fix: add hard limit on deref depth to prevent crashes
RomanHotsiy authored and AlexVarchuk committed Sep 6, 2022
1 parent bb325d0 commit ddde105
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/services/OpenAPIParser.ts
Expand Up @@ -5,6 +5,8 @@ import { JsonPointer } from '../utils/JsonPointer';
import { RedocNormalizedOptions } from './RedocNormalizedOptions';
import type { MergedOpenAPISchema } from './types';

const MAX_DEREF_DEPTH = 999; // prevent circular detection crashes by adding hard limit on deref depth

/**
* Loads and keeps spec. Provides raw spec operations
*/
Expand Down Expand Up @@ -103,7 +105,7 @@ export class OpenAPIParser {
}

let refsStack = baseRefsStack;
if (baseRefsStack.includes(obj.$ref)) {
if (baseRefsStack.includes(obj.$ref) || baseRefsStack.length > MAX_DEREF_DEPTH) {
resolved = Object.assign({}, resolved, { 'x-circular-ref': true });
} else if (this.isRef(resolved)) {
const res = this.deref(resolved, baseRefsStack, mergeAsAllOf);
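Review bot: The added `baseRefsStack.length > MAX_DEREF_DEPTH` test shares the circular-reference branch, so a spec that is only deeply nested is cut off and tagged `x-circular-ref: true` with nothing reporting that the depth cap was hit. A hard cap is a sensible guard when the spec may come from an untrusted source, but the cut-off should be observable: give it its own `else if (baseRefsStack.length > MAX_DEREF_DEPTH)` branch that logs a warning (e.g. `console.warn('deref depth limit reached at ' + obj.$ref)`) before setting the marker. Whether 999 levels stays under the engine's call-stack limit depends on how many frames each `deref` level consumes, which is not visible here, so a regression test with a synthetic long `$ref` chain would confirm the constant. The comment on `MAX_DEREF_DEPTH` could also say what it bounds, for example `// upper bound on the $ref resolution stack; deeper chains are treated as circular`. The enclosing method starts and ends outside the hunk.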