This repository has been archived by the owner on Aug 4, 2023. It is now read-only.

Strict validation mode for undefined parameters? #181

Open
jfexyz opened this issue Mar 15, 2015 · 8 comments

Comments

@jfexyz

jfexyz commented Mar 15, 2015

I wonder if it would be useful to have a strict validation mode for input parameters? This way the API could automatically respond with an error if params are included that are not defined in the Swagger spec (validation right now is only for type/format/required). This could be really useful for query, body, and formData parameter types. Probably not so desirable for header params, and not really relevant to path parameters (which already get validated fully).

As it stands right now, controller code has to revalidate passed parameters before saving (you can't just use the body or formData and stick it in a db, as even unspecified fields get saved). Same with query parameters: unspecified ones have to be validated and omitted manually, and the controller needs to return their own errors here so as not to confuse API consumers.

Any thoughts?

@theganyo
Contributor

+1. That sounds like a useful tool to me.

@whitlockjc
Member

Sounds useful to me as well.

@prabhatjha

+1. (thumbsup)

@pavb74

pavb74 commented Mar 31, 2016

+1

@SandeepNadella

Any other library which provides this feature?

@whitlockjc
Member

Not that I'm aware of. I created an issue here: apigee-127/sway#94

@jmichel84

+1 Would really need this, having to double check everything before saving to the db is a pain.

@markusenglund

markusenglund commented Jan 28, 2019

To anyone coming here from google:

This feature basically already exists, although you have to opt in to it on each route by setting additionalProperties: false in your Swagger specification. This will cause the API to respond with an error if the request includes properties that are not defined in your spec. This can for example allow you to just stick the body right in the db without having to revalidate the parameters to prevent an attacker from sending whatever they want into the db.

Here's an example of a specification in yaml:

```yaml
paths:
  /api/example:
    post:
      parameters:            # the list must sit under a parameters key
        - name: things
          in: body
          required: true
          schema:
            type: object
            properties:
              id:
                type: integer
                format: int64
              name:
                type: string
            additionalProperties: false   # reject any key other than id and name
```

Notice the last line. Swagger-tools will now prevent anyone from sending properties on the body other than id and name.
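To make the effect of that one line concrete, here is an added example that is neither swagger-tools code nor part of the comment above. It is a hand-written validator covering only the JSON Schema subset the thread uses (type, properties, required, additionalProperties); the `validate` function, the spec fragments and the attacker payload are all constructed for illustration and assume nothing about swagger-tools internals. It also demonstrates a caveat a reviewer would want on record: `additionalProperties: false` applies only to the object schema it sits on, so a nested object schema needs its own copy, and because Swagger 2.0 query and formData parameters are individual parameter objects rather than a schema, this setting answers the body case from the original issue but not the query-parameter case.

```javascript
// Added example, not swagger-tools code: a minimal validator for the
// JSON Schema subset used in this thread, to show what
// additionalProperties: false changes. "format" (e.g. int64) is ignored.

const typeOf = (v) =>
  Array.isArray(v) ? "array" : v === null ? "null" : typeof v;

// Returns a list of error strings; an empty list means the value is valid.
function validate(schema, value, path = "body") {
  const errors = [];
  if (schema.type === "integer") {
    if (!Number.isInteger(value)) errors.push(`${path}: expected integer`);
    return errors;
  }
  if (schema.type && schema.type !== "object") {
    if (typeOf(value) !== schema.type) errors.push(`${path}: expected ${schema.type}`);
    return errors;
  }
  if (typeOf(value) !== "object") return [`${path}: expected object`];

  const props = schema.properties || {};
  for (const name of schema.required || []) {
    if (!(name in value)) errors.push(`${path}.${name}: required`);
  }
  for (const [name, v] of Object.entries(value)) {
    if (name in props) {
      errors.push(...validate(props[name], v, `${path}.${name}`));
    } else if (schema.additionalProperties === false) {
      errors.push(`${path}.${name}: additional property not allowed`);
    }
    // additionalProperties absent or true: unknown keys pass through untouched,
    // which is exactly what lets them reach a handler that stores the body as-is.
  }
  return errors;
}

// Constructed spec fragments (hypothetical): the thread's body schema with and
// without the flag, plus a nested object to show the flag is not inherited.
const loose = {
  type: "object",
  properties: { id: { type: "integer", format: "int64" }, name: { type: "string" } },
};
const strict = { ...loose, additionalProperties: false };
const nested = {
  type: "object",
  additionalProperties: false,
  properties: {
    id: { type: "integer" },
    profile: { type: "object", properties: { bio: { type: "string" } } },
  },
};

// Constructed attacker request: valid id/name plus a field the API never
// declared. A controller that writes the body straight to the database
// would persist "role" along with the rest.
const payload = { id: 7, name: "alice", role: "admin" };

function errorsForLoose() { return validate(loose, payload); }
function errorsForStrict() { return validate(strict, payload); }
function errorsForNested() {
  // The top-level flag does not protect the nested profile object.
  return validate(nested, { id: 7, profile: { bio: "hi", role: "admin" } });
}

console.log(errorsForLoose());   // []
console.log(errorsForStrict());  // [ 'body.role: additional property not allowed' ]
console.log(errorsForNested());  // []
```

The third call is the one to remember: the undeclared `role` key survives inside `profile` because only the outer schema carries `additionalProperties: false`. Every object schema that will be stored verbatim needs the flag itself.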
