flutter/apidash
1
0
Fork 0
mirror of https://github.com/foss42/apidash.git synced 2025-12-05 12:34:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into copilot/find-security-vulnerabilities

Browse Source
This commit is contained in:
Ankit Mahato
2025-12-04 19:30:15 +00:00
committed by GitHub
parent 8821e165ff 7c7b66a83a
commit 8f5c387018
15 changed files with 320 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@@ -1,9 +1,7 @@
# API Dash ⚡️
[![Discord Server Invite](https://img.shields.io/badge/DISCORD-JOIN%20SERVER-5663F7?style=for-the-badge&logo=discord&logoColor=white)](https://discord.com/invite/bBeSdtJ6Ue)
<a href="https://summerofcode.withgoogle.com/programs/2025/organizations/api-dash" target="_blank"><img src="https://github.com/foss42/apidash/assets/615622/493ce57f-06c3-4789-b7ae-9fa63bca8183" alt="GSoC" width="400"></a>
<a href="https://discord.com/invite/bBeSdtJ6Ue" target="_blank"><img src="https://img.shields.io/badge/DISCORD-JOIN%20SERVER-5663F7?style=for-the-badge&logo=discord&logoColor=white" alt="Discord Server Invite"></a><br>
<img src="https://trendshift.io/api/badge/repositories/9734" alt="foss42%2Fapidash | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/> &nbsp;&nbsp;&nbsp; <a href="https://summerofcode.withgoogle.com/programs/2025/organizations/api-dash" target="_blank"><img src="https://github.com/foss42/apidash/assets/615622/493ce57f-06c3-4789-b7ae-9fa63bca8183" alt="GSoC" width="400"></a>
### Please support this initiative by giving this project a Star ⭐️
@@ -138,6 +136,13 @@ API Dash can be downloaded from the links below:
- Customize various options using a dedicated Settings screen.
- Window Configuration (Size & Position) is persisted and restored on app start. (Only macOS & Windows)
## Supported by ❤️
<a href="https://www.lambdatest.com/?utm_source=apidash&utm_medium=sponsor" target="_blank">
<img width="250" height="48" alt="lambdatest-logo" src="https://github.com/user-attachments/assets/c1d9263a-e60e-4161-8d65-fc5ff82fe9f7" />
</a>
## Code Generators
API Dash currently supports API integration code generation for the following languages/libraries.

