Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Bump io.swagger.codegen.version from 2.4.11 to 2.4.21 #131

Open
wants to merge 1 commit into
base: api-history-2
Choose a base branch
from
Open

[Security] Bump io.swagger.codegen.version from 2.4.11 to 2.4.21 #131

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link

Bumps io.swagger.codegen.version from 2.4.11 to 2.4.21.
Updates swagger-codegen from 2.4.11 to 2.4.21 This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory

Impact

On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

Patches

Fix has been applied to the master branch with:

included in release: 2.4.19

... (truncated)

Affected versions: < 2.4.19

Sourced from The GitHub Security Advisory Database.

Generated Code Contains Local Information Disclosure Vulnerability

Impact

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!

On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

Patches

Fix has been applied to the master branch with:

... (truncated)

Affected versions: < 2.4.19

Release notes

Sourced from swagger-codegen's releases.

Swagger Codegen 2.4.21 has been released!

  • removed all non valid characters on project name (#11072)
  • fixes high memory consumption for big specs (#11071)
  • added missed data annotation on model properties (#11070)
  • fixed typo on README (#11050)
  • added option to allow use kebab file naming for typescript-angular (#11048)
  • Update readme file - add an entry companies list (#11017)
  • added option to change case for python generator. (#11019)
  • Fix code generation for Angular 10 (#10464)

Swagger Codegen 2.4.20 has been released!

[JavaSpring] Fixed Issue 9250 - Codegen for file datatype (#9490)

  • ref CVE-2020-25649 - jackson 2.11.4 (#10926)
  • added option to write a throwing exception for unknown enums values. (#10356)
  • Add new additional-property ignoreUnknownJacksonAnnotation to add a class level annotation @​JsonIgnoreProperties(ignoreUnknown = true) (#10953)
  • [Python] Fix #10948 wrong mode opened file fixed (#10949)
  • Go deni issue 10948 (#10957)
  • [go] object to interface code generator should never generate an interface pointer (#10932)
  • Fix code generation for Angular 10 (#10464)
  • Write mustache template to generate Protocol Oriented class file from swagger for Swift5 (#10868)
  • Update README.md (#10923)

Swagger Codegen 2.4.19 has been released!

  • ref CVE-2020-25649 - jackson 2.11.4 (#10926)
  • [csharp] masked EnumMember value in modelEnum (#8129)
  • Generator updates: sample updates and fixes (#10924)
  • Add option modelPropertyNaming to javascript generator (#8086)
  • #10125 fix DefaultCodegen parsing to handle 'uniqueItems' flag (#10154)
  • Fix code generation for Angular 10 (#10464)
  • added actions for dotnet, java and js generators (#10869)
  • added docker file for go-server generator (#10863)
  • added missed validated annotation. (#10856)
  • added option to skip client validaton (#10847)
  • Deprecate InlineModelResolver (#10841)

Swagger Codegen 2.4.18 has been released!

  • #9808 - Dart double cast (#9809)
  • Update dependencies and samples (#10044)
  • Configure WhiteSource for GitHub.com (#10593)
  • Issue 10516 (#10576)
  • fix CVE-2020-27216 - bump jetty version (#10568)
  • updated model inner enum template for java generator (#10567)
  • Enum values issue (#10563)
  • add info object extensions to additional property map (#10557)
  • updated parser version and required porperty from composed model (#10549)

Swagger Codegen 2.4.17 has been released!

  • added option to check duplicated model names. (#10529)
  • [Issue 9178] Handle multiple formats when decoding dates (#9730)
  • added @​Valid annotation on bean validation template for java jaxrs (#10519)

... (truncated)

Commits
  • 9058a5e Merge pull request #11073 from swagger-api/prepare-release-2.4.21
  • dc805f7 prepare release 2.4.21
  • a5627c0 Merge pull request #11072 from swagger-api/swos-240
  • 053ebca removed all non valid characters on project name
  • ca87148 Merge pull request #11071 from swagger-api/fix-oom
  • 7109d2e fixes high memory consumption for big specs
  • f2b5afe Merge pull request #11070 from swagger-api/aspnet-data-annotation
  • 7b389af added missed data annotation on model properties
  • 7aa0f4c Merge pull request #11058 from swagger-api/gh-php
  • ba74ea4 GH actions - fix PHP in test-generation-v2
  • Additional commits viewable in compare view

Updates swagger-codegen-maven-plugin from 2.4.11 to 2.4.21

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump io.swagger.codegen.version from 2.4.11 to 2.4.21
436b169 
Bumps `io.swagger.codegen.version` from 2.4.11 to 2.4.21.

Updates `swagger-codegen` from 2.4.11 to 2.4.21
- [Release notes](https://github.com/swagger-api/swagger-codegen/releases)
- [Commits](swagger-api/swagger-codegen@v2.4.11...v2.4.21)

Updates `swagger-codegen-maven-plugin` from 2.4.11 to 2.4.21

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jun 29, 2021
@dependabot-preview dependabot-preview bot mentioned this pull request Jun 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants