Validate the api key 'in' attribute is cookie header or query.

stefan521 · frantuma · commit 056774ff7382 · 2024-04-03T18:19:19.000+02:00
diff --git a/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java b/modules/swagger-parser-v3/src/main/java/io/swagger/v3/parser/util/OpenAPIDeserializer.java
@@ -2426,6 +2426,10 @@ public SecurityScheme getSecurityScheme(ObjectNode node, String location, ParseR
 				.filter(in -> in.toString().equals(securitySchemeIn))
 				.findFirst();
 
+		if (inRequired && securitySchemeIn != null && !matchingIn.isPresent()) {
+			result.invalidType(location, "in", "cookie|header|query", node);
+		}
+
 		securityScheme.setIn(matchingIn.orElse(null));
 
 		value = getString("scheme", node, schemeRequired, location, result);
diff --git a/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java b/modules/swagger-parser-v3/src/test/java/io/swagger/v3/parser/util/OpenAPIDeserializerTest.java
@@ -491,6 +491,59 @@ public void testSecurityDefinitionWithMissingAttribute() {
         assertTrue(messages.contains("attribute components.securitySchemes.api_key.type is missing"));
     }
 
+    @Test
+    public void testSecurityDefinitionApiKeyWithMissingAttributeIn() {
+        String yaml = "openapi: 3.0.0\n" +
+                "components:\n" +
+                "  securitySchemes:\n" +
+                "    api_key:\n" +
+                "      type: apiKey\n" +
+                "      name: X-API-KEY";
+
+        OpenAPIV3Parser parser = new OpenAPIV3Parser();
+        SwaggerParseResult result = parser.readContents(yaml, null, null);
+        List<String> messageList = result.getMessages();
+        Set<String> messages = new HashSet<>(messageList);
+
+        assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is missing"));
+    }
+
+    @Test
+    public void testSecurityDefinitionApiKeyWithInvalidAttributeIn() {
+        String yaml = "openapi: 3.0.0\n" +
+                "components:\n" +
+                "  securitySchemes:\n" +
+                "    api_key:\n" +
+                "      type: apiKey\n" +
+                "      name: X-API-KEY\n" +
+                "      in: cukie";
+
+        OpenAPIV3Parser parser = new OpenAPIV3Parser();
+        SwaggerParseResult result = parser.readContents(yaml, null, null);
+        List<String> messageList = result.getMessages();
+        Set<String> messages = new HashSet<>(messageList);
+
+        assertTrue(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
+    }
+
+    @Test
+    public void testSecurityDefinitionApiKeyValid() {
+        String yaml = "openapi: 3.0.0\n" +
+                "components:\n" +
+                "  securitySchemes:\n" +
+                "    api_key:\n" +
+                "      type: apiKey\n" +
+                "      name: X-API-KEY\n" +
+                "      in: cookie";
+
+        OpenAPIV3Parser parser = new OpenAPIV3Parser();
+        SwaggerParseResult result = parser.readContents(yaml, null, null);
+        List<String> messageList = result.getMessages();
+        Set<String> messages = new HashSet<>(messageList);
+
+        assertFalse(messages.contains("attribute components.securitySchemes.api_key.in is not of type `cookie|header|query`"));
+    }
+
     @Test
     public void testRootInfo() {
         String json = "{\n" +
