Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

json-schema-secure.json fails strict type validation in v7 #1373

Closed
aarongoldenthal opened this issue Dec 29, 2020 · 5 comments
Closed

json-schema-secure.json fails strict type validation in v7 #1373

aarongoldenthal opened this issue Dec 29, 2020 · 5 comments
Labels
docs enhancement

Comments

@aarongoldenthal
Copy link

What version of Ajv are you using? Does the issue happen if you use the latest version?

v7.0.2

JSON Schema

The schema in /lib/refs/json-schema-secure.json fails strict type validation in v7 and return the following errors when running a security check as documented at https://github.com/ajv-validator/ajv/blob/master/docs/security.md#security-risks-of-trusted-schemas:

strict mode: missing type "object" for keyword "dependencies" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#" (strictTypes)
strict mode: missing type "object" for keyword "properties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#" (strictTypes)
strict mode: missing type "object" for keyword "required" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/patternProperties" (strictTypes)
strict mode: missing type "object" for keyword "properties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/patternProperties" (strictTypes)
strict mode: missing type "object" for keyword "required" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/patternProperties/properties/propertyNames" (strictTypes)
strict mode: missing type "object" for keyword "properties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/uniqueItems/if" (strictTypes)
strict mode: missing type "object" for keyword "properties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/uniqueItems/if/properties/items" (strictTypes)
strict mode: missing type "object" for keyword "required" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/uniqueItems/then" (strictTypes)
strict mode: missing type "object" for keyword "required" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/pattern" (strictTypes)
strict mode: missing type "object" for keyword "required" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/dependencies/format" (strictTypes)
strict mode: missing type "object" for keyword "additionalProperties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/properties/dependencies" (strictTypes)
strict mode: missing type "object" for keyword "additionalProperties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/properties/definitions" (strictTypes)
strict mode: missing type "object" for keyword "additionalProperties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/properties/patternProperties" (strictTypes)
strict mode: missing type "object" for keyword "additionalProperties" at "https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#/properties/properties" (strictTypes)

This can be worked around by using strictTypes: false.
@epoberezkin
Copy link
Member

Thank you! This schema needs to be updated to be compatible with the strict mode. For now - you need to disable strict mode (with {strict: false}) to use it.

@epoberezkin
Copy link
Member

or maybe even {strictTypes: false} would be sufficient to suppress these warnings

@epoberezkin
Copy link
Member

epoberezkin commented Jan 2, 2021
edited
Loading

Actually, this schema should be used with strictTypes: false, there is nothing that needs to be changed other than maybe the note in the docs (added). The reason for that is that a schema can be a boolean value.

Also, for draft-2019-09 a more concise version of this schema can be created using recursive references, that would also validate schema against draft-2019-09 meta-schema.

epoberezkin added a commit that referenced this issue Jan 2, 2021
@epoberezkin
docs: add option to the example using json-schema-secure schema (#1373)
9200e92
@aarongoldenthal
Copy link
Author

Thanks for the clarification @epoberezkin

@dependabot dependabot bot mentioned this issue Mar 6, 2021
Closed
@dalcib dalcib mentioned this issue Apr 11, 2021
Merged
@ssbarnea ssbarnea mentioned this issue Apr 30, 2021
Closed
@belemaire belemaire mentioned this issue Jun 14, 2021
Merged
andriyl pushed a commit to Redocly/ajv that referenced this issue Jun 16, 2021
@epoberezkin @andriyl
docs: add option to the example using json-schema-secure schema (ajv-…
5565759 
…validator#1373)
@javierguzman
Copy link

strict: false

Hello @epoberezkin , is there a page or source where I could take a look at how to update "an old schema" to the new way of doing things (strict mode)? I did not update my project for a while and now I have update ajv I am getting a ton of errors like the one reported here.

Thank you in advance and regards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs enhancement
Milestone
No milestone
Development

No branches or pull requests
3 participants
@javierguzman @epoberezkin @aarongoldenthal