fix(security): escape regular expression

glowcloud · glowcloud · commit e9301f2809f1 · 2024-05-08T15:40:04.000+02:00
Refs #3505
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -124,6 +124,7 @@
     "node-fetch-commonjs": "^3.3.2",
     "openapi-path-templating": "^1.5.1",
     "qs": "^6.10.2",
+    "ramda-adjunct": "^5.0.0",
     "traverse": "=0.6.8"
   },
   "overrides": {
diff --git a/src/execute/index.js b/src/execute/index.js
@@ -2,6 +2,7 @@ import cookie from 'cookie';
 import { isPlainObject } from 'is-plain-object';
 import { ApiDOMStructuredError } from '@swagger-api/apidom-error';
 import { url } from '@swagger-api/apidom-reference/configuration/empty';
+import { escapeRegExp } from 'ramda-adjunct';
 
 import { DEFAULT_BASE_URL, DEFAULT_OPENAPI_3_SERVER } from '../constants.js';
 import stockHttp from '../http/index.js';
@@ -353,7 +354,7 @@ function oas3BaseUrl({ spec, pathName, method, server, contextUrl, serverVariabl
         const variableDefinition = selectedServerObj.variables[variable];
         const variableValue = serverVariables[variable] || variableDefinition.default;
 
-        const re = new RegExp(`{${variable}}`, 'g');
+        const re = new RegExp(`{${escapeRegExp(variable)}}`, 'g');
         selectedServerUrl = selectedServerUrl.replace(re, variableValue);
       }
     });
