fix: send query languages strings in request body payload (#2807)

DmitryAnansky · web-flow · commit b877fef8f509 · 2026-05-11T19:35:50.000+03:00
diff --git a/.changeset/silent-words-divide.md b/.changeset/silent-words-divide.md
@@ -0,0 +1,5 @@
+---
+"@redocly/respect-core": patch
+---
+
+Fixed an issue where query-language strings (JSONPath, XPath, SPARQL, OPA) in Respect request bodies were incorrectly treated as runtime expressions.
diff --git a/packages/respect-core/src/modules/__tests__/runtime-expressions/evaluate.test.ts b/packages/respect-core/src/modules/__tests__/runtime-expressions/evaluate.test.ts
@@ -339,6 +339,33 @@ describe('evaluateRuntimeExpressionPayload', () => {
     ).toEqual('2023-12-15');
   });
 
+  it('should not evaluate query-language strings as runtime expressions', () => {
+    const payload = {
+      jsonpath: "$.items[*].attributes[?(@.type=='foo')]",
+      xpath: '$bookstore/book[price>35]/title',
+      sparql: 'SELECT $item WHERE { $item <http://example.com/type> "foo" }',
+      opa: 'data.items[_].type == "foo"',
+    };
+
+    expect(
+      evaluateRuntimeExpressionPayload({ payload, context: runtimeExpressionContext, logger })
+    ).toEqual(payload);
+  });
+
+  it('should evaluate {$faker.*} wrapped expression embedded in object payload', () => {
+    const payload = { x: '{$faker.number.integer({ min: 5, max: 5 })}' };
+    expect(
+      evaluateRuntimeExpressionPayload({ payload, context: runtimeExpressionContext, logger })
+    ).toEqual({ x: '5' });
+  });
+
+  it('should evaluate {$faker.*} wrapped expression mixed with surrounding text', () => {
+    const payload = '{$faker.number.integer({ min: 5, max: 5 })} suffix';
+    expect(
+      evaluateRuntimeExpressionPayload({ payload, context: runtimeExpressionContext, logger })
+    ).toEqual('5 suffix');
+  });
+
   it('should evaluate $faker runtime expression value', () => {
     const payload = '$faker.number.integer({ min: 1, max: 10 })';
     expect(
@@ -352,13 +379,13 @@ describe('evaluateRuntimeExpressionPayload', () => {
 
   it('should evaluate $faker inside string runtime expression value', () => {
     const payload = 'Some text {$faker.number.integer({ min: 1, max: 10 })}';
-    expect(
-      typeof evaluateRuntimeExpressionPayload({
-        payload,
-        context: runtimeExpressionContext,
-        logger,
-      })
-    ).toBe('string');
+    const result = evaluateRuntimeExpressionPayload({
+      payload,
+      context: runtimeExpressionContext,
+      logger,
+    });
+    expect(typeof result).toBe('string');
+    expect(result).toMatch(/^Some text \d+$/);
   });
 
   it('should evaluate multiword runtime expression value', () => {
@@ -607,9 +634,9 @@ describe('evaluateRuntimeExpression', () => {
 
   it('should evaluate $faker inside string runtime expression value', () => {
     const payload = 'Some text {$faker.number.integer({ min: 1, max: 10 })}';
-    expect(typeof evaluateRuntimeExpression(payload, runtimeExpressionContext, logger)).toBe(
-      'string'
-    );
+    const result = evaluateRuntimeExpression(payload, runtimeExpressionContext, logger);
+    expect(typeof result).toBe('string');
+    expect(result).toMatch(/^Some text \d+$/);
   });
 
   it('should evaluete list runtime expression value', () => {
diff --git a/packages/respect-core/src/modules/runtime-expressions/evaluate.ts b/packages/respect-core/src/modules/runtime-expressions/evaluate.ts
@@ -240,6 +240,10 @@ function evaluateExpressionsInString(
   return expression.replace(regex, (match) => {
     const exprToEvaluate = match.trim();
 
+    if (!isValidRuntimeExpression(exprToEvaluate) && !exprToEvaluate.includes('$faker.')) {
+      return match;
+    }
+
     // For dollar expressions, include the leading $ when passing to evaluateRuntimeExpression
     const evaluatedValue = evaluateRuntimeExpression(exprToEvaluate, context, logger);
 
@@ -249,9 +253,29 @@ function evaluateExpressionsInString(
 }
 
 export function isPureRuntimeExpression(expression: string): boolean {
-  // Regular expression to match runtime expressions
-  const regex = /^\$[^\s{}]+(\([^)]*\))?$|^\{[^{}]*\}$/;
+  const trimmedExpression = expression.trim();
+
+  if (trimmedExpression.startsWith('$faker.')) {
+    return true;
+  }
+
+  if (
+    !(
+      (trimmedExpression.startsWith('$') && !/\s/.test(trimmedExpression)) ||
+      (trimmedExpression.startsWith('{') && trimmedExpression.endsWith('}'))
+    )
+  ) {
+    return false;
+  }
+
+  return isValidRuntimeExpression(trimmedExpression);
+}
 
-  // Check if the expression matches the runtime expression format
-  return regex.test(expression.trim());
+function isValidRuntimeExpression(expression: string): boolean {
+  try {
+    lintExpression(expression);
+    return true;
+  } catch {
+    return false;
+  }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@redocly/respect-core": patch
 +---
++
 +Fixed an issue where query-language strings (JSONPath, XPath, SPARQL, OPA) in Respect request bodies were incorrectly treated as runtime expressions.