111
doc/dev_guide/openapi.md Normal file
View File

@@ -0,0 +1,111 @@
# OpenAPI
The OpenAPI import feature was failing when trying to import specifications from URLs like https://catfact.ninja/docs?api-docs.json. The error "The fetched content does not look like a valid OpenAPI spec (JSON or YAML)" was shown even though the content was a valid OpenAPI 3.0 specification. This was caused by a bug in the openapi_spec package (v0.15.0) that cannot parse OpenAPI specs containing "security": [[]] (empty security arrays), which is valid according to the OpenAPI 3.0 specification.
> Fix
Added a workaround in OpenApiImportService.tryParseSpec() that detects parsing failures and automatically removes problematic security fields containing empty arrays before retrying the parse operation. This is a temporary workaround until the upstream package is fixed.
- [APIDash](https://drive.google.com/file/d/1CWocxCVW99-bEWkZlwInGq0JykHalv9a/view?usp=sharing) - Works without any fix
- [Cat Fact API](https://drive.google.com/file/d/1ox71b3tT4Lv-9jw7zV1ronWQR_uW3K25/view?usp=drive_link) - Works with this fix
- [DigitalOcean Droplet Metadata API](https://drive.google.com/file/d/1XKZXJvrwvAVm3OVBEZFhScOuCMjPJBZh/view?usp=drive_link) - Works without any fix
- [GitHub v3 REST API](https://drive.google.com/file/d/1WcJXSosHPD0uiybJrqpJSknM5FA0De02/view?usp=drive_link) - Doesn't Work
- [Swagger Petstore](https://drive.google.com/file/d/1LBqBrlcsXo7Clr7VKn7CYe75c_H4U8zQ/view?usp=drive_link) - Doesn't Work
- [RailwayStations REST API](https://drive.google.com/file/d/1jVFk-hNf_gb_VeBuAomOgh6tWByU9Fyi/view?usp=drive_link) - Doesn't Work
- [UniProt REST API Server](https://drive.google.com/file/d/1KTIqKC7SludxsyCYN6kXWQySve4GpbhD/view?usp=drive_link) - Doesn't Work
- [VIT-AP VTOP API](https://drive.google.com/file/d/1B5Mh3IK2uUBoRSocEKQd2Dvf7SZWm03M/view?usp=drive_link) - Works without any fix
Its not our parser that causes the issue. The failures come from the documents themselves and how the openapi_spec package (correctly) enforces OpenAPI shapes. Valid security fields work fine as per the package docs; the broken cases are due to invalid spec content.
### Findings per document
- cat_facts.json (also the Cat Facts URL)
- Problem: Top-level security is malformed: security: [[]]
- Why it fails: In OpenAPI 3.0, top-level security must be an array of SecurityRequirement objects (maps). Examples:
- Valid: security: [] (no requirements) or security: [ { api_key: [] } ]
- Invalid: security: [[]] (array of arrays)
- openapi_spec error: type 'List<dynamic>' is not a subtype of type 'Map<String, dynamic>'
- Conclusion: The document is invalid. This is not a general “security field” issue, just this malformed shape.
- railway-stations.yaml
- Problem: Component parameter reference points to a Parameter missing required fields (e.g., 'in').
- Error: CheckedFromJsonException: Could not create Parameter. There is a problem with "in". Invalid union type "null"!
- The stack/message points at $ref: #/components/parameters/Authorization.
- Conclusion: Not related to security. The referenced Parameter definition is incomplete (missing in: header|query|path|cookie) or otherwise invalid.
- travel.yaml
- Problem: Same class of failure as railway-stations.yaml, with a parameter ref like $ref: #/components/parameters/page.
- Error: CheckedFromJsonException... problem with "in" (Invalid union type "null").
- Note: components.securitySchemes is present here and is not the cause.
- Conclusion: Also a spec issue with parameter component definitions/references.
- digitalocean.yaml
- Result: Parses successfully with openapi_spec.
- Note: No top-level security; nothing problematic here.
- Conclusion: Confirms the parser handles valid documents correctly.
Steps to reproduce failures from local files,
```
import 'dart:io';
import 'package:openapi_spec/openapi_spec.dart';
void main(List<String> args) async {
// Pass file paths as args below.
final paths = args.isNotEmpty
? args
: <String>[
'./cat_facts.json',
'./railway-stations.yaml',
];
for (final p in paths) {
stdout.writeln('\n=== Parsing: $p ===');
final f = File(p);
if (!await f.exists()) {
stdout.writeln('Skip: file not found');
continue;
}
final content = await f.readAsString();
try {
final spec = OpenApi.fromString(source: content, format: null);
stdout.writeln('SUCCESS: title="${spec.info.title}", version="${spec.info.version}"');
stdout.writeln('Paths: ${spec.paths?.length ?? 0}');
} catch (e, st) {
final err = e.toString();
stdout.writeln('FAIL: ${err.substring(0, err.length.clamp(0, 400))}...');
// Stack Trace
final stStr = st.toString();
if (stStr.isNotEmpty) {
stdout.writeln('Stack:\n$stStr');
}
}
}
}
```
### How to run
- Create a new dart project, put the openapi spec file and this script there.
- Add the depndency, `dart pub add openapi_spec: ^0.15.0`
- Run:
- `dart run path/to/this/file`
### Expected outcomes
- `cat_facts.json`
- FAIL with an error like:
- type 'List<dynamic>' is not a subtype of type 'Map<String, dynamic>'
- This is triggered by the invalid top-level security shape: security: [[]]
- `railway-stations.yaml`
- FAIL with an error like:
- CheckedFromJsonException: Could not create `Parameter`. There is a problem with "in". Invalid union type "null"!
- This points to a components/parameters reference missing required “in”.

