Body validation for JSON requests does not check field types
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	Jakob_WMDE
	May 8 2024, 4:16 AM

Description

Defining a body field with ParamValidator::PARAM_TYPE => 'string' in a REST handler's getParamSettings() method does not actually make it reject application/json requests containing integers or booleans for this field. It doesn't get cast to a string either, so a call like $this->methodExpectingString( $request->getParsedBody()['mystringfield'] ) results in a type error in such cases.

This behavior may be necessary for other content types, but for JSON requests it seems rather unintuitive and likely to cause bugs.

Related Objects

Mentioned In: T368054: Look into ways to avoid HttpException for top-level validation
T363084: Remove usage of MediaWiki's JsonBodyValidator from Wikibase REST API

Event Timeline

Jakob_WMDE created this task.May 8 2024, 4:16 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2024, 4:16 AM

Jakob_WMDE mentioned this in T363084: Remove usage of MediaWiki's JsonBodyValidator from Wikibase REST API.May 8 2024, 7:25 AM

WMDE-leszek subscribed.May 8 2024, 8:01 AM

Ollie.Shotton_WMDE subscribed.May 8 2024, 11:17 AM

Jakob_WMDE mentioned this in T368054: Look into ways to avoid HttpException for top-level validation.Thu, Jun 20, 2:13 PM

Body validation for JSON requests does not check field typesOpen, Needs TriagePublicActions

Description

Related Objects

Event Timeline

Body validation for JSON requests does not check field types
Open, Needs TriagePublic
Actions