Validation result, data AFTER validation, error messages
true
null
{}
What results did you expect?
The validation is expected to fail given the constraints of minProperties: 1 and additionalProperties: false. While it may be apparent in isolated examples that removing properties can lead to such behavior, the issue becomes less obvious when Ajv is used indirectly, such as in Fastify where Ajv is the default validation tool. This situation can easily lead to errors, allowing empty objects to slip through the validation process and potentially causing unexpected behavior and security issues in applications.
Vladislao changed the title from "Unexpected behavior with removeAdditional and minProperties in Ajv" to "Unexpected behavior with removeAdditional and minProperties" on Feb 6, 2024
Just to clarify: the combination of additionalProperties: false and removeAdditional: true effectively disables the minProperties constraint, since it will be a no-brainer to submit improper data to bypass the constraint.
Hi @Vladislao I have confirmed the behaviour you have highlighted, thanks for bringing it to our attention. It is a tough one because it all comes down to the order of evaluation of the various parts of this schema / options. Changing it could impact thousands of projects relying on the specific current order.
There is a way to control the order of execution by using the allOf keyword. You can see this example here where I have split the minProperties from the rest of the schema to ensure it is evaluated after the property is removed.
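The evaluation-order effect and the allOf split discussed in the comment above, as an added example that is not part of the original thread and is not Ajv's code: a toy evaluator that assumes minProperties runs before additional properties are stripped, the order that matches the reported result. The `name` property, the `unexpected` key and the `checkTwice` helper are constructed for illustration.

```javascript
// Added example: a toy keyword evaluator, NOT Ajv's implementation.
// Assumption: keywords run in the fixed ORDER below, which matches the result
// reported in this issue (minProperties is checked before keys are removed).
const ORDER = ["minProperties", "additionalProperties", "allOf"];

const KEYWORDS = {
  minProperties: (min, data) => Object.keys(data).length >= min,
  // With removeAdditional set, unknown keys are deleted instead of rejected.
  additionalProperties(allowed, data, schema, opts) {
    if (allowed !== false) return true;
    const known = Object.keys(schema.properties || {});
    const extra = Object.keys(data).filter((k) => !known.includes(k));
    if (!opts.removeAdditional) return extra.length === 0;
    extra.forEach((k) => delete data[k]);
    return true;
  },
  // Subschemas run in array order; each one sees earlier mutations.
  allOf: (subs, data, _schema, opts) => subs.every((s) => validate(s, data, opts)),
};

function validate(schema, data, opts) {
  return ORDER.filter((k) => k in schema)
    .every((k) => KEYWORDS[k](schema[k], data, schema, opts));
}

// Constructed schemas: "name" is a placeholder property, not from the issue.
const flat = { properties: { name: {} }, additionalProperties: false, minProperties: 1 };
// allOf split: removal in the first branch, minProperties in the second.
const split = {
  allOf: [
    { properties: { name: {} }, additionalProperties: false },
    { minProperties: 1 },
  ],
};

function check(schema, input, opts = { removeAdditional: true }) {
  const data = { ...input }; // validation mutates, so work on a copy
  return { valid: validate(schema, data, opts), data };
}

// Hypothetical guard: accept only if the stripped data still validates.
function checkTwice(schema, input, opts = { removeAdditional: true }) {
  const first = check(schema, input, opts);
  return first.valid ? check(schema, first.data, opts) : first;
}

console.log("flat :", check(flat, { unexpected: 1 }));
console.log("split:", check(split, { unexpected: 1 }));
console.log("twice:", checkTwice(flat, { unexpected: 1 }));
```

In this model the flat schema accepts `{ unexpected: 1 }` and leaves `{}` behind, while the split schema and the second validation pass both reject it.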
What version of Ajv are you using? Does the issue happen if you use the latest version?
ajv@8.12.0
Ajv options object
JSON Schema
Sample data
Your code
Working code sample:
https://runkit.com/vladislao/65c2a14a50acdd0009747ee5
Related to fastify/fastify#5104