fix(ruby): escape interpolation markers in generated string literals#7746

Merged: baywet merged 2 commits into main from fix/ruby-description-injection, Jun 2, 2026

Conversation

@MIchaelMainer (Member)

Prevent Ruby code injection in generated clients by escaping # in schema-derived values emitted into Ruby double-quoted literals.

add a Ruby-specific literal sanitizer for double-quoted output
apply it across Ruby writer emission sites (defaults, wire names, discriminator mappings, indexer keys, and query parameter mapping)
preserve quoted default-literal behavior while hardening interpolation safety
add/adjust Ruby writer regression tests to verify # is escaped in constructor defaults, method parameter defaults, and serializer/deserializer wire names
Security impact: blocks runtime interpolation payloads from malicious OpenAPI default and name fields in generated Ruby code.

ref: 31000000601260

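The mechanism behind this fix, as an added illustration that is not Kiota's own sanitizer or test code: in a Ruby double-quoted literal, `#` followed by `{`, `@` or `$` starts interpolation, so a schema-derived value pasted verbatim between the quotes becomes executable Ruby in the generated client. The module below (all names are hypothetical) escapes the three characters that change meaning inside such a literal, shows one representative emission site (a constructor default assignment), and performs the round-trip check a regression test would make: compiling the emitted literal must give back exactly the original text. The sample value is constructed and deliberately harmless.

```ruby
# Added example, not Kiota's own code: a sanitizer for schema-derived values
# that a generator emits inside Ruby double-quoted string literals, plus the
# round-trip check a regression test would make.
module RubyLiteral
  # Inside a double-quoted Ruby literal, three characters change meaning:
  #   \  starts an escape sequence
  #   "  terminates the literal
  #   #  starts interpolation when followed by '{', '@' or '$'
  # Escaping every '#' (not only "#{") also neutralises "#@ivar" and "#$gvar".
  UNSAFE = /[\\"#]/

  def self.escape(value)
    value.to_s.gsub(UNSAFE) { |ch| "\\#{ch}" }
  end

  # Emit a complete double-quoted literal for use in generated source.
  def self.quote(value)
    %("#{escape(value)}")
  end

  # The pre-fix behaviour: the value pasted verbatim between double quotes.
  def self.naive_quote(value)
    %("#{value}")
  end

  # A representative emission site: a constructor default assignment line.
  def self.default_assignment(ivar_name, default_value)
    "@#{ivar_name} = #{quote(default_value)}"
  end

  # Regression check: evaluating the emitted literal must yield exactly the
  # original text, i.e. no part of it was interpreted as Ruby code.
  def self.round_trips?(value)
    eval(quote(value)) == value.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a harmless expression inside interpolation markers,
  # standing in for an untrusted "default" field of an OpenAPI description.
  sample = '#{2 * 21}'
  puts RubyLiteral.naive_quote(sample)   # "#{2 * 21}"  -> evaluates to "42"
  puts RubyLiteral.quote(sample)         # "\#{2 * 21}" -> evaluates to the text itself
  puts RubyLiteral.default_assignment("description", sample)
  puts RubyLiteral.round_trips?(sample)  # true
end
```

Escaping the whole character class rather than just the `#{` pair is the conservative choice: Ruby also interpolates `#@name` and `#$name`, and a backslash or double quote left unescaped would let the value terminate the literal early, which is the same class of problem in a different spelling.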
@MIchaelMainer MIchaelMainer requested a review from a team as a code owner June 1, 2026 23:35
@msgraph-bot msgraph-bot Bot added this to Kiota Jun 1, 2026
github-code-quality Bot commented Jun 1, 2026

Code Coverage Overview

Languages: C#

C# / code-coverage/dotnet

The overall coverage in the branch is 71%. Coverage data for the branch is not yet available.

File 240eabf +/-
/home/runner/wo...guageRefiner.cs 98%
/home/runner/wo...criptRefiner.cs 98%
/home/runner/wo...MethodWriter.cs 97%
/home/runner/wo...MethodWriter.cs 96%
/home/runner/wo...MethodWriter.cs 96%
/home/runner/wo...MethodWriter.cs 95%
/home/runner/wo...rs/GoRefiner.cs 93%
/home/runner/wo...KiotaBuilder.cs 90%
/home/runner/wo...ationService.cs 89%
/home/runner/wo...xGenerator.g.cs 72%

Updated June 02, 2026 11:07 UTC

baywet (Member) commented Jun 2, 2026

Currently impacted by this: microsoft/vs-streamjsonrpc#1447

@baywet baywet enabled auto-merge (squash) June 2, 2026 11:03
@github-project-automation github-project-automation Bot moved this to In Progress 🚧 in Kiota Jun 2, 2026
@baywet baywet merged commit fee1b64 into main Jun 2, 2026
311 checks passed
@baywet baywet deleted the fix/ruby-description-injection branch June 2, 2026 11:29
@github-project-automation github-project-automation Bot moved this from In Progress 🚧 to Done ✔️ in Kiota Jun 2, 2026
Copilot AI added a commit that referenced this pull request Jun 2, 2026
adrian05-ms added a commit that referenced this pull request Jun 2, 2026
…#7753)

* - bumps version for release of 1.32.0

* chore: update StreamJsonRpc and remove explicit MessagePack override

* docs: add 1.32.0 entries for security fixes #7735 and #7746

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>