support to load swaggers from an extension (#639)

* feat: support to download differnt kinds of ext

* support to load swaggers from an extension

* docs(extension): add swagger data extension and update documentation

- Add swagger data extension to the extensions list
- Update documentation to include new extension usage

* Potential fix for code scanning alert no. 69: Arbitrary file access during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Rick <[email protected]>

---------

Signed-off-by: Rick <[email protected]>
Co-authored-by: rick <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: LinuxSuRen

cmd/extension.go

@@ -31,6 +31,7 @@ type extensionOption struct {
 	ociDownloader downloader.PlatformAwareOCIDownloader
 	output        string
 	registry      string
+	kind          string
 	tag           string
 	os            string
 	arch          string
@@ -53,6 +54,7 @@ func createExtensionCommand(ociDownloader downloader.PlatformAwareOCIDownloader)
 	flags.StringVarP(&opt.output, "output", "", ".", "The target directory")
 	flags.StringVarP(&opt.tag, "tag", "", "", "The extension image tag, try to find the latest one if this is empty")
 	flags.StringVarP(&opt.registry, "registry", "", "", "The target extension image registry, supported: docker.io, ghcr.io")
+	flags.StringVarP(&opt.kind, "kind", "", "store", "The extension kind")
 	flags.StringVarP(&opt.os, "os", "", runtime.GOOS, "The OS")
 	flags.StringVarP(&opt.arch, "arch", "", runtime.GOARCH, "The architecture")
 	flags.DurationVarP(&opt.timeout, "timeout", "", time.Minute, "The timeout of downloading")
@@ -66,6 +68,7 @@ func (o *extensionOption) runE(cmd *cobra.Command, args []string) (err error) {
 	o.ociDownloader.WithRegistry(o.registry)
 	o.ociDownloader.WithImagePrefix(o.imagePrefix)
 	o.ociDownloader.WithTimeout(o.timeout)
+	o.ociDownloader.WithKind(o.kind)
 	o.ociDownloader.WithContext(cmd.Context())
 
 	for _, arg := range args {

cmd/server.go

@@ -22,6 +22,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/linuxsuren/api-testing/pkg/apispec"
 	"net"
 	"net/http"
 	"os"
@@ -302,6 +303,15 @@ func (o *serverOption) runE(cmd *cobra.Command, args []string) (err error) {
 		_ = o.httpServer.Shutdown(ctx)
 	}()
 
+	go func() {
+		err := apispec.DownloadSwaggerData("", extDownloader)
+		if err != nil {
+			fmt.Println("failed to download swagger data", err)
+		} else {
+			fmt.Println("success to download swagger data")
+		}
+	}()
+
 	mux := runtime.NewServeMux(runtime.WithMetadata(server.MetadataStoreFunc),
 		runtime.WithMarshalerOption("application/json+pretty", &runtime.JSONPb{
 			MarshalOptions: protojson.MarshalOptions{
@@ -342,6 +352,7 @@ func (o *serverOption) runE(cmd *cobra.Command, args []string) (err error) {
 		mux.HandlePath(http.MethodGet, "/get", o.getAtestBinary)
 		mux.HandlePath(http.MethodPost, "/runner/{suite}/{case}", service.WebRunnerHandler)
 		mux.HandlePath(http.MethodGet, "/api/v1/sbom", service.SBomHandler)
+		mux.HandlePath(http.MethodGet, "/api/v1/swaggers", apispec.SwaggersHandler)
 
 		postRequestProxyFunc := postRequestProxy(o.skyWalking)
 		mux.HandlePath(http.MethodPost, "/browser/{app}", postRequestProxyFunc)

