I posted a dataset, but cannot retrieve it.

curl --location --request GET 'https://live.virtualandemo.com/api/persons/hfrüh'

Instead it gives me the data for "bgates".

Description

I have a Swagger 2.0 API specification that has the following query parameter defied:

- name: "productIds"
  in: "query"
  description: "..."
  type: array
  items:
    type: integer
    format: int32
  collectionFormat: "multi"
  minItems: 0  
  maxItems: 10

Based on Virtualan docs I generated the Java classes, with the necessary annotations in place with the openapi-generator-maven-plugin:5.4.0.

My setting are:

<execution>
	<id>Api</id>
	<goals>
		<goal>generate</goal>
	</goals>
	<configuration>
		<inputSpec>${project.basedir}/src/main/resources/openapi/virtual/api.yaml
		</inputSpec>
		<generatorName>spring</generatorName>
		<output>${project.basedir}</output>
		<modelPackage>com.xxx.yyy.model</modelPackage>
		<apiPackage>com.xxx.yyy.api</apiPackage>
		<invokerPackage>com.xxx.yyy.swagger</invokerPackage>
		<skipValidateSpec>false</skipValidateSpec>
		<strictSpec>true</strictSpec>
		<generateApiDocumentation>false</generateApiDocumentation>
		<generateModelDocumentation>true</generateModelDocumentation>
		<configOptions>
			<virtualService>true</virtualService>
			<sourceFolder>target/generated-sources/openapi/src/main/java</sourceFolder>
			<configPackage>com.xxx.yyy.swagger</configPackage>
		</configOptions>
		<skipOverwrite>true</skipOverwrite>
	</configuration>
</execution>

The generation is successful, Classes are annotated with @VirtualService on class level and @ApiVirtual on method level as expected.

Reproduce issue

I start the spring-boot application and I

• Navigate to virtualan-ui
• Add mock data (successful)
• Try invoke virtualized endpoint with parameters I given upon mock definition

As above mentioned one of the query parameters are as follows,

productIds
array[integer]
(query)

when I provide the defined query parameters here, the invocation will result the following exception:

java.lang.ClassCastException: class java.lang.Integer cannot be cast to class java.lang.CharSequence (java.lang.Integer and java.lang.CharSequence are in module java.base of loader 'bootstrap')
    at java.base/java.lang.String.join(Unknown Source)
    at io.virtualan.aop.ApiVirtualAspect.addQueryParamValue(ApiVirtualAspect.java:84)
    at io.virtualan.aop.ApiVirtualAspect$GetParams.invoke(ApiVirtualAspect.java:271)
    at io.virtualan.aop.ApiVirtualAspect.readInputParam(ApiVirtualAspect.java:171)
    at io.virtualan.aop.ApiVirtualAspect.aroundAddAdvice(ApiVirtualAspect.java:113)
    at jdk.internal.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
...

For me, it seems the method in question:

public String addQueryParamValue(Object value) {
        return String.join(",", (java.util.List) value);
    }

tries to apply a String join on an integer, which results the above described exception,
while join would be applicable to

public static String join(@NotNull CharSequence delimiter,
                          @NotNull Iterable<? extends CharSequence> elements)

I think it would be useful if you did not have to define all test data.
It would be nice, if you would have a configuration parameter, with which you can decide, that Virtualan
gives the sample data from an OAS3 specification as default response instead of an error message for undefined requests.

Security analysis of the current virtualan-plugin detects a vulnerability in the third party js library angular 1.5.5.
Nexus IQ identifies the threat with high-severity.

Issue
sonatype-2016-0064
Severity
Sonatype CVSS 38.5
CVE CVSS 2.00.0
Weakness
Sonatype CWE79

Explanation
The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The ensureSafeAssignContext() function in parse.js processes malicious expressions that access the constructors. A remote attacker can exploit this vulnerability by crafting malicious expressions that, when processed, result in execution of arbitrary code.

@elans3
Could you please review this? Thanks

Description

I have mock responses defined with virtualan-plugin. These mock responses are created with virtualan UI on the Add Mock screen, for OpenAPI specification that was used to generate virtual APIs in my application.

Mock responses are added successfully, mock responses can be retrieves successfully in the Overall Catalog, with virtual-service-controller and the [GET] /virtualservices - listAllMockLoadRequests.

Example:

As you can see the mock response stored formatted with e.g. \n white space characters.
The issue is that when a client calls this endpoint the mock response will return 'as is' and for example in Jackson parser this will trigger an unescaped control character error.

Would it be possible to remove these special characters when you store it and only perform formatting on the UI when you display the JSON content?