Skip to content

feat: add sdk.params option #1927


Draft · wants to merge 6 commits into main

Conversation

@mrlubos (Member) commented Apr 8, 2025

Related to #926

TODO

  • move headers to params
  • add documentation
  • add snapshots
  • update/add example using flattened
  • make sure previous build works with required never (need to use OmitNever)
  • add param mapper
  • create map of SDK params (so it's easy to know if they're required and where they "fit", this will be important in positional arguments)
  • finally, make sure the SDK passes typecheck (params aren't currently used at all, and there's a mismatch with required/optional arguments due to above)


changeset-bot bot commented Apr 8, 2025

🦋 Changeset detected

Latest commit: 0cc8d17

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages

| Name | Type |
| --- | --- |
| @hey-api/openapi-ts | Patch |
| @hey-api/client-custom | Minor |
| @hey-api/client-axios | Minor |
| @hey-api/client-fetch | Minor |
| @hey-api/client-core | Minor |
| @hey-api/client-next | Minor |
| @hey-api/client-nuxt | Minor |
| @example/openapi-ts-axios | Patch |
| @example/openapi-ts-fastify | Patch |
| @example/openapi-ts-fetch | Patch |
| @example/openapi-ts-next | Patch |
| @example/openapi-ts-sample | Patch |
| @example/openapi-ts-tanstack-angular-query-experimental | Patch |
| @example/openapi-ts-tanstack-react-query | Patch |
| @example/openapi-ts-tanstack-svelte-query | Patch |
| @example/openapi-ts-tanstack-vue-query | Patch |
| @hey-api/nuxt | Patch |
| @example/openapi-ts-nuxt | Patch |

vercel bot commented Apr 8, 2025

Deployment status: hey-api-docs ✅ Ready, preview updated Apr 17, 2025 7:23pm (UTC)

@mrlubos changed the title to "feat: add sdk.params option" on Apr 8, 2025

```ts
// packages/client-core/src/params.ts, as quoted by the CodeQL alert
if (config.key) {
  const field = map.get(config.key)!;
  const name = field.map || config.key;
  (params[field.in] as Record<string, unknown>)[name] = arg;
}
```

Check warning: Code scanning / CodeQL

Prototype-polluting assignment (Medium): This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix (AI, 20 days ago)

To fix the issue, we need to ensure that untrusted keys like __proto__, constructor, and prototype cannot be used as property names in the params object. This can be achieved by validating the name variable before assigning it to the params object. If the name variable contains a dangerous key, the assignment should be skipped or an error should be thrown.

The best way to implement this fix is to add a validation step before the assignment on line 102. We will check if name is one of the dangerous keys (__proto__, constructor, or prototype) and skip the assignment if it is.


Suggested changeset 1: packages/client-core/src/params.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/client-core/src/params.ts b/packages/client-core/src/params.ts
--- a/packages/client-core/src/params.ts
+++ b/packages/client-core/src/params.ts
@@ -101,2 +101,5 @@
         const name = field.map || config.key;
+        if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
+          continue; // Skip dangerous keys
+        }
         (params[field.in] as Record<string, unknown>)[name] = arg;
EOF
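Review bot: the `continue` in the added check assumes the assignment sits inside a loop, which the quoted context (`if (config.key) { ... }`) does not show; if there is no enclosing loop the patch will not compile, and even where it does, silently skipping the argument hides the problem from the caller, so throwing (for example `throw new TypeError(...)`) or rejecting the offending rename at generation time is preferable to dropping it. A denylist on `name` also leaves the plain-object container as the root cause; building the per-location objects with `Object.create(null)` makes `__proto__` an ordinary own key without any string comparison. Finally, the second flagged site (`const name = field.map || key;` followed by the same `(params[field.in] as Record<string, unknown>)[name] = value;`) has the identical pattern and is not touched by this patch.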

```ts
if (field) {
  const name = field.map || key;
  (params[field.in] as Record<string, unknown>)[name] = value;
}
```

Check warning: Code scanning / CodeQL

Prototype-polluting assignment (Medium): This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.
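The two flagged assignments and the suggested autofix, as an added example that is not hey-api code: the same `params[field.in][name] = value` write is run against plain-object buckets, against null-prototype buckets, and behind a reserved-name check, and then the two-level form is shown in which the location key itself is attacker-controlled, which is the case where Object.prototype is actually reached (a generalization beyond the quoted snippet). `FieldSpec`, `ParamBuckets`, the bucket constructors and the field map are assumed simplifications of the PR's types, not its API.

```typescript
// Added example, not hey-api code. Simplified, assumed types model the PR's
// `field.in` / `field.map` and the per-location parameter buckets.

type ParamLocation = 'body' | 'headers' | 'path' | 'query';

// Assumed stand-in for the generated field map: where a key fits, plus an optional rename.
interface FieldSpec {
  in: ParamLocation;
  map?: string;
}

type Bucket = Record<string, unknown>;
type ParamBuckets = Record<ParamLocation, Bucket>;

const RESERVED_NAMES: ReadonlySet<string> = new Set(['__proto__', 'constructor', 'prototype']);

// Plain object literals inherit Object.prototype and its `__proto__` accessor.
export function createPlainBuckets(): ParamBuckets {
  return { body: {}, headers: {}, path: {}, query: {} };
}

// Null-prototype objects have no such accessor: `__proto__` is an ordinary own key.
export function createNullProtoBuckets(): ParamBuckets {
  return { body: Object.create(null), headers: Object.create(null), path: Object.create(null), query: Object.create(null) };
}

// The pattern CodeQL flagged: the mapped name flows unchecked into the bucket.
export function assignUnchecked(params: ParamBuckets, fields: Map<string, FieldSpec>, key: string, value: unknown): void {
  const field = fields.get(key);
  if (!field) return;
  const name = field.map || key;
  params[field.in][name] = value;
}

// Denylist variant in the spirit of the autofix, but it fails loudly instead of skipping.
export function assignChecked(params: ParamBuckets, fields: Map<string, FieldSpec>, key: string, value: unknown): void {
  const field = fields.get(key);
  if (!field) return;
  const name = field.map || key;
  if (RESERVED_NAMES.has(name)) {
    throw new TypeError(`refusing reserved parameter name "${name}"`);
  }
  params[field.in][name] = value;
}

// Constructed field map: `filter` is renamed to the reserved name "__proto__",
// as a hostile or sloppy spec could arrange.
const FIELDS = new Map<string, FieldSpec>([
  ['limit', { in: 'query' }],
  ['filter', { in: 'query', map: '__proto__' }],
]);

export interface DemoResult {
  plainPrototypeReplaced: boolean;   // bucket's prototype swapped for the injected value
  plainInheritsInjected: boolean;    // a key nobody set is visible through the chain
  plainOwnKeys: string[];            // ["limit"]: the injected key is not an own key
  nullProtoInheritsInjected: boolean;
  nullProtoOwnKeys: string[];        // ["limit", "__proto__"]: just a stored key
  checkedThrows: boolean;
}

export function demo(): DemoResult {
  const injected = { injected: true };

  // 1. Plain bucket: writing "__proto__" replaces the bucket's prototype.
  const plain = createPlainBuckets();
  assignUnchecked(plain, FIELDS, 'limit', 10);
  assignUnchecked(plain, FIELDS, 'filter', injected);

  // 2. Null-prototype bucket: identical write, harmless.
  const nullProto = createNullProtoBuckets();
  assignUnchecked(nullProto, FIELDS, 'limit', 10);
  assignUnchecked(nullProto, FIELDS, 'filter', injected);

  // 3. Reserved-name check: the hostile rename is rejected outright.
  let checkedThrows = false;
  try {
    assignChecked(createPlainBuckets(), FIELDS, 'filter', injected);
  } catch (e) {
    checkedThrows = e instanceof TypeError;
  }

  return {
    plainPrototypeReplaced: Object.getPrototypeOf(plain.query) === injected,
    plainInheritsInjected: 'injected' in plain.query,
    plainOwnKeys: Object.keys(plain.query),
    nullProtoInheritsInjected: 'injected' in nullProto.query,
    nullProtoOwnKeys: Object.keys(nullProto.query),
    checkedThrows,
  };
}

// Two-level form, beyond the snippet: when the location key is also attacker-controlled,
// `params["__proto__"]` on a plain object is Object.prototype itself, so the write
// lands on every object in the process. The damage is undone before returning.
export function polluteGlobal(): { polluted: boolean; cleanedUp: boolean } {
  const params: Record<string, Bucket> = {};
  const loc = '__proto__';
  const name = 'polluted';
  (params[loc] as Bucket)[name] = 'yes';
  const polluted = ({} as Bucket).polluted === 'yes';
  delete (Object.prototype as unknown as Bucket).polluted;
  return { polluted, cleanedUp: ({} as Bucket).polluted === undefined };
}

console.log(demo(), polluteGlobal());
```

Note that with null-prototype buckets the `__proto__` key is stored and would later be serialized as a literal parameter, so validating names at generation time is still worthwhile; the null prototype removes the pollution hazard, not the bad spec.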