42
lib/dashbot/services/openapi_import_service.dart
View File

@@ -132,15 +132,53 @@ class OpenApiImportService {
/// Try to parse a JSON or YAML OpenAPI spec string.
/// Returns null if parsing fails.
///
/// NOTE: There's a known issue with the openapi_spec package where
/// security fields containing empty arrays (e.g., "security": [[]])
/// cause parsing failures. This method includes a workaround.
static OpenApi? tryParseSpec(String source) {
try {
// Let the library infer JSON/YAML
return OpenApi.fromString(source: source, format: null);
} catch (_) {
} catch (e) {
// Try workaround for security field parsing issues
try {
final processedSource = _removeProblematicSecurityField(source);
if (processedSource != source) {
return OpenApi.fromString(source: processedSource, format: null);
}
} catch (_) {
// Workaround failed, fall through to return null
}
return null;
}
}
/// Removes problematic security fields that cause parsing issues.
/// TODO: Remove this workaround once openapi_spec package fixes
/// the issue with security fields containing empty arrays.
static String _removeProblematicSecurityField(String source) {
try {
final spec = jsonDecode(source) as Map<String, dynamic>;
if (spec.containsKey('security')) {
final security = spec['security'];
if (security is List && _hasEmptySecurityArrays(security)) {
spec.remove('security');
return jsonEncode(spec);
}
}
return source;
} catch (e) {
throw FormatException('Failed to preprocess OpenAPI spec: $e');
}
}
/// Checks if security list contains empty arrays that cause parsing issues.
static bool _hasEmptySecurityArrays(List<dynamic> security) {
return security.any((item) => item is List && item.isEmpty);
}
/// Build a single request payload from a path + method operation.
/// The payload mirrors CurlImportService payload shape for reuse.
static Map<String, dynamic> _payloadForOperation({

4
lib/main.dart
View File

@@ -14,7 +14,6 @@ void main() async {
await Stac.initialize();
//Load all LLMs
// await LLMManager.fetchAvailableLLMs();
await ModelManager.fetchAvailableModels();
var settingsModel = await getSettingsFromSharedPrefs();
@@ -30,9 +29,6 @@ void main() async {
settingsModel = settingsModel?.copyWithPath(workspaceFolderPath: null);
}
// TODO: Load all models at init
// await ModelManager.loadAvailableLLMs();
runApp(
ProviderScope(
overrides: [

19
lib/providers/collection_providers.dart
View File

@@ -250,12 +250,15 @@ class CollectionStateNotifier
newModel = switch (apiType) {
APIType.rest || APIType.graphql => currentModel.copyWith(
apiType: apiType,
requestTabIndex: 0,
name: name ?? currentModel.name,
description: description ?? currentModel.description,
httpRequestModel: const HttpRequestModel(),
aiRequestModel: null),
aiRequestModel: null,
),
APIType.ai => currentModel.copyWith(
apiType: apiType,
requestTabIndex: 0,
name: name ?? currentModel.name,
description: description ?? currentModel.description,
httpRequestModel: null,
@@ -350,8 +353,20 @@ class CollectionStateNotifier
executionRequestModel.httpRequestModel!);
}
// Terminal: start network log
// Terminal
final terminal = ref.read(terminalStateProvider.notifier);
var valRes = getValidationResult(substitutedHttpRequestModel);
if (valRes != null) {
terminal.logSystem(
category: 'validation',
message: valRes,
level: TerminalLevel.error,
);
ref.read(showTerminalBadgeProvider.notifier).state = true;
}
// Terminal: start network log
final logId = terminal.startNetwork(
apiType: executionRequestModel.apiType,
method: substitutedHttpRequestModel.method,

1
lib/providers/ui_providers.dart
View File

@@ -13,6 +13,7 @@ final historyCodePaneVisibleStateProvider = StateProvider<bool>((ref) => false);
final saveDataStateProvider = StateProvider<bool>((ref) => false);
final clearDataStateProvider = StateProvider<bool>((ref) => false);
final hasUnsavedChangesProvider = StateProvider<bool>((ref) => false);
final showTerminalBadgeProvider = StateProvider<bool>((ref) => false);
// final nameTextFieldControllerProvider =
// StateProvider.autoDispose<TextEditingController>((ref) {

