[TT-16109] Export GenerateTykServers so it can be used by Dashboard API #7532
probelabs / Visor: security
succeeded
Nov 11, 2025 in 3m 17s
✅ Check Passed (Warnings Found)
security check passed. Found 1 warning, but fail_if condition was not met.
📊 Summary
- Total Issues: 1
- Warning Issues: 1
🐛 Issues by Category
🔐 Security (1)
⚠️ apidef/oas/servers_regeneration.go:285 - User-controllable parts of the URL path (`listenPath`, `versionName`) are not sanitized for path traversal elements (`..`). The use of `path.Clean` on `listenPath` in `buildServerURL` and direct concatenation of `versionName` in `buildVersionedServerURL` can lead to the generation of misleading URLs in the OpenAPI specification. A user with permissions to define an API could craft these values to make a server URL appear to be on a different path, for example `https://api.com/api/../admin` which resolves to `https://api.com/admin`.
Powered by Visor from Probelabs
💡 TIP: You can chat with Visor using /visor ask <your question>
Annotations
Check warning on line 329 in apidef/oas/servers_regeneration.go
security Issue
User-controllable parts of the URL path (`listenPath`, `versionName`) are not sanitized for path traversal elements (`..`). The use of `path.Clean` on `listenPath` in `buildServerURL` and direct concatenation of `versionName` in `buildVersionedServerURL` can lead to the generation of misleading URLs in the OpenAPI specification. A user with permissions to define an API could craft these values to make a server URL appear to be on a different path, for example `https://api.com/api/../admin` which resolves to `https://api.com/admin`.
Raw output
Sanitize user-provided URL path segments to prevent path traversal. Replace `path.Clean` with a function that only normalizes slashes. Before concatenating path segments like `versionName`, ensure they do not contain `..` sequences, for example by checking for and rejecting them, or by removing them. Using `net/url.URL.ResolveReference` is a more robust way to construct URLs.