acacode · FDiskas · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/.changeset/famous-poets-reply.md b/.changeset/famous-poets-reply.md
@@ -0,0 +1,5 @@
+---
+"swagger-typescript-api": patch
+---
+
+Fix JSDoc comment security vulnerability: escape only necessary `*/` sequences to prevent code injection while reducing noise in generated documentation
diff --git a/src/code-gen-process.ts b/src/code-gen-process.ts
@@ -223,6 +223,8 @@ export class CodeGenProcess {
         Ts: this.config.Ts,
         formatDescription:
           this.schemaParserFabric.schemaFormatters.formatDescription,
+        escapeJSDocContent:
+          this.schemaParserFabric.schemaFormatters.escapeJSDocContent,
         internalCase: internalCase,
         classNameCase: pascalCase,
         pascalCase: pascalCase,

diff --git a/src/schema-parser/schema-formatters.ts b/src/schema-parser/schema-formatters.ts
@@ -102,18 +102,28 @@ export class SchemaFormatters {
     return formatterFn?.(parsedSchema) || parsedSchema;
   };
 
+  escapeJSDocContent = (content) => {
+    if (!content) return "";
+    // Escape */ sequences to prevent breaking out of JSDoc comments
+    // Note: /* sequences inside JSDoc comments are harmless and don't need escaping
+    return content.replace(/\*\//g, "*\\/");
+  };
+
   formatDescription = (description, inline) => {
     if (!description) return "";
 
-    const hasMultipleLines = description.includes("\n");
+    // Always escape JSDoc comment characters (function is idempotent)
+    const escapedDescription = this.escapeJSDocContent(description);
+
+    const hasMultipleLines = escapedDescription.includes("\n");
 
-    if (!hasMultipleLines) return description;
+    if (!hasMultipleLines) return escapedDescription;
 
     if (inline) {
       return (
         lodash
           // @ts-expect-error TS(2339) FIXME: Property '_' does not exist on type 'LoDashStatic'... Remove this comment to see the full error message
-          ._(description)
+          ._(escapedDescription)
           .split(/\n/g)
           .map((part) => part.trim())
           .compact()
@@ -122,7 +132,7 @@ export class SchemaFormatters {
       );
     }
 
-    return description.replace(/\n$/g, "");
+    return escapedDescription.replace(/\n$/g, "");
   };
 
   formatObjectContent = (content) => {

diff --git a/templates/base/object-field-jsdoc.ejs b/templates/base/object-field-jsdoc.ejs
@@ -1,18 +1,19 @@
+
 <%
 const { field, utils } = it;
-const { formatDescription, require, _ } = utils;
+const { formatDescription, escapeJSDocContent, require, _ } = utils;
 
 const comments = _.uniq(
     _.compact([
-        field.title,
-        field.description,
+        field.title && escapeJSDocContent(field.title),
+        field.description && escapeJSDocContent(field.description),
         field.deprecated && ` * @deprecated`,
         !_.isUndefined(field.format) && `@format ${field.format}`,
         !_.isUndefined(field.minimum) && `@min ${field.minimum}`,
         !_.isUndefined(field.maximum) && `@max ${field.maximum}`,
-        !_.isUndefined(field.pattern) && `@pattern ${field.pattern}`,
+        !_.isUndefined(field.pattern) && `@pattern ${escapeJSDocContent(field.pattern)}`,
         !_.isUndefined(field.example) &&
-        `@example ${_.isObject(field.example) ? JSON.stringify(field.example) : field.example}`,
+        `@example ${_.isObject(field.example) ? JSON.stringify(field.example) : escapeJSDocContent(field.example)}`,
     ]).reduce((acc, comment) => [...acc, ...comment.split(/\n/g)], []),
 );
 %>

diff --git a/templates/base/route-docs.ejs b/templates/base/route-docs.ejs
@@ -1,6 +1,6 @@
 <%
 const { config, route, utils } = it;
-const { _, formatDescription, fmtToJSDocLine, pascalCase, require } = utils;
+const { _, formatDescription, escapeJSDocContent, fmtToJSDocLine, pascalCase, require } = utils;
 const { raw, request, routeName } = route;
 
 const jsDocDescription = raw.description ?
@@ -9,7 +9,7 @@ const jsDocDescription = raw.description ?
 const jsDocLines = _.compact([
     _.size(raw.tags) && ` * @tags ${raw.tags.join(", ")}`,
     ` * @name ${pascalCase(routeName.usage)}`,
-    raw.summary && ` * @summary ${raw.summary}`,
+    raw.summary && ` * @summary ${formatDescription(raw.summary, true)}`,
     ` * @request ${_.upperCase(request.method)}:${raw.route}`,
     raw.deprecated && ` * @deprecated`,
     routeName.duplicate && ` * @originalName ${routeName.original}`,
@@ -18,7 +18,7 @@ const jsDocLines = _.compact([
     ...(config.generateResponses && raw.responsesTypes.length
     ? raw.responsesTypes.map(
         ({ type, status, description, isSuccess }) =>
-            ` * @response \`${status}\` \`${_.replace(_.replace(type, /\/\*/g, "\\*"), /\*\//g, "*\\")}\` ${description}`,
+            ` * @response \`${status}\` \`${_.replace(_.replace(type, /\/\*/g, "\\*"), /\*\//g, "*\\")}\` ${formatDescription(description, true)}`,
         )
     : []),
 ]).map(str => str.trimEnd()).join("\n");