Improve additional property validation

Fabrice Gabolde

I have come across this issue (and related others, e.g. https://bitbucket.org/atlassian/swagger-request-validator/issues/208/add-ability-to-ignore-extra-properties-of) while investigating why many of my responses failed validation even though they seemed fine.

It seems swagger-request-validator considers additionalProperties: false to be the default value when unspecified? But reading through the Swagger 2 spec here:

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#schema-object

it refers to the JSON Schema spec for validation of additional properties, which in turn has this to say:

https://json-schema.org/latest/json-schema-validation.html#rfc.section.6.5.6

"Omitting this keyword has the same behavior as an empty schema." (which is also the behavior of additionalProperties: true, since true is a JSON Schema that always passes validation).

So it seems swagger-request-validator is doing the opposite of the intent of Swagger 2 here? I can’t speak for OpenAPI v3 as I haven’t spent any appreciable time using it.

I understand suddenly switching to defaulting to additionalProperties: true would break backwards compatibility, and or possibly the authors chose false as a default on purpose (after all it fits better with some situations), so might it be a configuration option instead? The solution proposed in ~~#208~~, to lower the severity of additionalProperties violations, is not entirely satisfactory; I still want to raise validation errors on invalid additionalProperties after all.

2019-07-26T09:40:24+00:00

Comments (3)

Fabrice Gabolde
I have come across this issue (and related others, e.g. https://bitbucket.org/atlassian/swagger-request-validator/issues/208/add-ability-to-ignore-extra-properties-of) while investigating why many of my responses failed validation even though they seemed fine.

It seems swagger-request-validator considers additionalProperties: false to be the default value when unspecified? But reading through the Swagger 2 spec here:

https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#schema-object

it refers to the JSON Schema spec for validation of additional properties, which in turn has this to say:

https://json-schema.org/latest/json-schema-validation.html#rfc.section.6.5.6

"Omitting this keyword has the same behavior as an empty schema." (which is also the behavior of additionalProperties: true, since true is a JSON Schema that always passes validation).

So it seems swagger-request-validator is doing the opposite of the intent of Swagger 2 here? I can’t speak for OpenAPI v3 as I haven’t spent any appreciable time using it.

I understand suddenly switching to defaulting to additionalProperties: true would break backwards compatibility, and or possibly the authors chose false as a default on purpose (after all it fits better with some situations), so might it be a configuration option instead? The solution proposed in ~~#208~~, to lower the severity of additionalProperties violations, is not entirely satisfactory; I still want to raise validation errors on invalid additionalProperties after all.
- 2019-07-26T09:40:24+00:00
James Navin reporter
Resolving this issue and moving discussion to #271
- 2020-07-22T23:44:53+00:00
James Navin reporter
- changed status to resolved
- 2020-07-22T23:44:59+00:00
Log in to comment