Address local HTTP ref review

Author: koxudaxi

docs/cli-reference/general-options.md

@@ -1638,7 +1638,9 @@ Resolve HTTP references from local schema files.
 
 The `--http-local-ref-path` flag maps HTTP(S) `$ref` URLs to files under
 a local schema store instead of fetching them from the network. The host and
-URL path are used as the relative path under the schema store.
+URL path are used as the relative path under the schema store. For example,
+`https://api.example.com/schemas/pet.json` is read from
+`schemas/api.example.com/schemas/pet.json`.
 
 !!! tip "Usage"
 
@@ -1655,19 +1657,7 @@ URL path are used as the relative path under the schema store.
     ```json
     {
       "$schema": "http://json-schema.org/draft-07/schema#",
-      "title": "Pet",
-      "type": "object",
-      "properties": {
-        "id": {
-          "type": "integer"
-        },
-        "name": {
-          "type": "string"
-        },
-        "tag": {
-          "type": "string"
-        }
-      }
+      "$ref": "https://api.example.com/schemas/pet.json"
     }
     ```
 
@@ -1680,13 +1670,17 @@ URL path are used as the relative path under the schema store.
 
     from __future__ import annotations
 
-    from pydantic import BaseModel
+    from pydantic import BaseModel, RootModel
 
 
     class Pet(BaseModel):
         id: int | None = None
         name: str | None = None
         tag: str | None = None
+    
+    
+    class Model(RootModel[Pet]):
+        root: Pet
     ```
 
 ---

docs/cli-reference/model-customization.md

@@ -5272,9 +5272,9 @@ Use default values from schema in generated models.
 The `--use-default` flag allows required fields with default values to be generated
 with their defaults, making them optional to provide when instantiating the model.
 
-    The field type still follows the schema's nullability. For example, a required
-    string field with a default is generated as `str = 'value'`, not
-    `str | None = 'value'`, unless the schema allows null.
+When `--strict-nullable` is enabled, the field type still follows the schema's
+nullability. For example, a required string field with a default is generated
+as `str = 'value'`, not `str | None = 'value'`, unless the schema allows null.
 
 **Related:** [`--strict-nullable`](model-customization.md#strict-nullable)
 

src/datamodel_code_generator/parser/jsonschema.py

@@ -3850,14 +3850,19 @@ def _get_ref_body_from_local_http_path(self, ref: str) -> dict[str, YamlValue]:
             raise Error(msg)
 
         parts = [unquote(part) for part in parsed.path.split("/") if part]
-        if not parsed.netloc or any(part in {".", ".."} for part in parts):
+        if not parsed.netloc or any(part in {".", ".."} or "/" in part or "\\" in part for part in parts):
             msg = f"Unsupported local HTTP $ref URL path: {ref}"
             raise Error(msg)
 
+        base_path = self.http_local_ref_path.resolve()
         relative_path = Path(parsed.netloc, *parts)
-        file_paths = [self.http_local_ref_path / relative_path]
+        file_paths = [(base_path / relative_path).resolve()]
         if not parts or not Path(parts[-1]).suffix:
-            file_paths.append(file_paths[0].with_name(f"{file_paths[0].name}.json"))
+            file_paths.append((base_path / relative_path.with_name(f"{relative_path.name}.json")).resolve())
+
+        if any(not file_path.is_relative_to(base_path) for file_path in file_paths):
+            msg = f"Unsupported local HTTP $ref URL path: {ref}"
+            raise Error(msg)
 
         for file_path in file_paths:
             if file_path.is_file():

tests/data/expected/main_kr/http_local_ref_path/output.py

@@ -0,0 +1,17 @@
+# generated by datamodel-codegen:
+#   filename:  https://api.example.com/schema.json
+#   timestamp: 2019-07-26T00:00:00+00:00
+
+from __future__ import annotations
+
+from pydantic import BaseModel, RootModel
+
+
+class Pet(BaseModel):
+    id: int | None = None
+    name: str | None = None
+    tag: str | None = None
+
+
+class Model(RootModel[Pet]):
+    root: Pet

tests/data/jsonschema/http_local_ref_path_root.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$ref": "https://api.example.com/schemas/pet.json"
+}

tests/main/jsonschema/test_main_jsonschema.py

@@ -510,9 +510,9 @@ def test_main_null_and_array(output_file: Path) -> None:
 The `--use-default` flag allows required fields with default values to be generated
 with their defaults, making them optional to provide when instantiating the model.
 
-    The field type still follows the schema's nullability. For example, a required
-    string field with a default is generated as `str = 'value'`, not
-    `str | None = 'value'`, unless the schema allows null.""",
+When `--strict-nullable` is enabled, the field type still follows the schema's
+nullability. For example, a required string field with a default is generated
+as `str = 'value'`, not `str | None = 'value'`, unless the schema allows null.""",
     input_schema="jsonschema/use_default_with_const.json",
     cli_args=["--output-model-type", "pydantic_v2.BaseModel", "--use-default"],
     golden_output="jsonschema/use_default_with_const.py",
@@ -524,9 +524,9 @@ def test_use_default_pydantic_v2_with_json_schema_const(output_file: Path) -> No
     The `--use-default` flag allows required fields with default values to be generated
     with their defaults, making them optional to provide when instantiating the model.
 
