I am using Connexion v2.2.0 to build an API that handles json schemata.
Request bodies containing schemata with a field name containing characters other than [0-9a-zA-Z_] are removed while parsing the request and passed to the handlers sanitized.
This leads to unexpected behavior.
The sanitization done in method parameter_to_arg (in file connexion/decorators/parameter.py) removes sensible characters such as $ that are used in both API definition and json body input such as in fields "$id" and "$schema". Those field names are common in json schemata following version 06, for example.
For example, a valid json {"$id": "...", ...} is used in the call and it should be passed to the handlers as is.
Following the above example, a valid json {"$id": "...", ...} used in the call is passed to the handlers as {"id": "...", ...}.
Assume the following API definition (api.yaml):
openapi: "3.0.0"
info:
  title: "Some API"
  version: "0.0.1"
servers:
  - url: /
paths:
  /test:
    post:
      operationId: app.test
      requestBody:
        required: true
        content:
          application/json:
            schema:
              x-body-name: body
              type: object
              properties:
                "$id":
                  type: string
      responses:
        200:
          description: Response.
that uses test(body), in app.py, as its handler, which is defined as
import connexion
import json


def test(body):
    # Handler for POST /test; connexion passes the parsed JSON request body
    # as `body` (the argument name comes from x-body-name in api.yaml).
    print(json.dumps(body, indent=2))
    return json.dumps(body, indent=2), 200


app = connexion.FlaskApp(
    __name__,
    specification_dir="./")
app.add_api("api.yaml", validate_responses=True)
app.run(port=8080)
Calling the above endpoint with curl -X POST -H "Content-Type: application/json" localhost:5001/test -d '{"$id": "myid"}', the output of the handler test is
{
"id": "myid"
}
instead of the expected
{
"$id": "myid"
}
python --version:
Python 3.6.7 :: Anaconda, Inc.
pip show connexion | grep "^Version\:":
Version: 2.2.0
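The key stripping described in the report, as an added stand-alone example that is not connexion's own code: a reconstruction of a [0-9a-zA-Z_] sanitiser applied to every body key (the reported behaviour) beside the form that sanitises only the handler argument name, plus a check that flags body keys the buggy path would silently merge. The sanitiser and the names sanitize_name, bind_body_buggy, bind_body_fixed and key_collisions are assumptions for illustration, not connexion's parameter_to_arg.

```python
import re
from typing import Any, Dict, List

# Constructed reconstruction of the sanitiser the issue describes: every
# character outside [0-9a-zA-Z_] is dropped. This is an assumption about the
# behaviour, not connexion's actual source.
_NON_WORD = re.compile(r"[^0-9a-zA-Z_]")


def sanitize_name(name: str) -> str:
    """Keep only [0-9a-zA-Z_], so "$id" becomes "id"."""
    return _NON_WORD.sub("", name)


def bind_body_buggy(body_name: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Reproduces the reported behaviour: the sanitiser is applied to every
    key of the JSON body, so the handler sees {"id": ...} for {"$id": ...}."""
    return {sanitize_name(body_name): {sanitize_name(k): v for k, v in body.items()}}


def bind_body_fixed(body_name: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Only the Python argument name must be an identifier; the body is data
    and is passed through to the handler unchanged."""
    return {sanitize_name(body_name): body}


def key_collisions(body: Dict[str, Any]) -> Dict[str, List[str]]:
    """Defensive check: which distinct body keys would the buggy sanitiser
    merge into one name? A non-empty result means data is silently lost,
    because the last key wins when the sanitised dict is built."""
    groups: Dict[str, List[str]] = {}
    for k in body:
        groups.setdefault(sanitize_name(k), []).append(k)
    return {name: keys for name, keys in groups.items() if len(keys) > 1}


if __name__ == "__main__":
    # Constructed sample body: a draft-06 style schema with an extra plain "id".
    sample = {"$id": "myid", "$schema": "draft-06", "id": "plain"}
    print(bind_body_buggy("body", sample))   # "$id" and "id" collapse into "id"
    print(bind_body_fixed("body", sample))   # body reaches the handler as sent
    print(key_collisions(sample))            # {"id": ["$id", "id"]}
```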
Thanks for filing this issue. There are a handful of problems in the validation code that are intertwined. If you have free time - it would be really great if you can write a test case for this. I'm trying to fix the underlying flaws with #760 , and having a robust test suite will help a lot.
Hi, is there any update on this issue? I am experiencing this bug myself and would like to know if there are plans to have this fixed, or what would be needed to do so?
I believe that PR #1008 addresses this issue.
@dtkav @hjacobs It seems that this project doesn't have as much activity as before... I'd like to ask what's the chance of getting this merged and released in a short time frame? This issue is impacting us at the moment.
We can't afford waiting another 6 months for the next release, and we need to evaluate what our approach is going to be. I'm seeing other people just forking the project with changes from the open PRs, but we'd like to avoid that if there is a plan to keep making regular releases and take care of the PRs.
hey @aexvir -
Unfortunately as a community member (not a zalando employee) I don't have write permissions to the repo.
I try to provide knowledge, do code review, and fix bugs as I have time available, but I'm unable to merge any PRs.