
Allow schemas to use unevaluatedProperties: false instead of additionalProperties: false #49

Open
DavidBiesack opened this issue Aug 17, 2023 · 0 comments
DavidBiesack commented Aug 17, 2023

JSON Schema 2020-12 (used in OAS 3.1) defines a new keyword, unevaluatedProperties, which is like additionalProperties but works better when using JSON Schema composition with allOf.

For this feature, extend the OWASP ruleset to check if unevaluatedProperties is used and enforce the value false for it, and also add the rule that allows a non-false value for unevaluatedProperties only if maxProperties is also set.

Context

Avoid a false negative when a schema uses unevaluatedProperties: true

Current Behavior

Unlike additionalProperties: true or additionalProperties: { .... },
any use of unevaluatedProperties: true or unevaluatedProperties: { ... } in a schema is not flagged.

Expected Behavior

Issue a warning when unevaluatedProperties: true or unevaluatedProperties: { ... } is used in a schema.

Possible Solution(s)

Clone the owasp:api6:2019-no-additionalProperties and owasp:api6:2019-constrained-additionalProperties rules in ruleset.ts and modify them to address unevaluatedProperties instead. New rules:

owasp:api6:2019-no-unevaluatedProperties
owasp:api6:2019-constrained-unevaluatedProperties
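The two checks the issue asks for, written out as a small stand-alone TypeScript walker so the intended logic is concrete. This is an added illustration, not code from spectral-owasp-ruleset's ruleset.ts and not a Spectral rule definition; the rule names, the `Finding` shape, the `checkUnevaluatedProperties` function and the embedded sample document are all constructed here. It assumes the semantics stated above: the first rule fires on any value of unevaluatedProperties other than `false`, and the second fires only when such a permissive value appears on a schema that has no maxProperties bound.

```typescript
// Added example (not the project's own code): walk an OpenAPI 3.1 / JSON Schema
// 2020-12 document and report the two conditions the issue describes.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

interface Finding {
  rule: "no-unevaluatedProperties" | "constrained-unevaluatedProperties"; // hypothetical rule ids
  path: string[];   // JSON pointer segments to the offending location
  message: string;
}

function isObject(v: Json): v is { [key: string]: Json } {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Recursively scan `doc`; every object that carries `unevaluatedProperties` is
// a candidate schema, regardless of where it sits (components, inline bodies,
// allOf branches), because the keyword is only meaningful on a schema object.
export function checkUnevaluatedProperties(doc: Json, path: string[] = []): Finding[] {
  const findings: Finding[] = [];

  if (Array.isArray(doc)) {
    doc.forEach((item, i) => {
      findings.push(...checkUnevaluatedProperties(item, [...path, String(i)]));
    });
    return findings;
  }
  if (!isObject(doc)) return findings;

  if ("unevaluatedProperties" in doc) {
    const value = doc["unevaluatedProperties"];
    if (value !== false) {
      // Mirrors the intent of owasp:api6:2019-no-additionalProperties: `true` or a
      // sub-schema lets properties the schema never listed through, which is the
      // mass-assignment exposure that API6:2019 is about.
      findings.push({
        rule: "no-unevaluatedProperties",
        path: [...path, "unevaluatedProperties"],
        message: "unevaluatedProperties should be false; unlisted properties are accepted",
      });
      // Mirrors owasp:api6:2019-constrained-additionalProperties: a permissive value
      // is tolerated only when maxProperties bounds how many properties can arrive.
      if (!("maxProperties" in doc)) {
        findings.push({
          rule: "constrained-unevaluatedProperties",
          path: [...path],
          message: "non-false unevaluatedProperties without maxProperties",
        });
      }
    }
  }

  for (const [key, child] of Object.entries(doc)) {
    findings.push(...checkUnevaluatedProperties(child, [...path, key]));
  }
  return findings;
}

// Constructed sample document: one compliant schema, one permissive allOf
// composition with no bound, and one permissive schema that is bounded.
export const sampleDoc: Json = {
  openapi: "3.1.0",
  components: {
    schemas: {
      Strict: {
        type: "object",
        properties: { id: { type: "string" } },
        unevaluatedProperties: false,
      },
      Loose: {
        allOf: [{ $ref: "#/components/schemas/Strict" }],
        unevaluatedProperties: true,
      },
      Bounded: {
        type: "object",
        maxProperties: 5,
        unevaluatedProperties: { type: "string" },
      },
    },
  },
};

// Convenience for the reader: rule id plus JSON path, one line per finding.
export function report(doc: Json): string[] {
  return checkUnevaluatedProperties(doc).map((f) => `${f.rule} at /${f.path.join("/")}`);
}

console.log(report(sampleDoc).join("\n"));
```

Against the sample, `Strict` produces nothing, `Loose` trips both rules (permissive and unbounded), and `Bounded` trips only the first, which is the split the issue describes: the constrained rule is the one that stays quiet once maxProperties is present.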

DavidBiesack added a commit to DavidBiesack/spectral-owasp-ruleset that referenced this issue Aug 17, 2023
@philsturgeon philsturgeon self-assigned this Jan 21, 2024