Orval Type-Safe JS Client Mock Generation Code Injection Vulnerability

A code injection vulnerability has been identified in Orval's mock generation process, specifically in the @orval/mock package versions 7.19.0 and below, as well as 8.0.0-rc.0 through 8.0.2. This vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript or JavaScript into generated mock files. The issue arises from the const keyword on schema properties, which is improperly handled and can lead to the execution of malicious code. The injected code is executed in the context of the generated TypeScript, potentially leading to severe consequences.

Impact

Exploitation of this vulnerability allows for arbitrary code injection into TypeScript files generated by Orval, with the injected code executed in a Node.js environment. This could lead to execution of malicious payloads, such as commands being run in the system shell.

Reproduction

To reproduce this vulnerability, create an OpenAPI specification that includes schema properties with const values designed to inject JavaScript code. When this specification is processed by Orval's mock generator, the const values will be executed as code in the generated mock files. This can be verified by including payloads that, when executed, demonstrate the injection, such as commands that return system information.

Remediation

Users can upgrade to Orval versions 7.20.0 or 8.0.3, both of which include the necessary fix. After updating, the mock generation process will properly escape const values, preventing code injection.