schema with error can be used for validation

Schema with mistake loads without throwing any error, and errors doesn't get recognized untils there's an instance being validated against it.

schema = {
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "required": [
    "foo"
  ],
  "properties": {
    "foo": {
      "$ref": "#/definitions/FooFoo"
    }
  },
  "definitions": {
    "Foo": {
      "type": "object",
      "required": [
        "bar"
      ],
      "properties": {
        "bar": {
          "type": "string"
        }
      }
    }
  }
}

Draft4Validator(schema).validate({})  #Throws validation error
Draft4Validator(schema).validate({"foo": {"bar": "baz"}}) #Throws RefResolutionError

[Julian]

Hi.

This is more or less intended behavior.

$ref loading is lazy, so until it's looked up, there's no error, and the spec doesn't say that schemas with invalid refs are invalid (which would be essentially impossible to do for any $ref that is remote).

Also note that even besides this particular issue, passing a schema to a validator doesn't validate it. If you are unsure it's valid, you need to call check_schema on it.

@Julian thanks for comment.

I'm trying to build an application where it first accepts jsonschema, and then incoming json data is validated against this schema.

I wanted to fail in the first step, where if schema is invalid, e.g. ref doesn't exists, fail and return appropriate error. check_schema doesn't return errors in this case.

[Julian]

In that case I'd recommend catching the RefResolutionError -- you're going to need to do something similar for the case where there's a remote schema there and somehow the network fails while retrieving it.

Alternatively, there are I believe some libraries (on top of this one) that will essentially de-reference a schema ahead of time, so you could try one of those, and run it on the schema right after you get it, which should give you an immediate error.

Note by the way that accepting arbitrary JSON schemas from untrusted users isn't safe without sandboxing by the way.