Falsely validating against schema with `oneOf` key

danascheider commented 8 years ago

Summary

The validator is saying a response body matches a schema when it actually doesn't. The schema contains a oneOf key with refs and additionalProperties set to false.

Current Behavior

The response body is falsely passing the validation. This is the schema:

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "description": "Property address",
  "type": "object",
  "required": ["street1", "city", "state", "zip", "county"],
  "oneOf": [
    { "$ref": "#/definitions/californiaAddress" },
    { "$ref": "#/definitions/floridaAddress" }
  ],
  "additionalProperties": false,
  "definitions": {
    "californiaAddress": {
      "required": [ "street1", "city", "state", "zip", "county" ],
      "properties": {
        "street1": { "type": "string" },
        "street2": { "type": "string" },
        "city": { "type": "string" },
        "state": {
          "type": "string",
          "enum": [ "CA" ]
        },
        "zip": {
          "type": "string",
          "pattern": "/\\d{5}(\\-\\d{4})?/"
        },
        "county": {
          "type": "string",
          "enum": [
            "alameda", "alpine", "amador",
            "butte",
            "calaveras", "colusa", "contra_costa",
            "del_norte",
            "el_dorado",
            "fresno",
            "glenn",
            "humboldt",
            "imperial", "inyo",
            "kern", "kings",
            "lake", "lassen", "los_angeles",
            "madera", "marin", "mariposa", "mendocino", "merced", "modoc", "mono", "monterey",
            "napa", "nevada",
            "orange",
            "placer", "plumas",
            "riverside",
            "sacramento", "san_benito", "san_bernardino", "san_diego", "san_francisco", "san_joaquin",
            "san_luis_obispo", "san_mateo", "santa_barbara", "santa_clara", "santa_cruz", "shasta",
            "sierra", "siskiyou", "solano", "sonoma", "stanislaus", "sutter",
            "tahama", "toulomne", "trinity", "tulare",
            "ventura",
            "yolo", "yuba"
          ]
        }
      },
      "additionalProperties": false
    },
    "floridaAddress": {
      "required": [ "street1", "city", "state", "zip", "county" ],
      "properties": {
        "street1": { "type": "string" },
        "street2": { "type": "string" },
        "city": { "type": "string" },
        "state": {
          "type": "string",
          "enum": [ "FL" ]
        },
        "zip": {
          "type": "string",
          "pattern": "/\\d{5}(\\-\\d{4})?/"
        },
        "county": {
          "type": "string",
          "enum": [
            "broward",
            "escambia",
            "indian_river",
            "martin",
            "palm_beach",
            "pasco",
            "pinellas"
          ]
        }
      },
      "additionalProperties": false
    }
  }
}

The response I'm getting is:

{
  "message": "Must provide API token"
}

Expected Behavior

The response body above should not pass validation against the given schema.

Additional Details

The schema specifies an object that must satisfy one of two given schemas
Both the main schema and the two possible oneOf schemas have additionalProperties set to false
The two oneOf schemas both specify required properties that are not present in the actual body
Setting required on the main schema (since the two possible schemas have the same keys) does not change the behavior
Setting "additionalProperties": false on just the main schema or just the oneOf schemas does not change the behavior

RST-J commented 8 years ago

Can you provide example data which is falsely validated against this schema?

danascheider commented 8 years ago

I actually can't, the code that I was having this problem with is in my former employer's private repo. Sorry about that.

RST-J commented 8 years ago

No problem, maybe we can reconstruct an example. If its just because of the data I see a fair chance. But if it depends on a certain combination of flags, well then possibly not (I rather suspect that though, otherwise there probably would have been issue(s) already).

Can you remember anything about the properties of wrongly accepted data? Where there any additional properties which have been accepted although they shouldn't or was it the other way around that data with missing required attributes got accepted?

danascheider commented 8 years ago

Let me see what I can come up with, I have some work to get done but I can take a look at it later today.

voxpupuli / json-schema