Skip to content

Response validation panic when body uses array circular reference field #103

@vanntile

Description

@vanntile

I consistently get a panic in a production use case. Here is a minimal reproduction:

package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"

	"github.com/pb33f/libopenapi"
	validator "github.com/pb33f/libopenapi-validator"
)

func main() {
	spec := `openapi: 3.1.0
info:
  title: Panic at response validation
  version: 1.0.0
paths:
  /operations:
    delete:
      description: Delete operations
      responses:
        default:
          description: Any response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'

components:
  schemas:
    Error:
      type: object
      properties:
        code:
          type: string
        details:
          type: array
          items:
            $ref: '#/components/schemas/Error'
`

	document, err := libopenapi.NewDocument([]byte(spec))
	if err != nil {
		panic(fmt.Sprintf("failed to create new document: %v\n", err))
	}

	_, errs := document.BuildV3Model()
	if len(errs) > 0 {
		for i := range errs {
			fmt.Printf("model error: %e\n", errs[i])
		}
		panic(fmt.Sprintf("failed to create v3 model from document: %d errors reported", len(errs)))
	}

	fmt.Println("Successfully parsed OpenAPI spec")

	oapiValidator, errs := validator.NewValidator(document)
	if errs != nil {
		panic(fmt.Sprintf("failed to create validator: %v", errs))
	}
	if ok, errs := oapiValidator.ValidateDocument(); !ok {
		panic(fmt.Sprintf("document validation errors: %v", errs))
	}

	req := &http.Request{
		Method: http.MethodDelete,
		URL: &url.URL{
			Path: "/operations",
		},
	}
	res := &http.Response{
		StatusCode: http.StatusOK,
		Header: map[string][]string{
			"Content-Type": {"application/json"},
		},
		Body: io.NopCloser(strings.NewReader(`{"code":"abc","details":[{"code":"def"}]}`)),
	}
	if ok, errs := oapiValidator.ValidateHttpResponse(req, res); !ok {
		panic(fmt.Sprintf("response validation erros: %v", errs))
	}
}

This results in:

Successfully parsed OpenAPI spec
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x8937f1]

goroutine 1 [running]:
github.com/santhosh-tekuri/jsonschema/v6.unevalFrom({0x90be20, 0xc0004dd500}, 0x0, 0x0)
        /home/vanntile/.go/pkg/mod/github.com/santhosh-tekuri/jsonschema/[email protected]/validator.go:922 +0x131
github.com/santhosh-tekuri/jsonschema/v6.(*Schema).validate(0x0, {0x90be20, 0xc0004dd500}, 0x0, 0x0, 0x0, 0x0, 0x0)
        /home/vanntile/.go/pkg/mod/github.com/santhosh-tekuri/jsonschema/[email protected]/validator.go:25 +0xa9
github.com/santhosh-tekuri/jsonschema/v6.(*Schema).Validate(...)
        /home/vanntile/.go/pkg/mod/github.com/santhosh-tekuri/jsonschema/[email protected]/validator.go:16
github.com/pb33f/libopenapi-validator/responses.ValidateResponseSchema(0xc0004312c0, 0xc0004d8240, 0xc00038e288, {0xc000394300, 0x97, 0x100}, {0xc0005665a0, 0x82, 0xc000123c20?})
        /home/vanntile/.go/pkg/mod/github.com/pb33f/[email protected]/responses/validate_response.go:135 +0xebd
github.com/pb33f/libopenapi-validator/responses.(*responseBodyValidator).checkResponseSchema(0xc0004086c0, 0xc0004312c0, 0xc0004d8240, {0xa1cfed?, 0x1?}, 0xc00040b680)
        /home/vanntile/.go/pkg/mod/github.com/pb33f/[email protected]/responses/validate_body.go:160 +0x2a7
github.com/pb33f/libopenapi-validator/responses.(*responseBodyValidator).ValidateResponseBodyWithPathItem(0xc0004086c0, 0xc0004312c0, 0xc0004d8240, 0x90?, {0xc0002d7b45, 0xb})
        /home/vanntile/.go/pkg/mod/github.com/pb33f/[email protected]/responses/validate_body.go:92 +0x6ab
github.com/pb33f/libopenapi-validator.(*validator).ValidateHttpResponse(0xc000402910, 0xc0004312c0, 0xc0004d8240)
        /home/vanntile/.go/pkg/mod/github.com/pb33f/[email protected]/validator.go:124 +0x59
main.main()
        /home/vanntile/src/github.com/vanntile/libopenapi-validator-test/main.go:80 +0x34f
exit status 2

Considering that this library does not consider (non-required) circular references errors, and both building a model and validating it pass, I am wondering if this is just a bug or I am missing something.

Tracking down the error, I got to

_ = compiler.AddResource(fName, decodedSchema)
jsch, _ := compiler.Compile(fName)

compilation error: json-pointer in "file:///home/vanntile/src/github.com/vanntile/libopenapi-validator-test/response.json#/components/schemas/Error" not found

Some error validation would be useful, don't know at the moment how to solve

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions