Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unexpected behavior with removeAdditional and minProperties #2376

Closed
Vladislao opened this issue Feb 6, 2024 · 3 comments
Closed

Unexpected behavior with removeAdditional and minProperties #2376

Vladislao opened this issue Feb 6, 2024 · 3 comments
Labels
bug report limitation wontfix

Comments

@Vladislao
Copy link

What version of Ajv are you using? Does the issue happen if you use the latest version?
ajv@8.12.0

Ajv options object

{
  removeAdditional: true
}

JSON Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "additionalProperties": false,
  "minProperties": 1,
  "type": "object",
  "properties": {
    "good": {
      "type": "string"
    }
  },
  "required": []
}

Sample data

{ "bad": "will be removed" }

Your code

const Ajv = require("ajv");
const ajv = new Ajv(options);

const validate = ajv.compile(schema);

console.log(validate(data));
console.log(validate.errors);
console.log(data);

Working code sample:
https://runkit.com/vladislao/65c2a14a50acdd0009747ee5

Validation result, data AFTER validation, error messages

true
null
{}

What results did you expect?

The validation is expected to fail given the constraints of minProperties: 1 and additionalProperties: false. While it may be apparent in isolated examples that removing properties can lead to such behavior, the issue becomes less obvious when Ajv is used indirectly, such as in Fastify where Ajv is the default validation tool. This situation can easily lead to errors, allowing empty objects to slip through the validation process and potentially causing unexpected behavior and security issues in applications.

Related to fastify/fastify#5104
@Vladislao Vladislao changed the title Unexpected behavior with removeAdditional and minProperties in Ajv Unexpected behavior with removeAdditional and minProperties Feb 6, 2024
@Vladislao
Copy link
Author

Just to clarify: the combination of additionalProperties: false and removeAdditional: true effectively disables the minProperties constraint, since it will be a no-brainer to submit improper data to bypass the constraint.

@jasoniangreen
Copy link
Collaborator

jasoniangreen commented May 12, 2024
edited

Hi @Vladislao I have confirmed the behaviour you have highlighted, thanks for bringing it to our attention. It is a tough one because it all comes down to the order of evaluation of the various parts of this schema / options. Changing it could impact thousands of projects relying on the specific current order.

There is a way to control the order of execution by using the allOf keyword. You can see this example here where I have split the minProperties from the rest of the schema to ensure it is evaluate after the property is removed.

https://runkit.com/jasoniangreen/ajv-issue-2376

I will continue to think about it however to understand if something can be improved.

@jasoniangreen
Copy link
Collaborator

Given the risk of changing the order of execution I think this is a wontfix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug report limitation wontfix
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jasoniangreen @Vladislao