Skip to content

Treat the absence of additionalProperties similarly to false. #1528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 31, 2025
Merged

Treat the absence of additionalProperties similarly to false. #1528

merged 1 commit into from
Jul 31, 2025

Conversation

@ubik2
Copy link
Contributor

@ubik2 ubik2 commented Jul 31, 2025
edited by cubic-dev-ai bot
Loading

JSONSchema defaults this to true, but we want an intermediate behavior where if it's missing, we don't traverse the property, but we also don't reject the object as invalid.

The {} value is still treated as a true schema, and will traverse the property values.

Summary by cubic

Changed how missing additionalProperties in JSONSchema is handled. Now, if additionalProperties is not set, we skip traversing unknown properties but do not mark the object as invalid.

  • Bug Fixes
    • Updated schema traversal logic to treat absent additionalProperties as "do not traverse" instead of defaulting to true.
    • Added tests to cover this behavior.

@ubik2
Treat the absense of additionlProperties similarly to false.
8878c1b 
JSONSchema defaults this to true, but we want an intermediate behavior where if it's missing, we don't traverse the property, but we also don't reject the object as invalid.
@ubik2 ubik2 requested a review from seefeldb July 31, 2025 00:22
seefeldb
seefeldb approved these changes Jul 31, 2025
View reviewed changes
packages/runner/src/traverse.ts
// don't invalidate the object, but also don't descend down
// into that property.
if (propSchema === undefined) {
filteredObj[propKey] = propValue;
Copy link
Contributor

@seefeldb seefeldb Jul 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we even assign it? It shouldn't be sent to an untrusted function (i.e. CFC will base it's decision on the assumption it isn't sent)

Copy link
Contributor Author

@ubik2 ubik2 Jul 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the current use cases, this lets you have a required property that's in the additionalProperties.
The returned object isn't actually used right now, so it's not a CFC issue (we will return the entire doc for each doc we use). If we do want to prevent it from being included, we can also specify additionalProperties false.

However, when evaluating this to determine whether we can access a field, it might be best to prevent reads/writes. I'll keep this in mind when I tackle that.

@ubik2 ubik2 merged commit e8d2d64 into main Jul 31, 2025
8 checks passed
@ubik2 ubik2 deleted the feat/additional-properties-ignore branch July 31, 2025 03:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seefeldb seefeldb seefeldb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ubik2 @seefeldb