OpenAPI Extension: Import Support for API paths ending with "/**"
56 views
Skip to first unread message
Rahul Pavithran
Oct 26, 2025, 10:14:40 PM (10 days ago) Oct 26
to ZAP Developer Group
Hi ZAP team, hope everyone is doing well.
Example file I used for local testing:
{
"openapi": "3.0.1",
"info": {
"title": "Demo Server API",
"version": "1.0.0",
"description": "OpenAPI specification generated from the FastAPI routes in `hello.py`.\n\nRoutes:\n- GET / -> returns a simple Hello World JSON.\n- GET /items/{item_id} -> returns the item id and optional query parameter `q`."
},
"servers": [
{
"url": "http://localhost:8000",
"description": "Local development server"
}
],
"paths": {
"/health/**": {
"get": {
"summary": "Root endpoint",
"operationId": "read_root",
"responses": {
"200": {
"description": "Successful Response",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"Hello": {
"type": "string",
"example": "World"
}
},
"required": ["Hello"]
}
}
}
}
}
}
},
"/items/{item_id}": {
"get": {
"summary": "Get an item by id",
"operationId": "read_item",
"parameters": [
{
"name": "item_id",
"in": "path",
"required": true,
"schema": {
"type": "integer",
"format": "int32"
},
"description": "Numeric ID of the item to get"
},
{
"name": "q",
"in": "query",
"required": false,
"schema": {
"type": "string"
},
"description": "Optional query string"
}
],
"responses": {
"200": {
"description": "Successful Response",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"item_id": {
"type": "integer",
"format": "int32",
"example": 42
},
"q": {
"type": "string",
"nullable": true,
"example": "search"
}
},
"required": ["item_id"]
}
}
}
},
"404": {
"description": "Item not found"
}
}
}
}
},
"components": {}
}
ZAP is used by my organization for DAST scanning. We have some openAPI specification files (JSON format) that contain paths ending with "/**", most likely a result of auto generation by the framework tools.
While the abovementioned files are successfully validated by the Swagger editor and the Python openapi-spec-validator package, for some reason the OpenAPI extension fails to import the file with the following error:
`java.util.regex.PatternSyntaxException: Dangling meta character '*' near index n`
where n is the position of the character on the affected line in the openapi file.
I would like to know if this path format is intended to be supported by the OpenAPI addon either presently or in the future?
Do let me know if any additional information would be helpful towards your response. Thanks again!
I would like to know if this path format is intended to be supported by the OpenAPI addon either presently or in the future?
Do let me know if any additional information would be helpful towards your response. Thanks again!
Versions Used:
ZAP - 2.16.0
OpenAPI Extension - v44
JAVA - OpenJDK 17.0.15
Operating System: Windows (Local), Linux (Custom Docker container)
We primarily perform the import via zaproxy Python API (zap.openapi.import_file(file_path, context_id=context_id)) but also tested via UI.
We primarily perform the import via zaproxy Python API (zap.openapi.import_file(file_path, context_id=context_id)) but also tested via UI.
Example file I used for local testing:
{
"openapi": "3.0.1",
"info": {
"title": "Demo Server API",
"version": "1.0.0",
"description": "OpenAPI specification generated from the FastAPI routes in `hello.py`.\n\nRoutes:\n- GET / -> returns a simple Hello World JSON.\n- GET /items/{item_id} -> returns the item id and optional query parameter `q`."
},
"servers": [
{
"url": "http://localhost:8000",
"description": "Local development server"
}
],
"paths": {
"/health/**": {
"get": {
"summary": "Root endpoint",
"operationId": "read_root",
"responses": {
"200": {
"description": "Successful Response",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"Hello": {
"type": "string",
"example": "World"
}
},
"required": ["Hello"]
}
}
}
}
}
}
},
"/items/{item_id}": {
"get": {
"summary": "Get an item by id",
"operationId": "read_item",
"parameters": [
{
"name": "item_id",
"in": "path",
"required": true,
"schema": {
"type": "integer",
"format": "int32"
},
"description": "Numeric ID of the item to get"
},
{
"name": "q",
"in": "query",
"required": false,
"schema": {
"type": "string"
},
"description": "Optional query string"
}
],
"responses": {
"200": {
"description": "Successful Response",
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"item_id": {
"type": "integer",
"format": "int32",
"example": 42
},
"q": {
"type": "string",
"nullable": true,
"example": "search"
}
},
"required": ["item_id"]
}
}
}
},
"404": {
"description": "Item not found"
}
}
}
}
},
"components": {}
}
thc202
Oct 27, 2025, 5:04:24 AM (10 days ago) Oct 27
to zaproxy...@googlegroups.com
Hi,
That's a bug in the add-on, feel free to open an issue.
