ahx / openapi_first

openapi_first is a Ruby gem for request / response validation and contract-testing against an OpenAPI API description. It makes APIFirst easy and reliable.
MIT License

validation of string format uri wrongly fails with relative paths #244

Closed neongrau closed 4 months ago

neongrau commented 4 months ago

Just ran across some new issue during response validation

Response body is invalid: value at /data/attributes/image does not match format: uri

According to OpenAPI https://spec.openapis.org/registry/format/uri they refer to https://www.rfc-editor.org/rfc/rfc3986.html which allows relative paths.

Same stated explicitly at https://swagger.io/specification/

Or am I misinterpreting something?

ahx commented 4 months ago

I think you are looking for uri-reference not uri https://json-schema.org/understanding-json-schema/reference/string

neongrau commented 4 months ago

Not really. The field usually refers to an S3 URL. But if not set, it defaults to a local placeholder. I could change to an absolute URL though OpenAPI says the local relative URL is good.

ahx commented 4 months ago

I think you are right. I have tried two (1, 2) other schema validation libraries and they indeed seem to behave differently from json_schemer in this case.

irb(main):004> JSONSchemer.schema({'type' => 'string', 'format' => 'uri' }, meta_schema: 'https://spec.openapis.org/oas/3.1/dialect/base').valid?('/data/foo/bar')
=> false

irb(main):006> JSONSchemer.schema({'type' => 'string', 'format' => 'uri-reference' }, meta_schema: 'https://spec.openapis.org/oas/3.1/dialect/base').valid?('/data/foo/bar')
=> true

I am not sure json_schemer is wrong here, though, since this section of the JSON Schema spec does not really clarify things for me.

neongrau commented 4 months ago

Hmm odd, but I think ChatGPT summed it up nicely:

URI (format: uri): The uri format specifies that a string attribute represents a Uniform Resource Identifier (URI). However, it doesn't specify whether relative paths are allowed or not. It's up to the interpretation of the attribute's value and the context in which it's used. In practice, many implementations of OpenAPI treat uri as a broad category that includes both absolute and relative URIs, but this isn't strictly enforced by the specification.

URI-Reference (format: uri-reference): The uri-reference format specifically allows URI references, which can include both absolute and relative URIs, as well as fragment identifiers. This format is suitable when you want to allow a broader range of URI-like values, including relative paths, in your attribute.

Well going to switch everything to uri-reference to be safe then.

neongrau commented 4 months ago

Just ran across this https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#relative-references-in-urls
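An added example, not part of the thread and not code from openapi_first or json_schemer: a small lint that walks a schema and a response body together and reports the JSON pointers of values that are relative references but declared as `format: uri`, which is the mismatch behind the error above. It uses Ruby's standard `URI` parser and treats "has a scheme" as the RFC 3986 line between a URI and a relative reference; the function names, the schema and the response values are constructed for illustration.

```ruby
require 'uri'

# Classify a string per RFC 3986: :uri (has a scheme), :relative_ref
# (valid only as a uri-reference), or :invalid (parses as neither).
def classify_reference(value)
  return :invalid unless value.is_a?(String)
  URI.parse(value).scheme ? :uri : :relative_ref
rescue URI::InvalidURIError
  :invalid
end

# Return the JSON pointers of values declared `format: uri` in the schema
# that are only relative references in the data.
# Assumption: only nested objects with `properties` are walked.
def relative_values_declared_as_uri(schema, data, pointer = '')
  if schema['format'] == 'uri'
    return classify_reference(data) == :relative_ref ? [pointer] : []
  end
  return [] unless data.is_a?(Hash)
  schema.fetch('properties', {}).flat_map do |name, sub_schema|
    next [] unless data.key?(name)
    relative_values_declared_as_uri(sub_schema, data[name], "#{pointer}/#{name}")
  end
end

# Constructed schema: two fields declared uri, one declared uri-reference.
SCHEMA = {
  'type' => 'object',
  'properties' => { 'data' => { 'type' => 'object', 'properties' => {
    'attributes' => { 'type' => 'object', 'properties' => {
      'image'     => { 'type' => 'string', 'format' => 'uri' },
      'thumbnail' => { 'type' => 'string', 'format' => 'uri' },
      'self'      => { 'type' => 'string', 'format' => 'uri-reference' }
    } }
  } } }
}.freeze

# Constructed response: `image` falls back to a local placeholder path.
RESPONSE = { 'data' => { 'attributes' => {
  'image'     => '/data/foo/bar',
  'thumbnail' => 'https://bucket.example/img.png',
  'self'      => '/items/1'
} } }.freeze

puts relative_values_declared_as_uri(SCHEMA, RESPONSE) if __FILE__ == $PROGRAM_NAME
```

Each pointer it reports is a field to redeclare as `uri-reference` in the API description, or a value to make absolute in the response.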