1. Atlassian Avatar Atlassian
  2. Tooling and Automation
  3. swagger-request-validator
  4. Issues

Required, empty fields are mistakenly validated as missing but might be valid

Issue #61 open
Sven Döring created an issue

An required, empty string parameter will result in "validation.request.parameter.missing". This is wrong because the parameter is available and therefore not missing.

If a string shall not be empty a pattern or a minLength shall be set in the Swagger definition.

The same goes for an empty array. If an array is required but empty this parameter is not missing. If an array shall not be empty the minItems shall be set in the Swagger definition.

A related problem is a required but empty number-string. The parameter is available and not missing. A more appropriate message key could be possible. "validation.request.parameter.empty" or "validation.request.parameter.invalidFormat" - as an empty string does not contain any parsable number.

The same goes for empty values which should be mapped to an enum. The parameter is available and not missing. A more appropriate message key could be possible. "validation.request.parameter.empty" or "validation.request.parameter.enum.invalid" - as an empty string can not match against any enum value.

Comments (5)

  1. James Navin

    Re string/number values etc. - according to the spec empty values are only allowed for required parameters if allowEmptyValue is true (see https://swagger.io/specification/#parameterObject). I think its valid to emit the missing parameter message in those cases, but I can definitely see a case for a more specific message - e.g. "Param X is marked as required and has been specified but has no value".

    I think your suggestion of validation.request.parameter.empty in this scenario makes a lot of sense.

    The empty array case is definitely a bug - re-reading the spec https://tools.ietf.org/html/draft-fge-json-schema-validation-00#section-5.3.3 the default value for minItems is 0, which means that an empty array is indeed not missing and shouldnt be reported as such.

  3. James Navin

    Addressed most of this in https://bitbucket.org/atlassian/swagger-request-validator/pull-requests/176 (available in v2.10.3).

    This PR adds support for allowEmptyValues for String params, and fixes the behavior for empty arrays.

    In the end I elected to keep validation.request.parameter.missing for empty required non-String params rather than returning an validation.request.parameter.invalidFormat error as in my opinion it better represents the likely problem.

    Work remaining:

    • Add a new error for empty required non-String params that clarifies that the param has been supplied with an empty string

    In looking at this issue I uncovered a regression in the handling of array params - raised as #290.

  4. Sirisha Goka

    I’m still facing the exception “validation.request.parameter.missing” when “required” =true and “allowEmptyValues = true” for String params.

    I observed this is happening in the below code in RequestValidator.java@417 prior to ParameterValidator.java where the check has been made for “allowEmptyValues”

        if (parameterValues.isEmpty() && TRUE.equals(parameter.getRequired())) {
        return ValidationReport.singleton(
                messages.get(missingKey, parameter.getName(), apiOperation.getApiPath().original())
        ).withAdditionalContext(context);
    }

  5. James Navin

    Can you attach an example API spec and request that generates the problem?

    The piece of code you have highlighted is checking that there are any values for the given parameter name. For an “empty” param you would get a list with a single value with an empty string, which would pass this check and proceed to the parameter validation step.

  6. Log in to comment
Assignee
Type
bug
Priority
major
Status
open
Votes
1
Watchers
3