OpenAPI 3.0: no validation for request body parameters in try it out #9673
Comments
It looks to me like we don't validate parameters at all for When checking for required fields, we skip the JSON validation: swagger-ui/src/core/plugins/oas3/selectors.js Lines 270 to 272 in 834fe0a
If the request content type is set to `application/x-www-form-urlencoded`, the validation of required parameters is being done, although it looks to me like it might be missing for arrays. There's also no validation of types. In the screenshot, `id` is a string instead of integer and the `photoUrls` array is empty but there's no error. The required `name` is correctly shown as missing.
Here's the result of execution with correctly added

It looks like the only validation for
There is also an issue with OpenAPI 2.0 - we don't validate required parameters in bodies but we do validate their types. It seems that the issue lies here: Lines 488 to 494 in 1ce9ce0
We should be using For OpenAPI 3.0, it looks like here
we're not getting the parameters for request body because, from looking at the OAS3 reducers, ex. here
we're setting them in a different path that isn't being checked when we get the params. We have a method that should be validating request body separately
but it looks like we don't check the types of values there at all and, as mentioned before:
Again, I remain unconvinced that the client should be validating the input; it should be down to the server to validate what is being sent. There are good reasons why you may want to send invalid payloads from the client.
Describe the bug you're encountering
Swagger UI does not show validation errors on try it out for object parameters in OpenAPI 3.0 specifications.
To reproduce...
Steps to reproduce the behavior:
/store/order
POST requestid
totest
Expected behavior
Swagger UI should validate incorrect input and show validation errors to the user. The errors will show for 2.0 specifications and for primitive parameters in 3.0:
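The checks this report asks for (required fields, value types, array items) can be sketched as below. This is an added example, not part of the issue and not swagger-ui's code: `typeMatches`, `isMissing`, `validateBody` and the sample schema are hypothetical names, and treating an empty array as a missing required value is an assumption taken from the behaviour the report expects.

```javascript
// Added example (not swagger-ui code): validate a JSON request body against an
// OpenAPI 3.0 schema object. $ref, oneOf/anyOf/allOf and formats are out of scope.
function typeMatches(type, value) {
  switch (type) {
    case "integer": return Number.isInteger(value);
    case "number": return typeof value === "number" && Number.isFinite(value);
    case "string": return typeof value === "string";
    case "boolean": return typeof value === "boolean";
    case "array": return Array.isArray(value);
    case "object": return value !== null && typeof value === "object" && !Array.isArray(value);
    default: return true; // no or unknown type: nothing to check
  }
}

// Assumption: a required value counts as missing when it is absent, null,
// an empty string, or an empty array.
function isMissing(value) {
  return value === undefined || value === null || value === "" ||
    (Array.isArray(value) && value.length === 0);
}

function validateBody(schema, value, path = "body") {
  if (!typeMatches(schema.type, value)) {
    return [`${path}: expected ${schema.type}`];
  }
  const errors = [];
  if (schema.type === "object") {
    // Report required fields first, then type-check the properties that are present.
    const missing = new Set((schema.required || []).filter((n) => isMissing(value[n])));
    for (const name of missing) errors.push(`${path}.${name}: required field is missing`);
    for (const [name, propSchema] of Object.entries(schema.properties || {})) {
      if (value[name] !== undefined && !missing.has(name)) {
        errors.push(...validateBody(propSchema, value[name], `${path}.${name}`));
      }
    }
  } else if (schema.type === "array" && schema.items) {
    value.forEach((item, i) => errors.push(...validateBody(schema.items, item, `${path}[${i}]`)));
  }
  return errors;
}

// Constructed schema and payload, using the field names mentioned in the thread.
const petSchema = { type: "object", required: ["name", "photoUrls"], properties: {
  id: { type: "integer" }, name: { type: "string" },
  photoUrls: { type: "array", items: { type: "string" } } } };
const badBody = JSON.parse('{"id": "test", "photoUrls": []}');
console.log(validateBody(petSchema, badBody));
```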