
AWS API Gateway (REST) - Request Validation passes even when there is unknown property


I have an API gateway with the following schema:

{
  "swagger": "2.0",
  "info": {
    "description": "This is a sample server Petstore server.  You can find out more about     Swagger at [http://swagger.io](http://swagger.io) or on [irc.freenode.net, #swagger](http://swagger.io/irc/).      For this sample, you can use the api key `special-key` to test the authorization     filters.",
    "version": "1.0.0",
    "title": "Swagger Petstore",
    "termsOfService": "http://swagger.io/terms/",
    "contact": {
      "email": "[email protected]"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    }
  },
  "paths": {
    "/pet": {
      "post": {
        "summary": "Add a new pet to the store",
        "description": "",
        "operationId": "addPet",
        "consumes": [
          "application/json",
          "application/xml"
        ],
        "produces": [
          "application/xml",
          "application/json"
        ],
        "parameters": [
          {
            "in": "body",
            "name": "body",
            "description": "Pet object that needs to be added to the store",
            "required": true,
            "schema": {
              "$ref": "#/definitions/Pet"
            }
          }
        ],
        "responses": {
          "405": {
            "description": "Invalid input"
          }
        }
      }
    }
  },
  "definitions": {
    "Pet": {
      "required": ["id", "name"],
      "type": "object",
      "properties": {
        "id": {
          "type": "integer",
          "description": "Id of the pet",
          "example": 123
        },
        "name": {
          "type": "string",
          "description": "Name of the pet",
          "example": "Jammy"
        },
        "nickname": {
          "type": "string",
          "description": "Nickname of the pet",
          "example": "Jam"
        }
      }
    }
  }
}

When I send a request body with fields which are not present in the schema, I don't get a 400 response from API Gateway. I have applied the configuration to validate body, headers, and query string.

Is this an open issue in API gateway? Or am I missing something?


Solution

  • So with Swagger v2 and OpenAPI v3 specs the default behavior is to accept all additional properties that your spec does not define. If you include the required pet id and name and additional unused properties like foo and bar, your post should succeed.

    If you want stricter validation that fails when additional properties are sent, then set additionalProperties to false in your pet schema, or do that and change the spec version to 3.x.x.
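To see the difference the answer describes, here is an added example (not from the question, and not API Gateway's own validator): a deliberately minimal JSON Schema checker, used as a stand-in for the gateway's request validator, run over the Pet definition from the question with and without `additionalProperties: false`. Only "type", "required", "properties" and "additionalProperties" are implemented, which is enough to show why unknown fields pass by default.

```python
import copy

# Constructed copy of the Pet definition from the question (Swagger 2.0 / JSON Schema draft 4 subset).
PET_SCHEMA = {
    "type": "object",
    "required": ["id", "name"],
    "properties": {
        "id": {"type": "integer"},
        "name": {"type": "string"},
        "nickname": {"type": "string"},
    },
}

# The same schema with the fix from the answer: reject properties not listed above.
STRICT_PET_SCHEMA = copy.deepcopy(PET_SCHEMA)
STRICT_PET_SCHEMA["additionalProperties"] = False

_TYPES = {"integer": int, "string": str, "object": dict}


def validate(schema, body):
    """Return a list of validation errors (empty list means the body is valid).

    Simplified stand-in for a JSON Schema validator (hypothetical, not the
    gateway's code): it understands only "type", "required", "properties"
    and "additionalProperties".
    """
    errors = []
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    for key in schema.get("required", []):
        if key not in body:
            errors.append(f"missing required property '{key}'")
    props = schema.get("properties", {})
    for key, value in body.items():
        if key in props:
            expected = _TYPES[props[key]["type"]]
            # bool is a subclass of int in Python, but JSON Schema treats it as a distinct type
            if not isinstance(value, expected) or isinstance(value, bool):
                errors.append(f"property '{key}' is not of type {props[key]['type']}")
        elif schema.get("additionalProperties", True) is False:
            # JSON Schema default is additionalProperties: true, so unknown keys are accepted
            errors.append(f"unknown property '{key}'")
    return errors


if __name__ == "__main__":
    body = {"id": 123, "name": "Jammy", "foo": 1, "bar": 2}  # constructed request body
    print("default:", validate(PET_SCHEMA, body))         # [] -> request passes validation
    print("strict: ", validate(STRICT_PET_SCHEMA, body))  # two 'unknown property' errors -> 400
```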