console/atest-ui/src/views/TestSuite.vue

@@ -4,7 +4,7 @@ import { reactive, ref, watch } from 'vue'
 import { Edit, CopyDocument, Delete } from '@element-plus/icons-vue'
 import type { FormInstance, FormRules } from 'element-plus'
 import type { Suite, TestCase, Pair } from './types'
-import { NewSuggestedAPIsQuery, GetHTTPMethods } from './types'
+import { NewSuggestedAPIsQuery, GetHTTPMethods, SwaggerSuggestion } from './types'
 import EditButton from '../components/EditButton.vue'
 import { Cache } from './cache'
 import { useI18n } from 'vue-i18n'
@@ -20,6 +20,7 @@ const props = defineProps({
 })
 const emit = defineEmits(['updated'])
 let querySuggestedAPIs = NewSuggestedAPIsQuery(Cache.GetCurrentStore().name, props.name!)
+const querySwaggers = SwaggerSuggestion()
 
 const suite = ref({
   name: '',
@@ -325,7 +326,10 @@ const renameTestSuite = (name: string) => {
             </el-select>
           </td>
           <td>
-            <el-input class="mx-1" v-model="suite.spec.url" placeholder="API Spec URL"></el-input>
+              <el-autocomplete
+                  v-model="suite.spec.url"
+                  :fetch-suggestions="querySwaggers"
+              />
           </td>
         </tr>
       </table>

console/atest-ui/src/views/net.ts

@@ -620,6 +620,12 @@ function GetSuggestedAPIs(name: string,
     .then(callback)
 }
 
+function GetSwaggers(callback: (d: any) => void) {
+    fetch(`/api/v1/swaggers`, {})
+        .then(DefaultResponseProcess)
+        .then(callback)
+}
+
 function ReloadMockServer(config: any) {
   const requestOptions = {
     method: 'POST',
@@ -812,7 +818,7 @@ export const API = {
   CreateOrUpdateStore, GetStores, DeleteStore, VerifyStore,
   FunctionsQuery,
   GetSecrets, DeleteSecret, CreateOrUpdateSecret,
-  GetSuggestedAPIs,
+  GetSuggestedAPIs, GetSwaggers,
   ReloadMockServer, GetMockConfig, SBOM, DataQuery,
   getToken
 }

console/atest-ui/src/views/types.ts

@@ -102,6 +102,28 @@ export function NewSuggestedAPIsQuery(store: string, suite: string) {
     })
   }
 }
+
+interface SwaggerItem {
+    value: string
+}
+
+export function SwaggerSuggestion() {
+    return function (queryString: string, cb: (arg: any) => void) {
+        API.GetSwaggers((e) => {
+            var swaggers = [] as SwaggerItem[]
+            e.forEach((item: string) => {
+                swaggers.push({
+                    "value": `atest://${item}`
+                })
+            })
+
+            const results = queryString ? swaggers.filter((item: SwaggerItem) => {
+                return item.value.toLowerCase().indexOf(queryString.toLowerCase()) != -1
+            }) : swaggers
+            cb(results.slice(0, 10))
+        })
+    }
+}
 export function CreateFilter(queryString: string) {
   return (v: Pair) => {
     return v.value.toLowerCase().indexOf(queryString.toLowerCase()) !== -1

docs/site/content/zh/latest/tasks/extension.md

@@ -31,3 +31,9 @@ atest extension orm
 ```shell
 atest extension orm --registry ghcr.io --timeout 2ms
 ```
+
+想要下载其他类型的插件的话，可以使用下面的命令：
+
+```shell
+atest extension --kind data swagger
+```

extensions/README.md

@@ -11,6 +11,7 @@ Ports in extensions:
 | Monitor | [docker-monitor](https://github.com/LinuxSuRen/atest-ext-monitor-docker) |  |
 | Agent | [collector](https://github.com/LinuxSuRen/atest-ext-collector)           |  |
 | Secret | [Vault](https://github.com/LinuxSuRen/api-testing-vault-extension)       | |
+| Data | [Swagger](https://github.com/LinuxSuRen/atest-ext-data-swagger) | |
 
