Release new version (#221)

steffstefferson · web-flow · commit e9617d10d19f · 2024-11-15T10:45:44.000+01:00
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 <p align='right'>A <a href="https://developer.post.ch/">swisspost</a> project <a href="https://developer.post.ch/" border=0><img align="top"  src='https://avatars.githubusercontent.com/u/92710854?s=32&v=4'></a></p>
 <p align="center">
   <img src="https://cloud.githubusercontent.com/assets/692124/21751899/37cc152c-d5cf-11e6-97ac-a5811f48c070.png"/>
-</p>
+</p> 
 
 # Apikana
 
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "apikana",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "description": "Integrated tools for REST API design - ｱﾋﾟ",
   "main": "index.js",
   "bin": {
diff --git a/src/deps/helper.js b/src/deps/helper.js
@@ -29,14 +29,18 @@ $ = function (f) {
 
     Handlebars.templates.signature = Handlebars.compile('{{sanitize signature}}');
 
-    var url = "../model/openapi/api.yaml";
-    if(window.location.search !="?url="+url) {
-        window.location.search = "?url="+url;
-    }
+    var url = new URL(window.location).searchParams.get('url')
+    
     if (!url) {
         alert('Please specify the API to display using the "url" query parameter.\nE.g. ' + location.origin + location.pathname + '?url=/src/openapi/api.yaml');
         return;
     }
+   
+    var fallbackUrl = "../model/openapi/api.yaml";
+    if(!isValidUrl(url)) {
+        window.location.search = "?url="+fallbackUrl;
+    }
+
     if (!window.fetch) {
         alert('Please use a Browser.\nIt should at least support "fetch".');
         return;
@@ -112,6 +116,22 @@ $ = function (f) {
         )
     }
 
+    function isValidUrl(referencedUrl){
+        // must be relative url
+        if(!referencedUrl.startsWith('../')){
+            return false;
+        }
+        // only allow referencing max two parent directories
+        var matches = referencedUrl.match(/\.\.\//g);
+        if(matches && matches.length > 2){
+            return false;
+        }
+
+        // additional check
+        var referencedAbsoluteUrl = getAbsoluteUrl(referencedUrl)
+        return new URL(referencedAbsoluteUrl).origin == new URL(location.href).origin
+    }
+
     function isLocalSchema(models, schema) {
         return _.any(models, function (m) {
             return normalize(schema.extra.filename) === normalize(m);

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "apikana",`
`3`		`- "version": "0.11.0",`
	`3`	`+ "version": "0.11.1",`
`4`	`4`	`"description": "Integrated tools for REST API design - ｱﾋﾟ",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"bin": {`