apigee-127 / swagger-tools

A Node.js and browser module that provides tooling around Swagger.
MIT License

Bug in Validating Request MIME Type #551

Closed bricka closed 6 years ago

bricka commented 6 years ago

Hello! I have just found a bug in the way that swagger-tools validates request headers.

Specifically, I have this API:

    put:
      summary: Update the content of a file
      operationId: setFileContent
      consumes:
        - application/octet-stream
      parameters:
      ...

However, when I call this with application/json, Swagger Validator is not rejecting the request. This is because I also define a global consumes:

    basePath: '/'
    consumes:
      - application/json

According to the Swagger 2.0 specification, consumes defined on an operation overwrites, and does not extend, the consumes:

https://swagger.io/docs/specification/2-0/mime-types/

> When used on the operation level, consumes and produces override (not extend) the global definitions. In the following example, the GET /logo operation redefines the produces array to return an image:

Swagger 1.2 also defines it this way: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/1.2.md

> A list of MIME types this operation can consume. This is overrides the global consumes definition at the root of the API Declaration. Each string value SHOULD represent a MIME type.

I believe that this is the code with the wrong behavior: https://github.com/apigee-127/swagger-tools/blob/0cea535b122265c6d01546e199e2e8fda4c0f5da/lib/validators.js#L217-L219

Because it unions the two sets of consumes instead of overwriting them.

Unfortunately, changing this would be a breaking change to swagger-tools, so this fix would need to be performed as a new major version.

bricka commented 6 years ago

Duplicate of https://github.com/apigee-127/swagger-tools/issues/481
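
The difference between the two resolution rules discussed in this issue, as an added example that is not part of the original thread and is not swagger-tools code. The function names, the `/files/{id}` path and the `post` operation are assumptions made for illustration; the `consumes` values come from the snippets in the issue.

```javascript
// Constructed Swagger 2.0 fragment built from the two snippets in the issue.
// The path '/files/{id}' is a made-up placeholder; the issue does not name it.
const api = {
  swagger: '2.0',
  basePath: '/',
  consumes: ['application/json'],
  paths: {
    '/files/{id}': {
      put: {
        operationId: 'setFileContent',
        consumes: ['application/octet-stream'],
      },
      post: { operationId: 'hypotheticalNoConsumes' }, // inherits the global list
    },
  },
};

// Behaviour the issue reports: global and operation lists are merged.
function consumesUnion(doc, op) {
  return [...new Set([...(doc.consumes || []), ...(op.consumes || [])])];
}

// Behaviour the Swagger 2.0 docs describe: the operation list replaces the
// global one; the global list applies only when the operation defines none.
function consumesOverride(doc, op) {
  return Array.isArray(op.consumes) ? op.consumes : (doc.consumes || []);
}

// Compare only the media type: drop parameters such as "; charset=utf-8"
// and ignore case, since media type names are case-insensitive.
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

function isAllowed(contentType, allowed) {
  const type = mediaType(contentType);
  return allowed.some((a) => mediaType(a) === type);
}

// Returns the accept/reject decision under both resolution rules.
function check(doc, path, method, contentType) {
  const op = doc.paths[path][method];
  return {
    union: isAllowed(contentType, consumesUnion(doc, op)),
    override: isAllowed(contentType, consumesOverride(doc, op)),
  };
}

console.log(check(api, '/files/{id}', 'put', 'application/json; charset=utf-8'));
```

With the union rule, a JSON body is accepted by an operation that declares only `application/octet-stream`, so the handler can receive a payload type it was never written to parse; the override rule rejects it.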