Fix JSDoc comment security vulnerability: escape only necessary */ sequences

Open FDiskas opened this issue 4 months ago • 4 comments

vibe coded PR

closes #1321

This PR fixes a security vulnerability where unescaped characters in OpenAPI/Swagger descriptions could break generated TypeScript files or enable code injection attacks. The fix uses minimal escaping - only escaping the dangerous */ sequences while leaving harmless /* sequences unescaped to reduce noise in generated documentation.

Problem

Vulnerable input example:

description: "This endpoint is equivalent to **/information** endpoint"
summary: "Get data with **/ alert('XSS') /** injection attempt"

Generated vulnerable output:

/**
 * Description with */ alert('XSS') /* injection attempt
 */

The */ sequence breaks out of the JSDoc comment, allowing arbitrary JavaScript code execution.

Solution

The fix applies surgical escaping that only targets the dangerous pattern:

*/ sequences are escaped to *\/ (prevents comment breakout)
/* sequences remain unescaped (harmless inside comments)

Safe output after fix:

/**
 * Description with *\/ alert('XSS') /* injection attempt
 */

Technical Details

Core changes: Updated escapeJSDocContent() in src/schema-parser/schema-formatters.ts to only escape */
Template consistency: Modified route-docs.ejs to use consistent escaping approach
Smart detection: formatDescription() detects already-escaped content to prevent double-escaping
Fixed snapshots: Corrected test snapshots to show proper single backslash escaping