santhosh-tekuri/jsonschema

Unknown format is a valid value for JSON schema

Closed this issue · 5 comments

JSON schema does not restrict format values; it is unfortunate that the validator fails to load a schema with an unknown format:

```
panic: jsonschema: Compile("schema.json"): json-schema "schema.json" compilation failed. Reason:
I[#] S[#] doesn't validate with "http://json-schema.org/draft-07/schema#"
  I[#/format] S[#/properties/format/format] "uuid" is not valid "format"

goroutine 9 [running]:
	/...../vendor/github.com/santhosh-tekuri/jsonschema/compiler.go:105 +0x13e
```

I think an unknown format should be ignored as if there was no format value at all, but I could not find nice words in the spec to support my opinion.

See section 7.2.

If you just want to disable it for uuid, do:

```go
// Register a "uuid" format that accepts any string.
formats.Register("uuid", func(string) bool { return true })
```

You can't just disable all unknown formats. This was intentional, for security reasons.
You must know what formats you are using in your jsonschemas.
If you are not interested in implementing validation for them, as shown above, accept any string as valid.

BTW: in RFCs, the word "SHOULD" means "RECOMMENDED".

@santhosh-tekuri I think you can and should ignore all unknown formats. There is no security issue.

https://json-schema.org/latest/json-schema-validation.html#rfc.section.3.2

The "format", "contentType", and "contentEncoding" keywords can also be implemented as assertions, although that functionality is an optional part of this specification, and the keywords convey additional non-assertion information.

I read that as: the schema author can add whatever makes sense in his domain to the format value, and it may have no validation effect. Since it should not affect validation, why should the schema author put effort into enumerating all formats to set up the validator?

https://json-schema.org/latest/json-schema-validation.html#rfc.section.7.1

A format attribute can generally only validate a given set of instance types. If the type of the instance to validate is not in this set, validation for this format attribute and instance SHOULD succeed.

I read this as: an unknown format has 0 types of instance to be applied to in the validator, therefore validation SHOULD succeed.

https://json-schema.org/latest/json-schema-validation.html#rfc.section.7.2

Save for agreement between parties, schema authors SHALL NOT expect a peer implementation to support this keyword and/or custom format attributes.

This statement addresses the potential security issue: the author should not expect secure validation unless he explicitly sets up the validator for a custom format.

If you still have any doubts, please proceed to json-schema-org/json-schema-spec#732.

@santhosh-tekuri as a side note, format may be asserted for non-string value too, e.g. you may want {"type":"integer", "format":"thousands-and-one"} with valid value of 9001. JSON schema does permit it.

OK. Seems meaningful.

I have to bump the major version for this incompatible change.

BTW, I did not think of having format applied to non-string values.
Currently the library does not support that. This will also break compatibility.
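
The two loading policies argued over in this thread, as an added example that is not the library's code (`Format`, `registry`, `AcceptAny` and `Compile` are hypothetical names, and the sample inputs are constructed). It shows what each policy does with a registered format, a misspelled one and an unregistered one: under the lenient policy the misspelled `emial` loads and accepts everything, while the strict policy stops at schema load until the name is registered explicitly.

```go
package main

import (
	"fmt"
	"net/mail"
)

// Format checks one string instance. All names in this file are hypothetical
// and are not the jsonschema library's API.
type Format func(string) bool

// registry holds the formats this validator actually implements.
var registry = map[string]Format{
	"email": func(s string) bool { _, err := mail.ParseAddress(s); return err == nil },
}

// AcceptAny is the explicit opt-out from the thread: the format name is
// acknowledged, and every string passes.
func AcceptAny(name string) { registry[name] = func(string) bool { return true } }

// Compile resolves a schema's "format" value to a checker.
// strict=true:  unknown names fail at schema load (the behaviour reported).
// strict=false: unknown names are treated as annotations (the behaviour requested).
func Compile(format string, strict bool) (Format, error) {
	if f, ok := registry[format]; ok {
		return f, nil
	}
	if strict {
		return nil, fmt.Errorf("%q is not valid \"format\"", format)
	}
	return func(string) bool { return true }, nil
}

func main() {
	const bad = "not-an-address" // constructed sample instance
	for _, name := range []string{"email", "emial", "uuid"} {
		for _, strict := range []bool{true, false} {
			f, err := Compile(name, strict)
			if err != nil {
				fmt.Printf("format=%-5s strict=%-5v load error: %v\n", name, strict, err)
				continue
			}
			fmt.Printf("format=%-5s strict=%-5v accepts %q: %v\n", name, strict, bad, f(bad))
		}
	}
}
```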