22
lib/screens/dashboard.dart
View File

@@ -76,13 +76,21 @@ class Dashboard extends ConsumerWidget {
style: Theme.of(context).textTheme.labelSmall,
),
kVSpacer10,
IconButton(
isSelected: railIdx == 3,
onPressed: () {
ref.read(navRailIndexStateProvider.notifier).state = 3;
},
icon: const Icon(Icons.terminal_outlined),
selectedIcon: const Icon(Icons.terminal),
Badge(
backgroundColor: Theme.of(context).colorScheme.error,
isLabelVisible:
ref.watch(showTerminalBadgeProvider) && railIdx != 3,
child: IconButton(
isSelected: railIdx == 3,
onPressed: () {
ref.read(navRailIndexStateProvider.notifier).state =
3;
ref.read(showTerminalBadgeProvider.notifier).state =
false;
},
icon: const Icon(Icons.terminal_outlined),
selectedIcon: const Icon(Icons.terminal),
),
),
Text(
'Logs',

5
lib/screens/home_page/editor_pane/details_card/request_pane/request_pane_graphql.dart
View File

@@ -15,7 +15,7 @@ class EditGraphQLRequestPane extends ConsumerWidget {
@override
Widget build(BuildContext context, WidgetRef ref) {
final selectedId = ref.watch(selectedIdStateProvider);
var tabIndex = ref.watch(
final tabIndex = ref.watch(
selectedRequestModelProvider.select((value) => value?.requestTabIndex));
final codePaneVisible = ref.watch(codePaneVisibleStateProvider);
final headerLength = ref.watch(selectedRequestModelProvider
@@ -34,9 +34,6 @@ class EditGraphQLRequestPane extends ConsumerWidget {
final hasAuth = ref.watch(selectedRequestModelProvider.select((value) =>
value?.httpRequestModel?.authModel?.type != APIAuthType.none));
if (tabIndex >= 3) {
tabIndex = 0;
}
return RequestPane(
selectedId: selectedId,
codePaneVisible: codePaneVisible,

2
lib/services/hive_services.dart
View File

@@ -1,5 +1,5 @@
import 'package:flutter/foundation.dart';
import 'package:hive_flutter/hive_flutter.dart';
import 'package:hive_ce_flutter/hive_flutter.dart';
import 'secure_credential_storage.dart';
enum HiveBoxType { normal, lazy }

1
lib/utils/utils.dart
View File

@@ -8,4 +8,5 @@ export 'http_utils.dart';
export 'js_utils.dart';
export 'save_utils.dart';
export 'ui_utils.dart';
export 'validation_utils.dart';
export 'window_utils.dart';

18
lib/utils/validation_utils.dart Normal file
View File

@@ -0,0 +1,18 @@
import 'package:apidash_core/apidash_core.dart';
String? getValidationResult(HttpRequestModel requestModel) {
if (requestModel.url.trim().isEmpty) {
return 'Request URL is empty. Please provide a valid URL.';
}
if (requestModel.method == HTTPVerb.get && requestModel.hasAnyBody) {
return 'GET request contains a body. This is not supported.';
}
if (requestModel.hasJsonData) {
try {
kJsonDecoder.convert(requestModel.body!);
} catch (e) {
return 'Invalid JSON in request body: ${e.toString()}';
}
}
return null;
}

4
packages/better_networking/lib/models/http_request_model.dart
View File

@@ -47,6 +47,10 @@ class HttpRequestModel with _$HttpRequestModel {
bool get hasTextContentType => bodyContentType == ContentType.text;
int get contentLength => utf8.encode(body ?? "").length;
bool get hasBody => hasJsonData || hasTextData || hasFormData;
bool get hasAnyBody =>
(hasJsonContentType && contentLength > 0) ||
(hasTextContentType && contentLength > 0) ||
(hasFormDataContentType && formDataMapList.isNotEmpty);
bool get hasJsonData =>
kMethodsWithBody.contains(method) &&
hasJsonContentType &&

