New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: explicity set additionalProperties to false if set to true and … #38
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this makes sense.
I can't think of any unintended side effects of this, with the notable exception being that any customer that currently has this enabled will potentially have their contracts break.
This is a manageable thing though, and we can release comms/update docs as needed.
Looks ok to me. Only thing is, the files in |
Hmmm. yeah I did think that, but thought that wasn't the yak to be shaving right now. I would also agree that the dist folder isn't relevant in here, we distribute as an npm package that can be executed easily with |
5bfe608
to
82f2a3b
Compare
even if set to true in OAS unless --additionalPropertiesInResponse true
There is one final case that’s not currently considered in the release above - where additionalProperties is set to an schema. For example, given this definition: Pet:
type: object
required:
- name
- photoUrls
additionalProperties:
type: string
properties:
id:
type: integer
format: int64
category:
$ref: '#/definitions/Category'
name:
type: string
example: doggie this body would be allowed: "body": {
"someField": "some string"
} this body would not ( "body": {
"someField": "some string",
"foo": 1
} Clearly, in some cases, this behaviour could lead to dangerous outcomes. In other cases, it could make complete sense - for example, an API that responds with dynamic keys. This scenario is hard to police, because you can also put in a strict subschema that specifies specifically what fields are and are not allowed. So for now, I think it’s the right decision to leave this as is, but I wanted to document it against the issue so we have a trace of it. |
I've created an example project that shows how to effectively allow |
…opts.additionalPropertiesInResponse is false
cc @vwong / @mefellows
output
This doesn't fail, against the master build. The https://petstore.swagger.io/v2/swagger.json has been downloaded and modified, to explicitly add
additionalProperties: true
in thePet
schema