serialize OpenAPI spec parsing to prevent cross-contamination in concurrent environments

Author: Picazsoo

modules/openapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java

@@ -22,10 +22,12 @@
 import io.swagger.parser.OpenAPIParser;
 import io.swagger.v3.core.util.Json;
 import io.swagger.v3.core.util.Yaml;
+import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.parser.OpenAPIResolver;
 import io.swagger.v3.parser.OpenAPIV3Parser;
 import io.swagger.v3.parser.core.models.AuthorizationValue;
 import io.swagger.v3.parser.core.models.ParseOptions;
+import io.swagger.v3.parser.core.models.SwaggerParseResult;
 import lombok.Setter;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.FilenameUtils;
@@ -1046,9 +1048,12 @@ private String calculateInputSpecHash(String inputSpec) {
         final URL remoteUrl = inputSpecRemoteUrl();
         final List<AuthorizationValue> authorizationValues = AuthParser.parse(this.auth);
 
+        final SwaggerParseResult parseResult;
+        synchronized (CodegenConfigurator.SPEC_PARSE_LOCK) {
+            parseResult = new OpenAPIParser().readLocation(remoteUrl == null ? inputSpec : remoteUrl.toString(), authorizationValues, parseOptions);
+        }
         return Hashing.sha256().hashBytes(
-                new OpenAPIParser().readLocation(remoteUrl == null ? inputSpec : remoteUrl.toString(), authorizationValues, parseOptions)
-                        .getOpenAPI().toString().getBytes(StandardCharsets.UTF_8)
+                parseResult.getOpenAPI().toString().getBytes(StandardCharsets.UTF_8)
         ).toString();
     }
 
@@ -1137,7 +1142,10 @@ private Path createCollapsedSpec() throws MojoExecutionException {
         parseOptions.setResolve(true);
         final List<AuthorizationValue> authorizationValues = AuthParser.parse(this.auth);
 
-        final var openApiMerged = new OpenAPIResolver(new OpenAPIV3Parser().readLocation(inputSpec, authorizationValues, parseOptions).getOpenAPI()).resolve();
+        final OpenAPI openApiMerged;
+        synchronized (CodegenConfigurator.SPEC_PARSE_LOCK) {
+            openApiMerged = new OpenAPIResolver(new OpenAPIV3Parser().readLocation(inputSpec, authorizationValues, parseOptions).getOpenAPI()).resolve();
+        }
 
         // Switch based on JSON or YAML.
         final var extension = inputSpec.toLowerCase(Locale.ROOT).endsWith(".json") ? ".json" : ".yaml";

modules/openapi-generator/src/main/java/org/openapitools/codegen/config/CodegenConfigurator.java

@@ -57,6 +57,12 @@ public class CodegenConfigurator {
 
     public static final Logger LOGGER = LoggerFactory.getLogger(CodegenConfigurator.class);
 
+    // swagger-parser's OAS 3.1 dereferencer (OpenAPIDereferencer31) is a singleton with mutable
+    // instance state, making concurrent spec parsing unsafe. This lock serializes readLocation()
+    // calls to avoid cross-contamination of OpenAPI objects between concurrent generators (e.g.
+    // GenerateBatch thread pool or parallel Maven module builds in mvnd).
+    public static final Object SPEC_PARSE_LOCK = new Object();
+
     private GeneratorSettings.Builder generatorSettingsBuilder = GeneratorSettings.newBuilder();
     private WorkflowSettings.Builder workflowSettingsBuilder = WorkflowSettings.newBuilder();
 
@@ -684,7 +690,14 @@ public Context<?> toContext() {
         ParseOptions options = new ParseOptions();
         options.setResolve(true);
         options.setResolveResponses(true);
-        SwaggerParseResult result = new OpenAPIParser().readLocation(inputSpec, authorizationValues, options);
+        // Serialize spec parsing: swagger-parser's OAS 3.1 dereferencer singleton (OpenAPIDereferencer31)
+        // has mutable instance fields (openAPI, result) written during dereference(). Concurrent calls
+        // from GenerateBatch threads race on those fields, causing one generator to receive another's
+        // OpenAPI object. Serializing readLocation() here prevents that cross-contamination.
+        SwaggerParseResult result;
+        synchronized (SPEC_PARSE_LOCK) {
+            result = new OpenAPIParser().readLocation(inputSpec, authorizationValues, options);
+        }
 
         // TODO: Move custom validations to a separate type as part of a "Workflow"
         Set<String> validationMessages = new HashSet<>(null != result.getMessages() ? result.getMessages() : new ArrayList<>());