26
pubspec.lock
View File

@@ -844,14 +844,22 @@ packages:
url: "https://pub.dev"
source: hosted
version: "2.2.3"
hive_flutter:
dependency: "direct main"
hive_ce:
dependency: transitive
description:
name: hive_flutter
sha256: dca1da446b1d808a51689fb5d0c6c9510c0a2ba01e22805d492c73b68e33eecc
name: hive_ce
sha256: "81d39a03c4c0ba5938260a8c3547d2e71af59defecea21793d57fc3551f0d230"
url: "https://pub.dev"
source: hosted
version: "1.1.0"
version: "2.15.1"
hive_ce_flutter:
dependency: "direct main"
description:
name: hive_ce_flutter
sha256: "26d656c9e8974f0732f1d09020e2d7b08ba841b8961a02dbfb6caf01474b0e9a"
url: "https://pub.dev"
source: hosted
version: "2.3.3"
hooks_riverpod:
dependency: "direct main"
description:
@@ -944,6 +952,14 @@ packages:
url: "https://pub.dev"
source: hosted
version: "1.0.5"
isolate_channel:
dependency: transitive
description:
name: isolate_channel
sha256: f3d36f783b301e6b312c3450eeb2656b0e7d1db81331af2a151d9083a3f6b18d
url: "https://pub.dev"
source: hosted
version: "0.2.2+1"
jaspr:
dependency: transitive
description:

2
pubspec.yaml
View File

@@ -37,7 +37,7 @@ dependencies:
fvp: ^0.32.1
highlight: ^0.7.0
highlighter: ^0.1.1
hive_flutter: ^1.1.0
hive_ce_flutter: ^2.3.3
hooks_riverpod: ^2.5.2
intl: ^0.19.0
jinja: ^0.6.1

80
test/dashbot/services/openapi_import_service_test.dart
View File

@@ -31,6 +31,86 @@ void main() {
expect(summary, contains('POST'));
});
test('tryParseSpec handles problematic security field with empty arrays',
() {
const specWithEmptySecurityArray = '''
{
"openapi": "3.0.0",
"info": {
"title": "Cat Fact API",
"version": "1.0.0"
},
"paths": {
"/fact": {
"get": {
"responses": {
"200": {
"description": "Success"
}
}
}
}
},
"security": [[]]
}''';
final result =
OpenApiImportService.tryParseSpec(specWithEmptySecurityArray);
expect(result, isNotNull);
expect(result!.info.title, equals('Cat Fact API'));
expect(result.info.version, equals('1.0.0'));
expect(result.paths, isNotNull);
expect(result.paths!.keys, contains('/fact'));
});
test('tryParseSpec handles valid security field with actual requirements',
() {
const specWithRealSecurity = '''
{
"openapi": "3.0.0",
"info": {
"title": "Secured API",
"version": "1.0.0"
},
"paths": {
"/secured": {
"get": {
"responses": {
"200": {
"description": "Success"
}
}
}
}
},
"security": [
{
"api_key": []
}
]
}''';
final result = OpenApiImportService.tryParseSpec(specWithRealSecurity);
expect(result, isNotNull);
expect(result!.info.title, equals('Secured API'));
});
test('tryParseSpec returns null for invalid JSON', () {
const invalidSpec = 'not valid json';
final result = OpenApiImportService.tryParseSpec(invalidSpec);
expect(result, isNull);
});
test('tryParseSpec returns null for non-OpenAPI JSON', () {
const nonOpenApiSpec = '''
{
"notOpenApi": true,
"someField": "value"
}''';
final result = OpenApiImportService.tryParseSpec(nonOpenApiSpec);
expect(result, isNull);
});
test('extractSpecMeta includes endpoints & baseUrl', () {
final spec = OpenApiImportService.tryParseSpec(_specJson)!;
final meta = OpenApiImportService.extractSpecMeta(spec);