[KOTLIN-SPRING;KOTLIN-KTOR] - Fix some issues similar to CVE-2026-22785

[Picazsoo]

PR checklist

• Read the contribution guidelines.
• Run the following to build the project and update samples:

  ./mvnw clean package || exit
  ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
  ./bin/utils/export_docs_generators.sh || exit
  

  (For Windows users, please run the script in WSL)
  Commit all changed files.
  This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
  These must match the expectations made by your contribution.
  You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
  IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
• If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

---

Summary by cubic

Hardened Kotlin generators to block OpenAPI-driven code injection in descriptions and examples for kotlin-spring and kotlin-server (ktor/ktor2), addressing the same class as CVE-2026-22785. kotlin-spring now renders descriptions and interface property examples as escaped normal strings; ktor examples in triple-quoted strings are escaped to prevent interpolation and triple-quote breakouts.

• Bug Fixes
  • AbstractKotlinCodegen: added Mustache lambdas escapeInNormalString (escapes , $, ", newlines) and escapeInTripleQuotedString (escapes $ and triple quotes).
  • kotlin-spring: switched @Operation.description to escaped normal strings; escaped descriptions in @Schema, @ApiModelProperty, and @Parameter across API/model and parameter templates (including declarative HTTP); escaped interface property example values in schema annotations.
  • kotlin-server (ktor/ktor2): applied {{#lambda.escapeInTripleQuotedString}}...{{/lambda.escapeInTripleQuotedString}} around response example values to block interpolation and triple-quote injection.
  • Tests/samples: added CVE-style regression specs (ktor injection and worst-case escaping), updated multi-line description assertions for escaped format, and regenerated samples.

^{Written for commit 033a41e. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 52 files

_{Re-trigger cubic}

[cubic-dev-ai]

2 issues found across 51 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="modules/openapi-generator/src/main/resources/kotlin-server/libraries/ktor2/_response.mustache">

<violation number="1" location="modules/openapi-generator/src/main/resources/kotlin-server/libraries/ktor2/_response.mustache:2">
P1: Incomplete escaping in triple-quoted string: `escapeInTripleQuotedString` does not neutralize `"""`, allowing raw-string breakout from attacker-controlled example content.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P1: Incomplete escaping in triple-quoted string: escapeInTripleQuotedString does not neutralize """, allowing raw-string breakout from attacker-controlled example content.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At modules/openapi-generator/src/main/resources/kotlin-server/libraries/ktor2/_response.mustache, line 2:

<comment>Incomplete escaping in triple-quoted string: `escapeInTripleQuotedString` does not neutralize `"""`, allowing raw-string breakout from attacker-controlled example content.</comment>

<file context>
@@ -1,5 +1,5 @@
 val exampleContentType = "{{{contentType}}}"
-val exampleContentString = """{{&example}}"""
+val exampleContentString = """{{#lambda.escapeInTripleQuotedString}}{{&example}}{{/lambda.escapeInTripleQuotedString}}"""
 
 when (exampleContentType) {
</file context>