v0.10.0: Strict Mode #211
Merged
v0.10.0: Strict Mode #211
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
provides a new ‘strict mode’ engine for the validator. This is a community requested feature that will scan for undisclosed properties (noise vs signal). Anything that is submitted in a schema that is not explicitly defined (regardless of additionalProperties) will be reported.
When a security requirement has multiple schemes (AND logic), the old code would return true immediately when ANY single scheme passed, ignoring the others. This was wrong - ALL schemes in an AND requirement must pass. Refactored ValidateSecurityWithPathItem to: 1. For each security requirement (OR'd): check ALL schemes within it (AND'd) 2. Only pass if an entire requirement (all its schemes) passes 3. Try next requirement if current one fails This also fixed incorrect behavior where specs with security alternatives like api_key OR oauth2 would fail even when OAuth2 (unvalidated, so considered "passed") should satisfy the requirement. Tests and examples were updated to reflect correct behavior.
Path matching is now handled correctly.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #211 +/- ##
==========================================
+ Coverage 97.10% 97.55% +0.44%
==========================================
Files 45 56 +11
Lines 4048 5122 +1074
==========================================
+ Hits 3931 4997 +1066
- Misses 117 125 +8
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR introduces "Strict Mode," an optional validation feature that detects undeclared properties in API requests and responses, even when additionalProperties: true would normally allow them. This enables stronger API governance by ensuring clients only send properties explicitly documented in the OpenAPI specification.
Key Changes:
- New
strictpackage with comprehensive validation logic for bodies, headers, query parameters, and cookies - Support for polymorphic schemas (oneOf/anyOf/allOf) with per-branch validation
- Configurable ignore patterns using glob syntax (e.g.,
$.body.metadata.*) - Respects readOnly/writeOnly semantics based on request vs response direction
Reviewed changes
Copilot reviewed 44 out of 45 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| validator.go | Added deterministic error sorting, updated copyright header |
| validator_test.go | Added strict mode integration tests, updated copyright |
| validator_examples_test.go | Updated examples to reflect security validation changes |
| strict/validator.go | Core validation entry points for bodies, headers, query params, cookies |
| strict/validator_test.go | Comprehensive 6000+ line test suite covering all scenarios |
| strict/types.go | Type definitions, Direction enum, traversal context with cycle detection |
| strict/utils.go | Path building utilities and glob pattern compilation |
| strict/schema_walker.go | Schema traversal with additionalProperties handling |
| strict/property_collector.go | Property collection from schemas including dependent schemas |
| strict/polymorphic.go | Complex handling for allOf/oneOf/anyOf validation |
| strict/matcher.go | Schema matching for variant selection with caching |
| strict/headers.go | Header validation with default ignore lists |
| strict/array_validator.go | Array validation with prefixItems and unevaluatedItems |
| requests/validate_request.go | Integration of strict validation into request pipeline |
| responses/validate_response.go | Integration of strict validation into response pipeline |
| responses/validate_headers.go | Header validation integration with strict mode |
| responses/validate_body_test.go | Tests for strict mode in response validation |
| requests/validate_body_test.go | Tests for strict mode in request validation |
| paths/specificity.go | New path specificity scoring for better path matching |
| openapi_vocabulary/vocabulary.go | Added Version32 constant |
The implementation is thorough, well-tested, and follows good software engineering practices with proper cycle detection, caching, and error handling. No critical issues identified.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Strict mode is an optional validation feature that detects undeclared properties in API requests and responses, even when the OpenAPI schema would normally allow them via
additionalProperties: true.In standard JSON Schema validation, setting
additionalProperties: true(or omitting it entirely) permits any extra properties beyond those explicitly defined.Strict mode overrides this permissive behavior to enforce API governance, ensuring that clients only send properties explicitly documented in the OpenAPI specification.
It supports configurable ignore patterns (using glob syntax like
$.body.metadata.*) to exclude specific paths, and has sensible defaults for common HTTP headers that are typically not documented in specs.Strict mode respects
readOnlyandwriteOnlysemantics based on whether validation is for a request or response.https://pb33f.io/libopenapi/validation/#strict-mode-validation