Skip to content

fix(ruby): escape interpolation markers in generated string literals#7746

Merged
baywet merged 2 commits into
mainfrom
fix/ruby-description-injection
Jun 2, 2026
Merged

fix(ruby): escape interpolation markers in generated string literals#7746
baywet merged 2 commits into
mainfrom
fix/ruby-description-injection

Conversation

@MIchaelMainer

Copy link
Copy Markdown
Contributor

Prevent Ruby code injection in generated clients by escaping # in schema-derived values emitted into Ruby double-quoted literals.

add a Ruby-specific literal sanitizer for double-quoted output apply it across Ruby writer emission sites (defaults, wire names, discriminator mappings, indexer keys, and query parameter mapping) preserve quoted default-literal behavior while hardening interpolation safety add/adjust Ruby writer regression tests to verify # is escaped in constructor defaults, method parameter defaults, and serializer/deserializer wire names Security impact: blocks runtime interpolation payloads from malicious OpenAPI default and name fields in generated Ruby code.

ref: 31000000601260

Prevent Ruby code injection in generated clients by escaping # in schema-derived values emitted into Ruby double-quoted literals.

add a Ruby-specific literal sanitizer for double-quoted output
apply it across Ruby writer emission sites (defaults, wire names, discriminator mappings, indexer keys, and query parameter mapping)
preserve quoted default-literal behavior while hardening interpolation safety
add/adjust Ruby writer regression tests to verify # is escaped in constructor defaults, method parameter defaults, and serializer/deserializer wire names
Security impact: blocks runtime interpolation payloads from malicious OpenAPI default and name fields in generated Ruby code.
@MIchaelMainer
MIchaelMainer requested a review from a team as a code owner June 1, 2026 23:35
@msgraph-bot msgraph-bot Bot added this to Kiota Jun 1, 2026
@github-code-quality

github-code-quality Bot commented Jun 1, 2026

Copy link
Copy Markdown

Code Coverage Overview

Languages: C#

C# / code-coverage/dotnet

The overall coverage in the branch is 71%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 240eabf +/-
/home/runner/wo...guageRefiner.cs 98%
/home/runner/wo...criptRefiner.cs 98%
/home/runner/wo...MethodWriter.cs 97%
/home/runner/wo...MethodWriter.cs 96%
/home/runner/wo...MethodWriter.cs 96%
/home/runner/wo...MethodWriter.cs 95%
/home/runner/wo...rs/GoRefiner.cs 93%
/home/runner/wo...KiotaBuilder.cs 90%
/home/runner/wo...ationService.cs 89%
/home/runner/wo...xGenerator.g.cs 72%

Updated June 02, 2026 11:07 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@baywet

baywet commented Jun 2, 2026

Copy link
Copy Markdown
Member

currently impacted by this microsoft/vs-streamjsonrpc#1447

@baywet
baywet enabled auto-merge (squash) June 2, 2026 11:03
@github-project-automation github-project-automation Bot moved this to In Progress 🚧 in Kiota Jun 2, 2026
@baywet
baywet merged commit fee1b64 into main Jun 2, 2026
311 checks passed
@baywet
baywet deleted the fix/ruby-description-injection branch June 2, 2026 11:29
@github-project-automation github-project-automation Bot moved this from In Progress 🚧 to Done ✔️ in Kiota Jun 2, 2026
Copilot AI added a commit that referenced this pull request Jun 2, 2026
adrian05-ms added a commit that referenced this pull request Jun 2, 2026
…#7753)

* - bumps version for release of 1.32.0

* chore: update StreamJsonRpc and remove explicit MessagePack override

* docs: add 1.32.0 entries for security fixes #7735 and #7746

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

2 participants