-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Paths without a leading /
are silently accepted
#86
Comments
Per https://tools.ietf.org/html/rfc6901#section-3:
Per http://jsonpatch.com/#json-pointer:
In addition to incorrectly accepting "bogus/...", looking briefly at the testcases, it doesn't look like "" or "/" are handled properly either. Again, any changes should consider the behavior change impact on currently accepted patches |
Good catch! So because the current behavior is pretty weird and probably not useful, it's pretty safe to assume we won't be breaking compatibility by just rejecting paths that don't have a leading |
you underestimate how much people thrash to get a patch applying (c.f. kubernetes/kubernetes#81381 (comment)) :) |
Ooof. I guess it makes sense that they'd trash around and find out you can put garbage on the beginning. I don't want to make life harder for package users, but do want to just fix this obvious bug. I'm open to all options, including a configuration flag to configure the proper behavior so folks can opt in safely. For kubernetes, if you want to retain the current, buggy behavior, either you could use a version of jsonpatch that allows for configuration of this new, proper behavior. Or we could make it a hard error and you could detect and prepend I'm really open to all options here. |
I looked really hard for examples of mistaken patches like Tests should probably also be added for these special cases as well (which are valid and should not error):
|
Totally agree. I'll get this coded up into a PR for you to review shortly. |
Thanks, sounds good |
Azure AD will send
(without the leading How can we support this case, which seems to contradict what's expected from Kubernetes API? |
That's not a valid patch path, is it? |
@liggitt after reading and learning more about the RFC6902 it definitely looks like the case. I don't think I have an alternative on Azure side of things though. It looks very odd to me that they're sending wrong requests that do not respect the standard... I'll keep researching for alternatives 😢 |
Yeah, it's definitely invalid. The path is a jsonpointer, which is defined as "zero or more segments each prefixed with /" |
I've run into this too.. particularly the rejection of Any progress on this? |
Same -- |
Dropped the ball on this one, need to get back to it. |
That assumption is breaking valid JSONPatches #142 |
Would it make sense to create a new version clearly stating the breaking compatibility change? |
So, do we agree that paths like If #134 is implemented first, this validation could be be as simple as using a custom type for |
I guess I really dropped the ball on this, gonna leave the current behavior. |
The JSONPatch library splits the path by / and discards the first segment, assuming it is empty:
json-patch/patch.go
Lines 338 to 344 in cb8f3b5
This means that an operation with a patch like
bogus/path/to/item
will successfully apply to/path/to/item
Seen in kubernetes/kubernetes#81422
Before fixing this, we should consider the compatibility implications of rejecting patches that were previously accepted.
The text was updated successfully, but these errors were encountered: