
feat: add sdk.params option #1927

Draft: wants to merge 4 commits into base: main

mrlubos (Member) commented Apr 8, 2025

Related to #926

TODO

  • move headers to params
  • add documentation
  • add snapshots
  • update/add example using flattened
  • make sure previous build works with required never (need to use OmitNever)
  • add param mapper
  • create map of SDK params (so it's easy to know if they're required and where they "fit", this will be important in positional arguments)
  • finally, make sure the SDK passes typecheck (params aren't currently used at all, and there's a mismatch with required/optional arguments due to above)

changeset-bot bot commented Apr 8, 2025

🦋 Changeset detected

Latest commit: f8b592e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
@hey-api/openapi-ts Patch
@hey-api/client-custom Minor
@hey-api/client-axios Minor
@hey-api/client-fetch Minor
@hey-api/client-core Minor
@hey-api/client-next Minor
@hey-api/client-nuxt Minor
@example/openapi-ts-axios Patch
@example/openapi-ts-fastify Patch
@example/openapi-ts-fetch Patch
@example/openapi-ts-next Patch
@example/openapi-ts-sample Patch
@example/openapi-ts-tanstack-angular-query-experimental Patch
@example/openapi-ts-tanstack-react-query Patch
@example/openapi-ts-tanstack-svelte-query Patch
@example/openapi-ts-tanstack-vue-query Patch
@hey-api/nuxt Patch
@example/openapi-ts-nuxt Patch


vercel bot commented Apr 8, 2025

Name Status Updated (UTC)
hey-api-docs ✅ Ready Apr 13, 2025 11:16pm

@mrlubos mrlubos changed the title feat: add sdk.params option feat: add sdk.params option Apr 8, 2025
if (config.key) {
const field = map.get(config.key)!;
const name = field.map || config.key;
(params[field.in] as Record<string, unknown>)[name] = arg;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI 3 days ago

To fix the prototype pollution issue, we need to ensure that special property names like __proto__, constructor, and prototype are not used as keys in the params object. This can be achieved by adding a check before assigning values to the params object.

The best way to fix the problem without changing existing functionality is to add a validation step to filter out these special property names. This can be done by modifying the code in the buildClientParams function.

Suggested changeset 1
packages/client-core/src/params.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/client-core/src/params.ts b/packages/client-core/src/params.ts
--- a/packages/client-core/src/params.ts
+++ b/packages/client-core/src/params.ts
@@ -101,3 +101,5 @@
         const name = field.map || config.key;
-        (params[field.in] as Record<string, unknown>)[name] = arg;
+        if (name !== '__proto__' && name !== 'constructor' && name !== 'prototype') {
+          (params[field.in] as Record<string, unknown>)[name] = arg;
+        }
       } else {
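Review bot: When `name` is one of the three blocked strings, the new `if` skips the assignment and `arg` is dropped with no error or log, so the caller ends up with params that silently lack a value it passed. Throw, or at least report the rejected key, in that case instead of falling through to nothing.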
@@ -111,3 +113,5 @@
           const name = field.map || key;
-          (params[field.in] as Record<string, unknown>)[name] = value;
+          if (name !== '__proto__' && name !== 'constructor' && name !== 'prototype') {
+            (params[field.in] as Record<string, unknown>)[name] = value;
+          }
         } else {
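Review bot: The key check on `name` here duplicates the one in the previous hunk word for word, and the same comparison appears twice more below. Pull it into one small predicate beside `buildClientParams` (for example a hypothetical `isUnsafeKey(name)`) so the list of blocked keys lives in one place and a later addition cannot miss one of the four call sites.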
@@ -119,5 +123,6 @@
             const [prefix, slot] = extra;
-            (params[slot] as Record<string, unknown>)[
-              key.slice(prefix.length)
-            ] = value;
+            const name = key.slice(prefix.length);
+            if (name !== '__proto__' && name !== 'constructor' && name !== 'prototype') {
+              (params[slot] as Record<string, unknown>)[name] = value;
+            }
           } else {
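Review bot: The guard covers `name` but not the first-level index: `params[slot]` is still read with whatever `slot` came out of `extra`, and nothing in this hunk validates it. If `slot` can ever be `'__proto__'`, then `params[slot]` on an ordinary object is `Object.prototype` and the write goes through even for a harmless `name`. Check `slot` against the known slot names before indexing, or add a comment stating that `extra` only ever holds fixed values.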
@@ -127,3 +132,5 @@
               if (allowed) {
-                (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
+                  (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                }
                 break;
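Review bot: `break` sits outside the new `if`, so a blocked `key` is still treated as handled even though nothing was stored; decide explicitly whether a rejected key should break, continue or throw. Separately, writing `constructor` or `prototype` one level deep on an ordinary object only creates an own property, so blocking them here drops legitimate fields with those names, while `__proto__` is the only string the CodeQL alert names.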
EOF

if (field) {
const name = field.map || key;
(params[field.in] as Record<string, unknown>)[name] = value;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.
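
An added example (not code from this PR or the project) showing the two ways the flagged two-level assignment can go wrong and one alternative to the denylist in the Autofix patch: null-prototype containers plus an allowlist for the slot index. The names `assignNaive`, `assignHardened`, `newParams`, `Bag` and the four slot names are assumptions made for illustration.

```typescript
// Added example. All names here are hypothetical, not the project's API.
type Bag = Record<string, unknown>;
type Params = Record<string, Bag>;

const SLOTS: string[] = ['body', 'headers', 'path', 'query'];

// Same shape as the flagged line: both indexes are taken on trust.
function assignNaive(params: Params, slot: string, name: string, value: unknown): void {
  (params[slot] as Bag)[name] = value;
}

// Hardened: every container is a null-prototype object, so '__proto__' is
// an ordinary own key, and the slot index must be on the allowlist.
function newParams(): Params {
  const params: Params = Object.create(null);
  SLOTS.forEach((slot) => { params[slot] = Object.create(null); });
  return params;
}

function assignHardened(params: Params, slot: string, name: string, value: unknown): void {
  if (SLOTS.indexOf(slot) === -1) throw new TypeError(`unknown slot: ${slot}`);
  (params[slot] as Bag)[name] = value;
}

function demoNaive(): { inherited: unknown; leaked: unknown } {
  const params: Params = { body: {}, headers: {}, path: {}, query: {} };
  // name '__proto__' hits the inherited setter and swaps the slot's prototype.
  assignNaive(params, 'query', '__proto__', { admin: true });
  const inherited = (params['query'] as Bag)['admin'];
  // slot '__proto__' resolves to Object.prototype, shared by every object.
  assignNaive(params, '__proto__', 'polluted', 'yes');
  const leaked = ({} as Bag)['polluted'];
  delete (Object.prototype as any)['polluted']; // undo the demo's side effect
  return { inherited, leaked };
}

function demoHardened(): { ownKeys: string[]; inherited: unknown; slotRejected: boolean } {
  const params = newParams();
  assignHardened(params, 'query', '__proto__', { admin: true });
  let slotRejected = false;
  try {
    assignHardened(params, '__proto__', 'polluted', 'yes');
  } catch (_err) {
    slotRejected = true;
  }
  const query = params['query'] as Bag;
  return { ownKeys: Object.keys(query), inherited: query['admin'], slotRejected };
}
```

Unlike the denylist, this keeps a field literally named `__proto__` as data instead of dropping it; whether that is wanted depends on how the params are serialized afterwards.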