Nested Struct Arrays Do Not Have Validation Performed On Requests.
Introduction
In this article, we will explore a critical issue with nested struct arrays in Go, specifically with the Fuego framework. We will delve into the problem, provide a step-by-step guide to reproduce the issue, and discuss the expected behavior. Additionally, we will cover the necessary context, including the framework and Go versions used.
Problem Statement
When sending a request with a nested struct array, the validation of the request body fails to perform correctly. This results in a successful response (200) instead of an error response (400) when the request body contains invalid data.
To Reproduce
To reproduce this issue, follow these steps:
Step 1: Create a Request Body with a Nested Struct Array
Create a request body that includes a nested struct array. For example, in the petstore example, define a Pets struct with a Treats field that is an array of Treat structs:
type Pets struct {
	ID         string     `json:"id" validate:"required" example:"pet-123456"`
	Name       string     `json:"name" validate:"required" example:"Napoleon"`
	Age        int        `json:"age" example:"2" description:"Age of the pet, in years"`
	IsAdopted  bool       `json:"is_adopted" description:"Is the pet adopted"`
	References References `json:"references"`
	BirthDate  time.Time  `json:"birth_date"`
	FavTreats  []Treat    `json:"treats,omitempty"`
}

type Treat struct {
	Name  string `json:"name" validate:"required" example:"kibble" description:"the name of a treat"`
	Brand string `json:"brand,omitempty" description:"The brand of the treat"`
}
Step 2: Define the OpenAPI.json File
In the OpenAPI.json file, define the required fields for the Treat struct:
{
  "openapi": "3.0.0",
  "info": {
    "title": "Petstore API",
    "description": "Petstore API",
    "version": "1.0.0"
  },
  "paths": {
    "/pets": {
      "post": {
        "summary": "Create a new pet",
        "description": "Create a new pet",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "parameters": [
          {
            "in": "body",
            "name": "body",
            "description": "Pet object that needs to be added to the store",
            "required": true,
            "schema": {
              "$ref": "#/components/schemas/Pet"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "successful operation"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "Pet": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string",
            "description": "ID of the pet"
          },
          "name": {
            "type": "string",
            "description": "Name of the pet"
          },
          "age": {
            "type": "integer",
            "description": "Age of the pet"
          },
          "isAdopted": {
            "type": "boolean",
            "description": "Is the pet adopted"
          },
          "references": {
            "type": "object",
            "description": "References of the pet"
          },
          "birthDate": {
            "type": "string",
            "format": "date-time",
            "description": "Birth date of the pet"
          },
          "favTreats": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/Treat"
            },
            "description": "Favorite treats of the pet"
          }
        },
        "required": [
          "id",
          "name",
          "age",
          "isAdopted",
          "references",
          "birthDate",
          "favTreats"
        ]
      },
      "Treat": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the treat"
          },
          "brand": {
            "type": "string",
            "description": "Brand of the treat"
          }
        },
        "required": [
          "name"
        ]
      }
    }
  }
}
Step 3: Send a Request with an Invalid Body
Send a request with a body that contains an invalid Treat struct, missing the required name field:
curl --request POST \
  --url http://localhost:9999/pets/generic-response \
  --header 'Accept: application/json, application/xml' \
  --header 'Content-Type: */*' \
  --header 'X-Header: ' \
  --data '{
  "data": {
    "age": 2,
    "birth_date": "2019-08-24T14:15:22Z",
    "id": "pet-123456",
    "is_adopted": true,
    "name": "Napoleon",
    "references": {
      "type": "pet-123456",
      "value": "string"
    },
    "treats": [
      {
        "brand": "string"
      }
    ]
  },
  "thing": "string"
}'
Expected Behavior
When sending the above request, the validation of the request body should fail, returning an error response (400) instead of a successful response (200).
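The gap described above, reproduced with the standard library only as an added example (not Fuego's code and not part of the original report): `missingRequired` and `check` are hypothetical helpers, the types are trimmed copies of the page's structs, and `sampleBody` is a constructed reduction of the curl payload. The shallow pass accepts the body; the element-by-element pass reports the missing treat name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Trimmed copies of the page's types, constructed for this example.
type Treat struct {
	Name  string `json:"name" validate:"required"`
	Brand string `json:"brand,omitempty"`
}
type Pets struct {
	ID        string  `json:"id" validate:"required"`
	Name      string  `json:"name" validate:"required"`
	FavTreats []Treat `json:"treats,omitempty"`
}

const sampleBody = `{"id":"pet-123456","name":"Napoleon","treats":[{"brand":"string"}]}` // constructed
// missingRequired lists zero-valued fields tagged exactly validate:"required".
// deep=false skips slice elements (the reported behaviour); deep=true visits each one.
func missingRequired(v reflect.Value, path string, deep bool) []string {
	var out []string
	switch v.Kind() {
	case reflect.Slice, reflect.Array:
		for i := 0; deep && i < v.Len(); i++ {
			out = append(out, missingRequired(v.Index(i), fmt.Sprintf("%s[%d]", path, i), deep)...)
		}
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			f, p := v.Type().Field(i), path+"."+v.Type().Field(i).Name
			if f.Tag.Get("validate") == "required" && v.Field(i).IsZero() {
				out = append(out, p)
			}
			out = append(out, missingRequired(v.Field(i), p, deep)...)
		}
	}
	return out
}
// check decodes a JSON body into Pets and returns the failing field paths.
func check(body string, deep bool) []string {
	var p Pets
	if err := json.Unmarshal([]byte(body), &p); err != nil {
		return []string{"decode: " + err.Error()}
	}
	return missingRequired(reflect.ValueOf(p), "Pets", deep)
}
func main() {
	fmt.Println(check(sampleBody, false), check(sampleBody, true))
}
```

If the `validate` tags are processed by go-playground/validator, slice elements are only visited when the field's tag includes `dive`, for example `validate:"dive"` on `FavTreats`.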
Screenshots
Here is the Swagger UI showing that the Pets.Treats.Name field is required:
And here is the Curl command showing the response (it should not be responding successfully):
Framework Version
The issue occurs with the Fuego framework version v0.18.8.
Go Version
The issue occurs with Go version 1.24.2.
Additional Context
If you are new to Go, you may want to review the basics of struct arrays and validation in Go. Additionally, if you are using the Fuego framework, you may want to review the documentation for validation and struct arrays.
Q&A
Q: What is the issue with nested struct arrays in Go?
A: The issue is that the validation of the request body fails to perform correctly when sending a request with a nested struct array.
Q: What is the expected behavior?
A: The expected behavior is that the validation of the request body should fail, returning an error response (400) instead of a successful response (200) when the request body contains invalid data.
Q: How can I reproduce the issue?
A: To reproduce the issue, follow these steps:
- Create a request body that includes a nested struct array.
- Define the OpenAPI.json file with the required fields for the nested struct.
- Send a request with a body that contains an invalid nested struct.
Q: What are the necessary context and versions?
A: The issue occurs with the Fuego framework version v0.18.8 and the Go version 1.24.2.
Q: What are the screenshots showing?
A: The screenshots show the Swagger UI and the Curl command, demonstrating that the Pets.Treats.Name field is required and that the request is not responding successfully.
Q: What are the additional context and resources?
A: If you are new to Go, you may want to review the basics of struct arrays and validation in Go. Additionally, if you are using the Fuego framework, you may want to review the documentation for validation and struct arrays.
Q: How can I resolve this issue?
A: To resolve this issue, you can try the following:
- Update the Fuego framework to the latest version.
- Review the OpenAPI.json file and ensure that the required fields are correctly defined.
- Verify that the request body is correctly formatted and contains the required data.
Q: What are the implications of this issue?
A: Request bodies that should be rejected are accepted, so array elements missing required fields reach handler code as if they had been validated. This can lead to security vulnerabilities and data corruption if not addressed. It is essential to resolve this issue as soon as possible to ensure the integrity and security of your application.
Q: Can this issue be fixed in the Fuego framework?
A: Yes, this issue can be fixed in the Fuego framework by updating the validation logic to correctly handle nested struct arrays.
Q: What is the estimated time to resolve this issue?
A: The estimated time to resolve this issue depends on the complexity of the fix and the availability of resources. However, it is essential to prioritize this issue and resolve it as soon as possible to ensure the security and integrity of your application.
Q: Who can help me resolve this issue?
A: If you are experiencing difficulties resolving this issue, you can reach out to the Fuego framework community or seek assistance from a qualified developer or consultant.