Required, empty fields are mistakenly validated as missing but might be valid
An required, empty string parameter will result in "validation.request.parameter.missing". This is wrong because the parameter is available and therefore not missing.
If a string shall not be empty a pattern or a minLength shall be set in the Swagger definition.
The same goes for an empty array. If an array is required but empty this parameter is not missing. If an array shall not be empty the minItems shall be set in the Swagger definition.
A related problem is a required but empty number-string. The parameter is available and not missing. A more appropriate message key could be possible. "validation.request.parameter.empty" or "validation.request.parameter.invalidFormat" - as an empty string does not contain any parsable number.
The same goes for empty values which should be mapped to an enum. The parameter is available and not missing. A more appropriate message key could be possible. "validation.request.parameter.empty" or "validation.request.parameter.enum.invalid" - as an empty string can not match against any enum value.
Comments (5)
-
-
- changed status to open
-
Addressed most of this in https://bitbucket.org/atlassian/swagger-request-validator/pull-requests/176 (available in v2.10.3).
This PR adds support for
allowEmptyValues
for String params, and fixes the behavior for empty arrays.In the end I elected to keep
validation.request.parameter.missing
for empty required non-String params rather than returning anvalidation.request.parameter.invalidFormat
error as in my opinion it better represents the likely problem.Work remaining:
- Add a new error for empty required non-String params that clarifies that the param has been supplied with an empty string
In looking at this issue I uncovered a regression in the handling of array params - raised as
#290.
-
I’m still facing the exception “
validation.request.parameter.missing”
when “required” =true and “allowEmptyValues = true” for String params.I observed this is happening in the below code in RequestValidator.java@417 prior to ParameterValidator.java where the check has been made for “allowEmptyValues”
if (parameterValues.isEmpty() && TRUE.equals(parameter.getRequired())) { return ValidationReport.singleton( messages.get(missingKey, parameter.getName(), apiOperation.getApiPath().original()) ).withAdditionalContext(context); }
-
Can you attach an example API spec and request that generates the problem?
The piece of code you have highlighted is checking that there are any values for the given parameter name. For an “empty” param you would get a list with a single value with an empty string, which would pass this check and proceed to the parameter validation step.
- Log in to comment
Re string/number values etc. - according to the spec empty values are only allowed for required parameters if
allowEmptyValue
istrue
(see https://swagger.io/specification/#parameterObject). I think its valid to emit the missing parameter message in those cases, but I can definitely see a case for a more specific message - e.g. "Param X is marked as required and has been specified but has no value".I think your suggestion of
validation.request.parameter.empty
in this scenario makes a lot of sense.The empty array case is definitely a bug - re-reading the spec https://tools.ietf.org/html/draft-fge-json-schema-validation-00#section-5.3.3 the default value for minItems is 0, which means that an empty array is indeed not missing and shouldnt be reported as such.