kin-openapi
kin-openapi copied to clipboard
getkin
Request validation does not work correctly with "additionalProperties: false"
Background
OpenAPI v3 defines additionalProperties attribute as
Value can be boolean or object. Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema. Consistent with JSON Schema, additionalProperties defaults to true.
Problem
additionalProperties: false is not taken into account when validating JSON - a payload with attributes that are not listed in schema will still be valid.
It only happens when additionalProperties is declared inside anyOf / allOf block
Steps to reproduce
package main
import (
"encoding/json"
"fmt"
"github.com/getkin/kin-openapi/openapi3"
)
func main() {
payload := map[string]interface{}{
"prop1": "val",
"prop3": "val",
}
schemas := []string{`
{
"type": "object",
"additionalProperties": false,
"required": ["prop1"],
"properties": {
"prop1": {
"type": "string"
}
}
}`, `{
"anyOf": [
{
"type": "object",
"additionalProperties": false,
"required": ["prop1"],
"properties": {
"prop1": {
"type": "string"
}
}
},
{
"type": "object",
"additionalProperties": false,
"properties": {
"prop2": {
"type": "string"
}
}
}
],
}
`}
for _, jsonSchema := range schemas {
var dataSchema openapi3.Schema
json.Unmarshal([]byte(jsonSchema), &dataSchema)
err := dataSchema.VisitJSON(payload)
fmt.Println("err", err)
}
}
Result
- first test will fail with "Property 'prop3' is unsupported" (correct)
- second test will pass (incorrect)
