Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -680,7 +680,13 @@ class ApiClient:
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -673,7 +673,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
8 changes: 7 additions & 1 deletion samples/client/echo_api/python/openapi_client/api_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -673,7 +673,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -675,7 +675,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -675,7 +675,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Cookie API key encoding only replaces spaces and semicolons, leaving other invalid or dangerous characters unescaped.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At samples/openapi3/client/petstore/python-httpx-sync/petstore_api/api_client.py, line 683:

<comment>Cookie API key encoding only replaces spaces and semicolons, leaving other invalid or dangerous characters unescaped.</comment>

<file context>
@@ -679,8 +679,8 @@ def _apply_auth_params(
-            # Account for cookie value containing spaces or being non-string value
-            cookie_value = quote(str(auth_setting['value']), safe='')
+            # Encode spaces and semicolons in cookie value, leaving other characters as-is
+            cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
             headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
         elif auth_setting['in'] == 'header':
</file context>
Suggested change
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
cookie_value = quote(str(auth_setting['value']), safe='')

headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -675,7 +675,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -672,7 +672,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -672,7 +672,13 @@ def _apply_auth_params(
:param auth_setting: auth settings for the endpoint
"""
if auth_setting['in'] == 'cookie':
headers['Cookie'] = auth_setting['value']
if not 'Cookie' in headers:
headers['Cookie'] = ""
else:
headers['Cookie'] += "; "
# Encode spaces and semicolons in cookie value, leaving other characters as-is
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Cookie API-key values are now under-encoded, allowing invalid/control/non-ASCII characters to be emitted raw in the Cookie header. The change from quote(str(auth_setting['value']), safe='') to str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B") loses protection against control characters (tabs, CR, LF) and other special characters (double quotes, backslashes, commas) that are invalid or dangerous in HTTP header/cookie values.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At samples/openapi3/client/petstore/python/petstore_api/api_client.py, line 680:

<comment>Cookie API-key values are now under-encoded, allowing invalid/control/non-ASCII characters to be emitted raw in the `Cookie` header. The change from `quote(str(auth_setting['value']), safe='')` to `str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")` loses protection against control characters (tabs, CR, LF) and other special characters (double quotes, backslashes, commas) that are invalid or dangerous in HTTP header/cookie values.</comment>

<file context>
@@ -676,8 +676,8 @@ def _apply_auth_params(
-            # Account for cookie value containing spaces or being non-string value
-            cookie_value = quote(str(auth_setting['value']), safe='')
+            # Encode spaces and semicolons in cookie value, leaving other characters as-is
+            cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
             headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
         elif auth_setting['in'] == 'header':
</file context>
Suggested change
cookie_value = str(auth_setting['value']).replace(" ", "%20").replace(";", "%3B")
# Encode spaces, semicolons, and control/special characters in cookie value
cookie_value = quote(str(auth_setting['value']), safe='')

headers['Cookie'] += f"{auth_setting['key']}={cookie_value}"
elif auth_setting['in'] == 'header':
if auth_setting['type'] != 'http-signature':
headers[auth_setting['key']] = auth_setting['value']
Expand Down
Loading