fix(parser-v3): preserve $dynamicRef/$dynamicAnchor and fix $id scope leak in OAS 3.1 dereferencer#2332
Open
aqeelat wants to merge 1 commit into
Open
Conversation
… leak in OAS 3.1 dereferencer Four changes to the OAS 3.1 dereferencer to handle specs using $dynamicRef, $dynamicAnchor, $defs, and $id without crashing or losing data: 1. resolveSchemaRef(): bypass inheritedIds for #/components/ and #/definitions/ refs so a schema's $id cannot hijack document-level resolution. Also clear inheritedIds during traversal of resolved components to prevent $id scope from leaking into nested refs. 2. findAnchor(): match $dynamicAnchor in addition to $anchor so anchor-style fragments resolve correctly. 3. traverseSchema(): traverse $defs sub-schemas from extensions so nested refs and anchors inside $defs are available to consumers. 4. mergeSchemas(): copy $dynamicRef and $dynamicAnchor from source to target so these fields survive the merge cycle. Closes swagger-api#2331
This was referenced May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the OAS 3.1 dereferencer to handle specs using
$dynamicRef,$dynamicAnchor,$defs, and$idwithout crashing or losing data. Closes #2331.Four changes, all in
modules/swagger-parser-v3/:ReferenceVisitor.resolveSchemaRef()— BypassinheritedIds(the$idchain) for#/components/and#/definitions/refs so a schema's$idcannot hijack document-level resolution. Also clearinheritedIdsduring traversal of resolved components to prevent$idscope from leaking into nested refs.ReferenceVisitor.findAnchor()— Match$dynamicAnchorin addition to$anchorso anchor-style fragments resolve correctly.OpenAPI31Traverser.traverseSchema()— Traverse$defssub-schemas from extensions so nested refs and anchors inside$defsare available to consumers.OpenAPI31Traverser.mergeSchemas()— Copy$dynamicRefand$dynamicAnchorfrom source to target so these fields survive the merge cycle.Test plan
OpenAPIV3ParserDynamicRefTestcovering:$id+$refto#/components/(no crash)$idscope leak into nested document-level refs$idscope leak into nested file refs$dynamicRef/$dynamicAnchorpreservation after resolution$defstraversal and preservation$dynamicRefoverride patternmergeSchemasfield preservationFull module suite passes (588 tests, 0 failures):