 ## Contribute a new extension
 

pkg/apispec/remote_swagger.go

@@ -0,0 +1,134 @@
+/*
+Copyright 2025 API Testing Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apispec
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"github.com/linuxsuren/api-testing/pkg/downloader"
+	"github.com/linuxsuren/api-testing/pkg/util/home"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+func DownloadSwaggerData(output string, dw downloader.PlatformAwareOCIDownloader) (err error) {
+	dw.WithKind("data")
+	dw.WithOS("")
+
+	var reader io.Reader
+	if reader, err = dw.Download("swagger", "", ""); err != nil {
+		return
+	}
+
+	extFile := dw.GetTargetFile()
+
+	if output == "" {
+		output = home.GetUserDataDir()
+	}
+	if err = os.MkdirAll(filepath.Dir(output), 0755); err != nil {
+		return
+	}
+
+	targetFile := filepath.Base(extFile)
+	fmt.Println("start to save", filepath.Join(output, targetFile))
+	if err = downloader.WriteTo(reader, output, targetFile); err == nil {
+		err = decompressData(filepath.Join(output, targetFile))
+	}
+	return
+}
+
+func SwaggersHandler(w http.ResponseWriter, _ *http.Request,
+	_ map[string]string) {
+	swaggers := GetSwaggerList()
+	if data, err := json.Marshal(swaggers); err == nil {
+		_, _ = w.Write(data)
+	} else {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+func GetSwaggerList() (swaggers []string) {
+	dataDir := home.GetUserDataDir()
+	_ = filepath.WalkDir(dataDir, func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if !d.IsDir() && filepath.Ext(path) == ".json" {
+			swaggers = append(swaggers, filepath.Base(path))
+		}
+		return nil
+	})
+	return
+}
+
+func decompressData(dataFile string) (err error) {
+	var file *os.File
+	file, err = os.Open(dataFile)
+	if err != nil {
+		return
+	}
+	defer file.Close()
+
+	var gzipReader *gzip.Reader
+	gzipReader, err = gzip.NewReader(file)
+	if err != nil {
+		return
+	}
+	defer gzipReader.Close()
+
+	tarReader := tar.NewReader(gzipReader)
+
+	for {
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break // 退出循环
+		}
+		if err != nil {
+			panic(err)
+		}
+
+		// Ensure the file path does not contain directory traversal sequences
+		if strings.Contains(header.Name, "..") {
+			fmt.Printf("Skipping entry with unsafe path: %s\n", header.Name)
+			continue
+		}
+
+		destPath := filepath.Join(filepath.Dir(dataFile), filepath.Base(header.Name))
+
+		switch header.Typeflag {
+		case tar.TypeReg:
+			destFile, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY, os.FileMode(header.Mode))
+			if err != nil {
+				panic(err)
+			}
+			defer destFile.Close()
+
+			if _, err := io.Copy(destFile, tarReader); err != nil {
+				panic(err)
+			}
+		default:
+			fmt.Printf("Skipping entry type %c: %s\n", header.Typeflag, header.Name)
+		}
+	}
+	return
+}

pkg/apispec/swagger.go

@@ -18,8 +18,11 @@ package apispec
 
 import (
 	"github.com/go-openapi/spec"
+	"github.com/linuxsuren/api-testing/pkg/util/home"
 	"io"
 	"net/http"
+	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 )
@@ -123,13 +126,27 @@ func ParseToSwagger(data []byte) (swagger *spec.Swagger, err error) {
 }
 
 func ParseURLToSwagger(swaggerURL string) (swagger *spec.Swagger, err error) {
+	if strings.HasPrefix(swaggerURL, "atest://") {
+		swaggerURL = strings.ReplaceAll(swaggerURL, "atest://", "")
+		swagger, err = ParseFileToSwagger(filepath.Join(home.GetUserDataDir(), swaggerURL))
+		return
+	}
+
 	var resp *http.Response
 	if resp, err = http.Get(swaggerURL); err == nil && resp != nil && resp.StatusCode == http.StatusOK {
 		swagger, err = ParseStreamToSwagger(resp.Body)
 	}
 	return
 }
 
+func ParseFileToSwagger(dataFile string) (swagger *spec.Swagger, err error) {
+	var data []byte
+	if data, err = os.ReadFile(dataFile); err == nil {
+		swagger, err = ParseToSwagger(data)
+	}
+	return
+}
+
 func ParseStreamToSwagger(stream io.Reader) (swagger *spec.Swagger, err error) {
 	var data []byte
 	if data, err = io.ReadAll(stream); err == nil {