REST: Handle invalid field type in JSON Patch

outdooracorn · outdooracorn · commit 845a1afbb20c · 2022-11-01T09:12:06.000Z
Respond with a more specific error when the JSON Patch contains a field with an invalid type. Handled in `JsonDiffPatchValidator` while we wait for the upstream PR to be merged. swaggest/json-diff#60 Bug: T320705 Change-Id: I92290f5791b14e28e5fcd87d28c8b26d160e899f
diff --git a/repo/rest-api/src/Infrastructure/JsonDiffJsonPatchValidator.php b/repo/rest-api/src/Infrastructure/JsonDiffJsonPatchValidator.php
@@ -7,6 +7,7 @@
 use Swaggest\JsonDiff\MissingFieldException;
 use Swaggest\JsonDiff\UnknownOperationException;
 use Wikibase\Repo\RestApi\Domain\Services\JsonPatchValidator;
+use Wikibase\Repo\RestApi\Validation\PatchInvalidFieldTypeValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchInvalidOpValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchMissingFieldValidationError;
 use Wikibase\Repo\RestApi\Validation\ValidationError;
@@ -17,6 +18,35 @@
 class JsonDiffJsonPatchValidator implements JsonPatchValidator {
 
 	public function validate( array $patch, string $source ): ?ValidationError {
+		// TODO: remove foreach checks when upstream PR merged
+		// https://github.com/swaggest/json-diff/pull/60
+		foreach ( $patch as $operation ) {
+			if ( !is_array( $operation ) ) {
+				return new ValidationError( '', $source );
+			}
+			if ( array_key_exists( 'op', $operation ) && !is_string( $operation['op'] ) ) {
+				return new PatchInvalidFieldTypeValidationError(
+					'op',
+					$source,
+					[ 'operation' => $operation ]
+				);
+			}
+			if ( array_key_exists( 'path', $operation ) && !is_string( $operation['path'] ) ) {
+				return new PatchInvalidFieldTypeValidationError(
+					'path',
+					$source,
+					[ 'operation' => $operation ]
+				);
+			}
+			if ( array_key_exists( 'from', $operation ) && !is_string( $operation['from'] ) ) {
+				return new PatchInvalidFieldTypeValidationError(
+					'from',
+					$source,
+					[ 'operation' => $operation ]
+				);
+			}
+		}
+
 		try {
 			JsonPatch::import( $patch );
 		} catch ( MissingFieldException $e ) {
diff --git a/repo/rest-api/src/Presentation/ErrorResponseToHttpStatus.php b/repo/rest-api/src/Presentation/ErrorResponseToHttpStatus.php
@@ -22,6 +22,7 @@ class ErrorResponseToHttpStatus {
 		ErrorResponse::INVALID_OPERATION_CHANGED_PROPERTY => 400,
 		ErrorResponse::INVALID_PATCH => 400,
 		ErrorResponse::INVALID_PATCH_OPERATION => 400,
+		ErrorResponse::INVALID_PATCH_FIELD_TYPE => 400,
 		ErrorResponse::MISSING_JSON_PATCH_FIELD => 400,
 		ErrorResponse::PERMISSION_DENIED => 403,
 		ErrorResponse::ITEM_NOT_FOUND => 404,
diff --git a/repo/rest-api/src/UseCases/ErrorResponse.php b/repo/rest-api/src/UseCases/ErrorResponse.php
@@ -20,6 +20,7 @@ class ErrorResponse {
 	public const PATCH_TEST_FAILED = 'patch-test-failed';
 	public const INVALID_PATCH = 'invalid-patch';
 	public const INVALID_PATCH_OPERATION = 'invalid-patch-operation';
+	public const INVALID_PATCH_FIELD_TYPE = 'invalid-patch-field-type';
 	public const MISSING_JSON_PATCH_FIELD = 'missing-json-patch-field';
 	public const ITEM_NOT_FOUND = 'item-not-found';
 	public const ITEM_REDIRECTED = 'redirected-item';
diff --git a/repo/rest-api/src/UseCases/PatchItemStatement/PatchItemStatementErrorResponse.php b/repo/rest-api/src/UseCases/PatchItemStatement/PatchItemStatementErrorResponse.php
@@ -4,6 +4,7 @@
 
