WordPress.org

Make WordPress Core


Ignore:
Timestamp:
10/24/2017 09:04:50 PM (2 years ago)
Author:
joehoyle
Message:

REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/rest-api/rest-schema-validation.php

    r41727 r42000  
    187187            'properties' => array(
    188188                'a' => array(
    189                     'type' => 'number'
     189                    'type' => 'number',
    190190                ),
    191191            ),
    192192        );
    193193        $this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1 ), $schema ) );
     194        $this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1, 'b' => 2 ), $schema ) );
    194195        $this->assertWPError( rest_validate_value_from_schema( array( 'a' => 'invalid' ), $schema ) );
     196    }
     197
     198    public function test_type_object_additional_properties_false() {
     199        $schema = array(
     200            'type'       => 'object',
     201            'properties' => array(
     202                'a' => array(
     203                    'type' => 'number',
     204                ),
     205            ),
     206            'additionalProperties' => false,
     207        );
     208        $this->assertTrue( rest_validate_value_from_schema( array( 'a' => 1 ), $schema ) );
     209        $this->assertWPError( rest_validate_value_from_schema( array( 'a' => 1, 'b' => 2 ), $schema ) );
    195210    }
    196211
Note: See TracChangeset for help on using the changeset viewer.