-    The field type still follows the schema's nullability. For example, a required
-    string field with a default is generated as `str = 'value'`, not
-    `str | None = 'value'`, unless the schema allows null.
+    When `--strict-nullable` is enabled, the field type still follows the schema's
+    nullability. For example, a required string field with a default is generated
+    as `str = 'value'`, not `str | None = 'value'`, unless the schema allows null.
     """
     run_main_and_assert(
         input_path=JSON_SCHEMA_DATA_PATH / "use_default_with_const.json",

tests/parser/test_jsonschema.py

@@ -289,6 +289,8 @@ def test_json_schema_ref_url_from_local_http_path_with_extension(tmp_path: Path,
     [
         "http:///application/package/element/sub-element",
         "http://example.com/application/package/../sub-element",
+        "http://example.com/..%5C..%5CWindows%5Cwin.ini",
+        "http://example.com/path%2Fwith-slash",
     ],
 )
 def test_json_schema_ref_url_from_local_http_path_invalid_path(tmp_path: Path, ref: str) -> None:
@@ -307,6 +309,24 @@ def test_json_schema_ref_url_from_local_http_path_missing_file(tmp_path: Path) -
         parser._get_ref_body_from_url("http://example.com/schema")
 
 
+def test_json_schema_ref_url_from_local_http_path_symlink_escape(tmp_path: Path) -> None:
+    """Test local HTTP JSON schema references cannot escape the schema store through symlinks."""
+    schema_store = tmp_path / "schemas"
+    local_schema = schema_store / "example.com" / "schema.json"
+    local_schema.parent.mkdir(parents=True)
+    outside_schema = tmp_path / "outside.json"
+    outside_schema.write_text('{"type": "object"}', encoding="utf-8")
+    try:
+        local_schema.symlink_to(outside_schema)
+    except OSError as exc:
+        pytest.skip(f"symlink creation is not supported: {exc}")
+
+    parser = JsonSchemaParser("", allow_remote_refs=False, http_local_ref_path=schema_store)
+
+    with pytest.raises(Error, match="Unsupported local HTTP \\$ref URL path"):
+        parser._get_ref_body_from_url("http://example.com/schema.json")
+
+
 @pytest.mark.parametrize(
     ("source_obj", "generated_classes"),
     [

tests/test_main_kr.py

@@ -1543,15 +1543,17 @@ def test_url_with_http_headers(mock_httpx_get: HttpxGetMockFactory, output_file:
 
 The `--http-local-ref-path` flag maps HTTP(S) `$ref` URLs to files under
 a local schema store instead of fetching them from the network. The host and
-URL path are used as the relative path under the schema store.""",
-    input_schema="jsonschema/pet_simple.json",
+URL path are used as the relative path under the schema store. For example,
+`https://api.example.com/schemas/pet.json` is read from
+`schemas/api.example.com/schemas/pet.json`.""",
+    input_schema="jsonschema/http_local_ref_path_root.json",
     cli_args=[
         "--url",
         "https://api.example.com/schema.json",
         "--http-local-ref-path",
         "schemas",
     ],
-    golden_output="main_kr/url_with_headers/output.py",
+    golden_output="main_kr/http_local_ref_path/output.py",
 )
 @freeze_time("2019-07-26")
 def test_http_local_ref_path_cli_doc(mock_httpx_get: HttpxGetMockFactory, output_file: Path, tmp_path: Path) -> None:
@@ -1562,17 +1564,22 @@ def test_http_local_ref_path_cli_doc(mock_httpx_get: HttpxGetMockFactory, output
     URL path are used as the relative path under the schema store.
     """
     schema_store = tmp_path / "schemas"
-    schema_store.mkdir()
+    local_schema = schema_store / "api.example.com" / "schemas" / "pet.json"
+    local_schema.parent.mkdir(parents=True)
+    local_schema.write_text((JSON_SCHEMA_DATA_PATH / "pet_simple.json").read_text(), encoding="utf-8")
     mock_get = mock_httpx_get(
-        MockHttpxResponse("https://api.example.com/schema.json", JSON_SCHEMA_DATA_PATH / "pet_simple.json")
+        MockHttpxResponse(
+            "https://api.example.com/schema.json",
+            JSON_SCHEMA_DATA_PATH / "http_local_ref_path_root.json",
+        )
     )
 
     run_main_url_and_assert(
         url="https://api.example.com/schema.json",
         output_path=output_file,
         input_file_type="jsonschema",
         assert_func=assert_file_content,
-        expected_file=EXPECTED_MAIN_KR_PATH / "url_with_headers" / "output.py",
+        expected_file=EXPECTED_MAIN_KR_PATH / "http_local_ref_path" / "output.py",
         extra_args=["--http-local-ref-path", str(schema_store)],
     )
     assert_httpx_get_kwargs(mock_get)