 use LogicException;
 use Wikibase\Repo\RestApi\UseCases\ErrorResponse;
+use Wikibase\Repo\RestApi\Validation\PatchInvalidFieldTypeValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchInvalidOpValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchMissingFieldValidationError;
 use Wikibase\Repo\RestApi\Validation\ValidationError;
@@ -37,6 +38,13 @@ public static function newFromValidationError( ValidationError $validationError
 							"Incorrect JSON patch operation: '$op'",
 							$validationError->getContext()
 						);
+					case $validationError instanceof PatchInvalidFieldTypeValidationError:
+						$field = $validationError->getValue();
+						return new self(
+							ErrorResponse::INVALID_PATCH_FIELD_TYPE,
+							"The value of '$field' must be of type string",
+							$validationError->getContext()
+						);
 					case $validationError instanceof PatchMissingFieldValidationError:
 						$field = $validationError->getValue();
 						return new self(
diff --git a/repo/rest-api/src/Validation/PatchInvalidFieldTypeValidationError.php b/repo/rest-api/src/Validation/PatchInvalidFieldTypeValidationError.php
@@ -0,0 +1,10 @@
+<?php declare( strict_types=1 );
+
+namespace Wikibase\Repo\RestApi\Validation;
+
+/**
+ * @license GPL-2.0-or-later
+ */
+class PatchInvalidFieldTypeValidationError extends ValidationError {
+
+}
diff --git a/repo/rest-api/tests/mocha/api-testing/PatchItemStatementTest.js b/repo/rest-api/tests/mocha/api-testing/PatchItemStatementTest.js
@@ -244,6 +244,33 @@ describe( 'PATCH statement tests', () => {
 					assert.include( response.body.message, "'foobar'" );
 				} );
 
+				it( "invalid patch - 'op' is not a string", async () => {
+					const invalidOperation = { op: { foo: [ 'bar' ], baz: 42 }, path: '/a/b/c', value: 'test' };
+					const response = await newPatchRequestBuilder( testStatementId, [ invalidOperation ] )
+						.assertInvalidRequest().makeRequest();
+
+					assertValid400Response( response, 'invalid-patch-field-type', { operation: invalidOperation } );
+					assert.include( response.body.message, "'op'" );
+				} );
+
+				it( "invalid patch - 'path' is not a string", async () => {
+					const invalidOperation = { op: 'add', path: { foo: [ 'bar' ], baz: 42 }, value: 'test' };
+					const response = await newPatchRequestBuilder( testStatementId, [ invalidOperation ] )
+						.assertInvalidRequest().makeRequest();
+
+					assertValid400Response( response, 'invalid-patch-field-type', { operation: invalidOperation } );
+					assert.include( response.body.message, "'path'" );
+				} );
+
+				it( "invalid patch - 'from' is not a string", async () => {
+					const invalidOperation = { op: 'move', from: { foo: [ 'bar' ], baz: 42 }, path: '/a/b/c' };
+					const response = await newPatchRequestBuilder( testStatementId, [ invalidOperation ] )
+						.makeRequest();
+
+					assertValid400Response( response, 'invalid-patch-field-type', { operation: invalidOperation } );
+					assert.include( response.body.message, "'from'" );
+				} );
+
 				it( 'invalid edit tag', async () => {
 					const invalidEditTag = 'invalid tag';
 					const response = await newPatchRequestBuilder( testStatementId, [] )
diff --git a/repo/rest-api/tests/phpunit/Infrastructure/JsonDiffJsonPatchValidatorTest.php b/repo/rest-api/tests/phpunit/Infrastructure/JsonDiffJsonPatchValidatorTest.php
@@ -6,6 +6,7 @@
 use PHPUnit\Framework\TestCase;
 use Swaggest\JsonDiff\JsonDiff;
 use Wikibase\Repo\RestApi\Infrastructure\JsonDiffJsonPatchValidator;
+use Wikibase\Repo\RestApi\Validation\PatchInvalidFieldTypeValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchInvalidOpValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchMissingFieldValidationError;
 
