Various utilities for JSON Pointers (http://tools.ietf.org/html/rfc6901) and JSON References (http://tools.ietf.org/html/draft-pbryan-zyp-json-ref-03).
MIT License
223
stars
63
forks
source link
JsonRefs.resolveRefs fails to dereference some URI encoded fragments #186
Expected behaviorJsonRefs.resolveRefs should correctly dereference strict RFC-3986 encoded URI fragments.
Actual behavior
URI fragments containing reserved gen-delims and sub-delims RFC-3986 gen-delims characters do not seem to dereference correctly. The behavior is inconsistent, in some cases, a URI with a percent-encoded gen-delim will resolve (e.g. [), but another gen-delim (e.g. '@'), it will not. Similarly, for sub-delims, ( will resolve, but ! will not.
Whether or not the fragment should or should not be encoded in the first place is potentially arguable. I recall somewhere that Swagger requires strict RFC-3986 encoding. The issue is that some percent encoded characters are not being decoded when resolving the reference.
Steps to reproduce
Note that example1 demonstrates the issue, and that example2 just tries to get a sense of the restricted characters.
{
schema1: { '$ref': '#/definitions/%40other' },
schema2: { type: 'string' }
}
delim: ':' (%3A) gen-delim is resolved OK: false
delim: '/' (%2F) gen-delim is resolved OK: false
delim: '?' (%3F) gen-delim is resolved OK: false
delim: '#' (%23) gen-delim is resolved OK: false
delim: '@' (%40) gen-delim is resolved OK: false
delim: '$' (%24) sub-delim is resolved OK: false
delim: '&' (%26) sub-delim is resolved OK: false
delim: '+' (%2B) sub-delim is resolved OK: false
delim: ',' (%2C) sub-delim is resolved OK: false
delim: ';' (%3B) sub-delim is resolved OK: false
delim: '=' (%3D) sub-delim is resolved OK: false
delim: '[' (%5B) gen-delim is resolved OK: true
delim: ']' (%5D) gen-delim is resolved OK: true
delim: '!' (%21) sub-delim is resolved OK: true
delim: ''' (%27) sub-delim is resolved OK: true
delim: '(' (%28) sub-delim is resolved OK: true
delim: ')' (%29) sub-delim is resolved OK: true
delim: '*' (%2a) sub-delim is resolved OK: true
Comments
Digging around a bit, it appears uri-js does not always fully decode fragments (fair enough, it's a parser), so a fragment needs to be decoded if it's going to be used for dereferencing. However, parts of the library seem to use decodeURI on fragments instead of decodeURIComponent as I would expect. This looks suspicious too.
Expected behavior
JsonRefs.resolveRefsshould correctly dereference strict RFC-3986 encoded URI fragments.Actual behavior URI fragments containing reserved gen-delims and sub-delims RFC-3986 gen-delims characters do not seem to dereference correctly. The behavior is inconsistent, in some cases, a URI with a percent-encoded gen-delim will resolve (e.g.
[), but another gen-delim (e.g. '@'), it will not. Similarly, for sub-delims,(will resolve, but!will not.Whether or not the fragment should or should not be encoded in the first place is potentially arguable. I recall somewhere that Swagger requires strict RFC-3986 encoding. The issue is that some percent encoded characters are not being decoded when resolving the reference.
Steps to reproduce
Note that
example1demonstrates the issue, and thatexample2just tries to get a sense of the restricted characters.Outputs:
Comments Digging around a bit, it appears
uri-jsdoes not always fully decode fragments (fair enough, it's a parser), so a fragment needs to be decoded if it's going to be used for dereferencing. However, parts of the library seem to use decodeURI on fragments instead of decodeURIComponent as I would expect. This looks suspicious too.For example:
Whereas: