BaseModel body validation can be bypassed if List is passed with extra parameters

[TomaszBorczyk]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi import APIRouter, FastAPI
from pydantic import BaseModel
from starlette.responses import Response


class Model(BaseModel, extra='forbid'):
    id: str


router = APIRouter()


@router.post("/answer")
async def answer_the_question(data: Model) -> Response:
    pass


def create_app():
    app = FastAPI()
    app.include_router(router)

    return app

Description

Consider above code.
Endpoint /answer accepts data that should be of format {"id": str}
Save above code as main.py and run with uvicorn --factory main:create_app --port=8009 --reload

Responses from the following data are correct:
a) {"id": "mock_id"} - 200
b) {"id": "mock_id", "invalid": 123} - 422 (extra not permitted)
c) [{"id": "mock_id"}] - 422 (value is not a valid dict)

This is not correct behavior:
d) [{"id": "mock_id", "invalid": 123}] - 200 - this should be an invalid input data (same as in c))

Example curl POST request with invalid data that passes:

curl -i --location --request POST 'http://localhost:8009/answer' \
--header 'Content-Type: application/json' \
--data-raw '[{"id": "mock_id", "invalid": 123}]'

I tried to debug this and noticed that this line: https://github.com/tiangolo/fastapi/blob/0.88.0/fastapi/dependencies/utils.py#L696
does not return validation errors for d). I was not able to debug it deeper, as for some reason I could not break inside ModelField::validate method
Upon further inspection it turned out that ModelField is part of pydantic's private API (similar issue as here: #1275 (comment)), so technically it could be a problem on pydantic's side, but can also mean that Fastapi is misusing that private api (and it's none of pydantic's business)

Operating System

macOS

Operating System Details

No response

FastAPI Version

0.88.0

Python Version

3.10.8

Additional Context

No response

[pwango]

I met a similar problem, too. I post some info for frontend using react, antd and axios, but 422 code appeared before 200 code.

[YuriiMotov]

Works fine in current version