Allow uploading of OpenAPI spec for resources#645
Allow uploading of OpenAPI spec for resources#645285729101 wants to merge 1 commit intoMerit-Systems:mainfrom
Conversation
Parse OpenAPI 3.x specs (JSON/YAML) and register endpoints as x402 resources. Includes dry-run preview mode, file upload, and paste support.
|
@285729101 is attempting to deploy a commit to the Merit Systems Team on Vercel. A member of the Team first needs to authorize it. |
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
| try { | ||
| const response = await fetch( | ||
| endpoint.url.replace('{', '').replace('}', ''), | ||
| { |
There was a problem hiding this comment.
SSRF vulnerability in register and registerFromOpenAPISpec endpoints allows attackers to make the server fetch arbitrary URLs including localhost, private IPs, and internal services
| try { | ||
| const response = await fetch( | ||
| endpoint.url.replace('{', '').replace('}', ''), | ||
| { |
There was a problem hiding this comment.
URL path parameters are incorrectly stripped instead of being replaced with values, creating invalid endpoints
| } | ||
|
|
||
| // Register each endpoint | ||
| const results = await Promise.allSettled( |
There was a problem hiding this comment.
Potential DoS vulnerability: Promise.allSettled() spawns unlimited concurrent HTTP requests when processing OpenAPI specs with hundreds of endpoints
|
@jasonhedman the spec parser auto-discovers endpoints and generates resource entries with a dry-run preview before committing. Let me know if you want any changes to the import flow. |
1 participant
Adds support for uploading/pasting OpenAPI specs to bulk-register x402 resource endpoints. Resolves #97.
What this does
lib/openapi/parse-spec.ts) that handles both JSON and YAML formats, extracts endpoints with their methods, query params, body schemas, and response schemasregisterFromOpenAPISpectRPC endpoint with dry-run mode so users can preview what will be registered before committingHow it works
The parser handles
$refresolution, server variable substitution, and nested schema extraction. No new dependencies needed - the YAML parser is a lightweight built-in that covers the OpenAPI subset.