Note that usage questions (even if bugs) are better asked in the User
Group: https://groups.google.com/g/zaproxy-users/
Best regards.
On 27/10/2025 01:00, Rahul Pavithran wrote:
> Hi ZAP team, hope everyone is doing well.
>
> ZAP is used by my organization for DAST scanning. We have some openAPI
> specification files (JSON format) that contain paths ending with "/**",
> most likely a result of auto generation by the framework tools.
>
> While the abovementioned files are successfully validated by the Swagger
> editor and the Python openapi-spec-validator package, for some reason the
> OpenAPI extension fails to import the file with the following error:
>
> *`java.util.regex.PatternSyntaxException: Dangling meta character '*' near
> index n`*
> {
That's a bug in the add-on, feel free to open an issue.
Note that usage questions (even if bugs) are better asked in the User
Group: https://groups.google.com/g/zaproxy-users/
Best regards.
On 27/10/2025 01:00, Rahul Pavithran wrote:
> Hi ZAP team, hope everyone is doing well.
>
> ZAP is used by my organization for DAST scanning. We have some openAPI
> specification files (JSON format) that contain paths ending with "/**",
> most likely a result of auto generation by the framework tools.
>
> While the abovementioned files are successfully validated by the Swagger
> editor and the Python openapi-spec-validator package, for some reason the
> OpenAPI extension fails to import the file with the following error:
>
> index n`*
>
> where n is the position of the character on the affected line in the
> openapi file.
>
> I would like to know if this path format is intended to be supported by the
> OpenAPI addon either presently or in the future?
>
> Do let me know if any additional information would be helpful towards your
> response. Thanks again!
>
> *Versions Used:*
> where n is the position of the character on the affected line in the
> openapi file.
>
> I would like to know if this path format is intended to be supported by the
> OpenAPI addon either presently or in the future?
>
> Do let me know if any additional information would be helpful towards your
> response. Thanks again!
>
> ZAP - 2.16.0
> OpenAPI Extension - v44
> JAVA - OpenJDK 17.0.15
> Operating System: Windows (Local), Linux (Custom Docker container)
>
> We primarily perform the import via zaproxy Python API
> (zap.openapi.import_file(file_path, context_id=context_id)) but also tested
> via UI.
>
>
> *Example file I used for local testing:*
> OpenAPI Extension - v44
> JAVA - OpenJDK 17.0.15
> Operating System: Windows (Local), Linux (Custom Docker container)
>
> We primarily perform the import via zaproxy Python API
> (zap.openapi.import_file(file_path, context_id=context_id)) but also tested
> via UI.
>
>
> {
Rahul Pavithran
Oct 27, 2025, 7:36:36 AM (10 days ago) Oct 27
to ZAP Developer Group
Issue created on zaproxy GitHub:
Issue #9105 · zaproxy/zaproxy
I was not aware what would be the right group to report suspected bugs at but will use the users group going forward.
I was not aware what would be the right group to report suspected bugs at but will use the users group going forward.
Thanks for your time and quick response, @thc202!
Rahul Pavithran
Oct 27, 2025, 8:58:06 PM (9 days ago) Oct 27
to ZAP Developer Group
I see that the fix has been merged. Thanks again for the quick action, @thc202.
While we wait for the next openapi extension release, would you have any suggestions for a temporary workaround?
thc202
Oct 28, 2025, 4:36:12 AM (9 days ago) Oct 28
to zaproxy...@googlegroups.com
The fix is already included in the weekly and nightly releases.
The add-on should be released to 2.16 next week if not sooner.
Best regards.
On 28/10/2025 00:58, Rahul Pavithran wrote:
> I see that the fix has been merged. Thanks again for the quick action,
> @thc202.
>
> While we wait for the next openapi extension release, would you have any
> suggestions for a temporary workaround?
>
> On Monday, October 27, 2025 at 7:36:36 AM UTC-4 Rahul Pavithran wrote:
>
>> Issue created on zaproxy GitHub: Issue #9105 · zaproxy/zaproxy
>> <https://github.com/zaproxy/zaproxy/issues/9105>
The add-on should be released to 2.16 next week if not sooner.
Best regards.
On 28/10/2025 00:58, Rahul Pavithran wrote:
> I see that the fix has been merged. Thanks again for the quick action,
> @thc202.
>
> While we wait for the next openapi extension release, would you have any
> suggestions for a temporary workaround?
>
> On Monday, October 27, 2025 at 7:36:36 AM UTC-4 Rahul Pavithran wrote:
>
>> Issue created on zaproxy GitHub: Issue #9105 · zaproxy/zaproxy
Reply all
Reply to author
Forward
0 new messages