@@ -87,6 +88,38 @@ public function provideInvalidJsonPatch(): Generator {
 			'invalid',
 			[ 'operation' => $invalidOperationObject ]
 		];
+
+		$invalidOperationObject = [ 'op' => true, 'path' => '/a/b/c', 'value' => 'foo' ];
+		yield 'invalid field type - "op" is a boolean not a string' => [
+			PatchInvalidFieldTypeValidationError::class,
+			[ $invalidOperationObject ],
+			'op',
+			[ 'operation' => $invalidOperationObject ]
+		];
+
+		$invalidOperationObject = [ 'op' => [ 'foo' => [ 'bar' ], 'baz' => 42 ], 'path' => '/a/b/c', 'value' => 'foo' ];
+		yield 'invalid field type - "op" is an object not a string' => [
+			PatchInvalidFieldTypeValidationError::class,
+			[ $invalidOperationObject ],
+			'op',
+			[ 'operation' => $invalidOperationObject ]
+		];
+
+		$invalidOperationObject = [ 'op' => 'add', 'path' => [ 'foo', 'bar', 'baz' ], 'value' => 'foo' ];
+		yield 'invalid field type - "path" is not a string' => [
+			PatchInvalidFieldTypeValidationError::class,
+			[ $invalidOperationObject ],
+			'path',
+			[ 'operation' => $invalidOperationObject ]
+		];
+
+		$invalidOperationObject = [ 'op' => 'move', 'from' => 42, 'path' => '/a/b/c' ];
+		yield 'invalid field type - "from" is not a string' => [
+			PatchInvalidFieldTypeValidationError::class,
+			[ $invalidOperationObject ],
+			'from',
+			[ 'operation' => $invalidOperationObject ]
+		];
 	}
 
 	public function testValidJsonPatch(): void {
diff --git a/repo/rest-api/tests/phpunit/UseCases/PatchItemStatement/PatchItemStatementErrorResponseTest.php b/repo/rest-api/tests/phpunit/UseCases/PatchItemStatement/PatchItemStatementErrorResponseTest.php
@@ -6,6 +6,7 @@
 use Wikibase\Repo\RestApi\UseCases\ErrorResponse;
 use Wikibase\Repo\RestApi\UseCases\PatchItemStatement\PatchItemStatementErrorResponse;
 use Wikibase\Repo\RestApi\UseCases\PatchItemStatement\PatchItemStatementValidator;
+use Wikibase\Repo\RestApi\Validation\PatchInvalidFieldTypeValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchInvalidOpValidationError;
 use Wikibase\Repo\RestApi\Validation\PatchMissingFieldValidationError;
 use Wikibase\Repo\RestApi\Validation\ValidationError;
@@ -70,6 +71,14 @@ public function provideValidationError(): \Generator {
 			$context
 		];
 
+		$context = [ 'operation' => [ 'op' => [ 'not', [ 'a' => 'string' ] ], 'path' => '/a/b/c', 'value' => 'test' ] ];
+		yield 'from invalid patch field type' => [
+			new PatchInvalidFieldTypeValidationError( 'op', PatchItemStatementValidator::SOURCE_PATCH, $context ),
+			ErrorResponse::INVALID_PATCH_FIELD_TYPE,
+			"The value of 'op' must be of type string",
+			$context
+		];
+
 		yield 'from comment too long' => [
 			new ValidationError( '500', PatchItemStatementValidator::SOURCE_COMMENT ),
 			ErrorResponse::COMMENT_TOO_LONG,
