[Slim] Injection into host or basePath breaks server #766

@ybelenko

Description


Injection into host and basePath breaks Slim server.

openapi-generator version

3.2.1-SNAPSHOT

OpenAPI declaration file content or url

host: petstore.swagger.io */ ' " =end -- \r\n \n \r
basePath: /v2 */ ' " =end -- \r\n \n \r
tags:
  - name: fake
    description: Everything about your Pets */ ' " =end -- \r\n \n \r
    externalDocs:
      description: Find out more */ ' " =end -- \r\n \n \r
      url: 'https://openapis.org'
schemes:
  - http */ ' " =end -- \r\n \n \r

Command line used for generation

$ bin/security/php-slim-server-petstore.sh

Steps to reproduce

$ bin/security/php-slim-server-petstore.sh

then

$ php -l samples/server/petstore-security-test/php-slim/lib/SlimRouter.php

Parse error: syntax error, unexpected '\' (T_NS_SEPARATOR), expecting ',' or ')' in samples/server/petstore-security-test/php-slim/lib/SlimRouter.php on line 71

Errors parsing samples/server/petstore-security-test/php-slim/lib/SlimRouter.php

Related issues/PRs

Suggest a fix/enhancement

Any solution could work:

  • Escape quotes in {{{basePathWithoutHost}}} and {{{path}}}
  • Strip out quotes from {{{basePathWithoutHost}}} and {{{path}}}
  • Throw a warning when {{{basePathWithoutHost}}} and {{{path}}} contain invalid chars
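
The three options above, sketched as a standalone pre-generation check in Python. This is an added example, not code from this issue or from openapi-generator; it assumes the template places the value inside a PHP single-quoted string literal, and all function names and the allow-list are hypothetical.

```python
import re

# Constructed inputs: the host/basePath values from the spec fragment above.
# In YAML plain scalars, \r and \n are literal backslash + letter.
PAYLOAD = "*/ ' \" =end -- \\r\\n \\n \\r"
SPEC_VALUES = {"host": "petstore.swagger.io " + PAYLOAD,
               "basePath": "/v2 " + PAYLOAD}


def php_single_quoted(value):
    """Option 1: escape for a PHP single-quoted literal (backslash first)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def strip_quotes(value):
    """Option 2: drop quotes; backslashes are dropped too (an addition here)
    so a trailing one cannot escape the closing quote."""
    return re.sub(r"['\"\\]", "", value)


def invalid_chars(value):
    """Option 3: characters to warn about. The allow-list is an assumption."""
    return sorted(set(re.findall(r"[^A-Za-z0-9._~/%:-]", value)))


def literal_end(source):
    """Index just past the first single-quoted literal in `source`, using
    PHP's rule that only \\\\ and \\' are escapes there; -1 if unterminated."""
    i = 1
    while i < len(source):
        if source[i] == "\\" and source[i + 1:i + 2] in ("\\", "'"):
            i += 2
        elif source[i] == "'":
            return i + 1
        else:
            i += 1
    return -1


if __name__ == "__main__":
    for key, value in SPEC_VALUES.items():
        naive = "'" + value + "'"
        safe = php_single_quoted(value)
        print(key, "warn on:", invalid_chars(value))
        print("  naive literal ends at", literal_end(naive), "of", len(naive))
        print("  escaped literal ends at", literal_end(safe), "of", len(safe))
```

When `literal_end` returns less than the full length, the string literal closes early and the rest of the value is parsed as PHP code, which is the condition `php -l` reports in this issue.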
