webMethods.io API Gateway schema validation fails to prevent adding unexpected entries to REST request

Product: webMethods IO API Gateway
Version: 10.15.0.6.247
Tenant: envNNNNN.apigw-aw-eu.webmethods.io free trial

I am trying to understand how the Request Processing / Validate API Specification / Schema policy can protect against, or prevent, a client sending unexpected entries in the POST request body. That is, if a client places an entry which is forbidden by the Swagger/OpenAPI schema, the API Gateway should block the request if the Validate API Specification / Schema policy is ON.

I created an API based on https://petstore.swagger.io/v2/swagger.json and I altered the POST Pet schema definition, to my best knowledge to prohibit additional entries to the body.

The steps:

  1. Create an API using https://petstore.swagger.io/v2/swagger.json after adding "additionalProperties": false to the schema of the Pet resource, to prevent a client from adding entries to the body when sending "Pet" requests.
  2. Validate that the API is created and works properly through API GW by invoking POST Pet through Postman.
  3. Add the Request Processing / Validate API Specification / Schema policy to the API.
  4. Change in the body "id": 325, to "id": "325", (int → string) and observe that API GW blocks the request as expected.
  5. Change back to "id": 325, and add "NEW_UNEXPECTED_ENTRY": "YES", to the body. API GW DOES NOT BLOCK the request.

Maybe the schema should be altered differently.

Any help would be appreciated.

Thank you

Aviv

Hi @Aviv.Simionovici_emp In your JSON schema enforce additionalProperties = false. And also make sure you are on the latest fix in 10.15; it's addressed in fix YAI-28224.

Sample as below

{
	"$schema": "http://json-schema.org/draft-04/schema#",
	"type": "object",
	"properties": {
		"field1": {
			"type": "string",
			"example": "65d66d40-0089-4999-a5ec-fde302989d1b"
		},
		"field2": {
			"type": "string",
			"example": "0251e9f4-7c79-44ef-93d6-d869c4cf02f7"
		},
		"field3": {
			"type": "string",
			"example": "lookup1",
			"enum": [
				"lookup1",
				"lookup2"
			]
		},
		"field4": {
			"type": "string",
			"example": "lookup1",
			"enum": [
				"lookup1",
				"lookup2"
			]
		}
	},
	"required": [
		"field1",
		"field2",
		"field3",
		"field4"
	],
	"additionalProperties": false
}

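To make concrete what the original post expects the Validate API Specification / Schema policy to do, and what the schema sample above relies on, here is an added example (not code from the thread, from Software AG, or from the API Gateway product) that implements the handful of draft-04 keywords involved and runs the three request bodies from the steps above through a simplified, constructed Pet schema. The Pet schema and the request bodies are assumptions modelled on the Petstore example; the point it shows is that, in draft-04, a missing "additionalProperties" defaults to true, so a validator that honours the keyword blocks "NEW_UNEXPECTED_ENTRY" only when the schema carries "additionalProperties": false, and a validator that ignores the keyword lets the entry through while still catching the int → string change.

```python
import json

# Minimal JSON Schema draft-04 subset validator (type, properties, required,
# additionalProperties, enum, items).  Added example, not the gateway's own
# validation engine; it models the checks a schema policy must perform.
_TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    # bool is a subclass of int in Python, so exclude it from integer/number
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "null": lambda v: v is None,
}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance is valid."""
    errors = []
    expected = schema.get("type")
    if expected is not None:
        allowed = expected if isinstance(expected, list) else [expected]
        if not any(_TYPE_CHECKS[t](instance) for t in allowed):
            errors.append(f"{path}: expected type {allowed}, got {type(instance).__name__}")
            return errors  # remaining keyword checks assume the declared type
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: value {instance!r} not in enum {schema['enum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property {name!r}")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            else:
                # draft-04: absent additionalProperties means "anything goes"
                extra = schema.get("additionalProperties", True)
                if extra is False:
                    errors.append(f"{path}: additional property {name!r} is not allowed")
                elif isinstance(extra, dict):
                    errors.extend(validate(value, extra, f"{path}.{name}"))
    if isinstance(instance, list) and isinstance(schema.get("items"), dict):
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed, simplified Pet schema (assumption modelled on the Petstore
# "Pet" definition) with the keyword the thread is about.
PET_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "required": ["name", "photoUrls"],
    "properties": {
        "id": {"type": "integer"},
        "name": {"type": "string"},
        "photoUrls": {"type": "array", "items": {"type": "string"}},
        "status": {"type": "string", "enum": ["available", "pending", "sold"]},
    },
    "additionalProperties": False,
}

# The same schema as a gateway would see it if the keyword were absent or ignored.
PERMISSIVE_SCHEMA = {k: v for k, v in PET_SCHEMA.items() if k != "additionalProperties"}

# Constructed request bodies mirroring steps 2, 4 and 5 of the original post.
VALID_BODY = '{"id": 325, "name": "doggie", "photoUrls": ["http://example.invalid/a.jpg"], "status": "available"}'
WRONG_TYPE_BODY = '{"id": "325", "name": "doggie", "photoUrls": ["http://example.invalid/a.jpg"], "status": "available"}'
EXTRA_ENTRY_BODY = '{"id": 325, "name": "doggie", "photoUrls": ["http://example.invalid/a.jpg"], "status": "available", "NEW_UNEXPECTED_ENTRY": "YES"}'


def check_request(body_json, schema=PET_SCHEMA):
    """Parse a request body as a schema policy would and return its validation errors."""
    return validate(json.loads(body_json), schema)


if __name__ == "__main__":
    cases = [("valid", VALID_BODY), ("id as string", WRONG_TYPE_BODY), ("extra entry", EXTRA_ENTRY_BODY)]
    for label, body in cases:
        strict = check_request(body)
        permissive = check_request(body, PERMISSIVE_SCHEMA)
        print(f"{label:13s} strict={'BLOCK' if strict else 'PASS':5s} "
              f"permissive={'BLOCK' if permissive else 'PASS':5s} {strict}")
```

Run as a script, the third case is the one to compare with step 5 of the original post: the strict schema reports the unexpected entry, the permissive one does not, while the "id as string" case is blocked by both. If a gateway produces the permissive result against a schema that does declare "additionalProperties": false, the keyword is not being honoured by that validator build, which is the behaviour the fix referenced in the reply is about.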

Thank you @DINESH_J
I believe I should have the YAI-28224 fix in my tenant, since my tenant version is the latest: 10.15.0.6.247

I have an open ticket on this issue https://getsupport.softwareag.com/browse/SI-511095

In this ticket, I attached the JSON API definition, which includes "additionalProperties": false at the correct place, plus the POST Pet request that is not blocked by the API schema validation policy.

Looking forward to a resolution on this ticket.

Thanks again,

Aviv
