express-openapi-validator
additionalProperties should default to false (not true) even if undefined
Describe the bug
Right now, if you define a route whose schema does not set the `additionalProperties` key, the middleware will allow arbitrary properties to be sent to the route. This is a security risk. The only way to block these extra properties is to remember to set `additionalProperties: false`. As of today it defaults to true when missing, which is not safe. Users should have to explicitly allow additional properties in their schema.
To Reproduce
- Create a route in the API schema
- Do not add `additionalProperties: boolean` to the route
- Make a request to the route using a param that is not defined in the route
- Observe that the request is allowed
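The behaviour described above, as an added example that is not part of this issue or of express-openapi-validator's own code: a minimal body checker that compares the two policies on the same schema and request. The schema, the request body, and the `strictDefault` option are constructed for illustration; with `strictDefault: false` (the current behaviour the issue reports) an undeclared field passes, and with `strictDefault: true` (the behaviour the issue asks for) it is rejected unless the schema explicitly sets `additionalProperties: true`.

```javascript
// Added example (not part of the issue or express-openapi-validator): shows why a
// missing `additionalProperties` key matters when validating a request body.

// Constructed schema in OpenAPI/JSON Schema style: two declared fields and
// no `additionalProperties` key at all.
const userSchema = {
  type: 'object',
  properties: {
    username: { type: 'string' },
    email: { type: 'string' },
  },
  required: ['username'],
};

// The same schema with the key set explicitly, one way and the other.
const strictUserSchema = { ...userSchema, additionalProperties: false };
const openUserSchema = { ...userSchema, additionalProperties: true };

// Return the body keys that are not declared under `schema.properties`.
function undeclaredKeys(schema, body) {
  const declared = new Set(Object.keys(schema.properties || {}));
  return Object.keys(body).filter((k) => !declared.has(k));
}

// Decide whether extra properties are allowed. `strictDefault` is the policy the
// issue asks for: an undefined `additionalProperties` means "not allowed".
function allowsAdditional(schema, strictDefault) {
  if (schema.additionalProperties === undefined) return !strictDefault;
  // `true` or a sub-schema both permit extras; only `false` forbids them.
  return schema.additionalProperties !== false;
}

// Validate `body` against `schema`. Returns { ok, errors } instead of throwing
// so the two policies can be compared side by side.
function validateBody(schema, body, { strictDefault = true } = {}) {
  const errors = [];
  for (const key of schema.required || []) {
    if (!(key in body)) errors.push(`missing required property '${key}'`);
  }
  if (!allowsAdditional(schema, strictDefault)) {
    for (const key of undeclaredKeys(schema, body)) {
      errors.push(`unexpected property '${key}'`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed request carrying an undeclared field next to the valid ones.
const request = { username: 'alice', email: 'alice@example.invalid', isAdmin: true };

// Usage: the same request under each policy.
console.log('permissive default:', validateBody(userSchema, request, { strictDefault: false }));
console.log('strict default:    ', validateBody(userSchema, request));
console.log('explicit false:    ', validateBody(strictUserSchema, request));
console.log('explicit true:     ', validateBody(openUserSchema, request));
```

The point of the comparison is the first two lines of output: the schema is identical, only the default for the missing key changes, and that default alone decides whether `isAdmin` reaches the handler.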