
4 participants