parameter fails to validate when specified as a $ref
Parameters specified as a $ref are not validated
Here is an example:
Define the following parameter under components.parameters:
```yaml
components:
  parameters:
    id:
      name: id
      in: path
      description: ID of pet to fetch
      required: true
      schema:
        type: integer
        format: int64
```
Use the parameter in a route:
```yaml
paths:
  /pets/{id}:
    get:
      description: Returns a user based on a single ID, if the user does not have access to the pet
      operationId: find pet by id
      parameters:
        - $ref: '#/components/parameters/id'
```
The component '#/components/parameters/id' is not validated. It works if the component is placed inline without using a ref. This is not desirable given parameters may be specified generally as a ref.
+1
Feel free to open a PR.
This is a major issue for us at $work, I'm really quite surprised that it seemingly isn't an issue for more users. I'm happy to do the work to fix it but I must admit I've had a hard time tracking down where the resolution of that ref would happen. Can someone give me some pointers for where to start looking?
@jberger I'd look at the parameters package, and the request validation package.
I had assumed there was a centralized $ref parser in action somewhere. After finding a series of commits that enabled $ref in response bodies (I think it was) I've decided that I'm not the right person to poke this particular $ref bug. For the future reader, I've switched to pre-parsing my schema doc with json-schema-ref-parser and then passing that to express-openapi. It seems to work well for me so far. Cheers.
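The workaround described in the comment above, dereferencing the document before it reaches express-openapi, shown here for local `#/...` refs as an added example. It is not code from this thread, from express-openapi or from json-schema-ref-parser; `resolvePointer`, `derefLocal` and `paramRefs` are hypothetical names. It fails closed on dangling or circular refs and lists the operations whose parameters still carry a `$ref`, which per this issue would go unvalidated.

```javascript
// Added example, not express-openapi or json-schema-ref-parser code.
// resolvePointer, derefLocal and paramRefs are hypothetical helper names.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve a local "#/a/b" JSON Pointer (RFC 6901) against the document root.
function resolvePointer(root, ref) {
  if (!ref.startsWith('#/')) throw new Error(`only local refs handled: ${ref}`);
  return ref.slice(2).split('/').reduce((node, raw) => {
    const key = decodeURIComponent(raw).replace(/~1/g, '/').replace(/~0/g, '~');
    if (node === null || typeof node !== 'object' || !own(node, key)) {
      throw new Error(`unresolvable $ref: ${ref}`); // fail closed, never skip
    }
    return node[key];
  }, root);
}

// Return a copy of `node` with every local $ref replaced by its target.
function derefLocal(root, node = root, chain = []) {
  if (Array.isArray(node)) return node.map((n) => derefLocal(root, n, chain));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (chain.includes(node.$ref)) throw new Error(`circular $ref: ${node.$ref}`);
    return derefLocal(root, resolvePointer(root, node.$ref), [...chain, node.$ref]);
  }
  return Object.fromEntries(
    Object.entries(node).map(([k, v]) => [k, derefLocal(root, v, chain)]));
}

// List operations whose parameters still contain a $ref entry.
function paramRefs(doc) {
  const hits = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const [method, op] of Object.entries(item || {})) {
      const params = op && Array.isArray(op.parameters) ? op.parameters : [];
      if (params.some((p) => p && own(p, '$ref'))) hits.push(`${method} ${path}`);
    }
  }
  return hits;
}

// The spec from this issue, trimmed to the fields that matter here.
const spec = {
  components: { parameters: { id: { name: 'id', in: 'path', required: true,
    schema: { type: 'integer', format: 'int64' } } } },
  paths: { '/pets/{id}': { get: {
    parameters: [{ $ref: '#/components/parameters/id' }] } } },
};
const resolved = derefLocal(spec); // pass this copy on; `spec` is left unchanged
```

Running `paramRefs` on the original document at startup (or in CI) flags every route that depends on the unresolved form.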
I think this is another case of this kind of error, since @jberger said that is a centralized error.
```yaml
openapi: 3.0.1
info:
  title: Herency Example
  version: 1.0.0
paths: {}
components:
  schemas:
    ItemBase:
      type: object
      properties:
        name:
          type: string
    Item:
      allOf:
        - $ref: '#/components/schemas/ItemBase'
        - type: object
          properties:
            color:
              type: string
        - required: [name]
        - additionalProperties: false
```
If I try to validate a body with the key name it fails because additionalProperties: false. But if I don't send name, it fails because it's required.
I guess that is because it is reading only at its own schema level, and the validation is not recursive.
But the schema is well formed; in the Swagger UI you can see it in full.
