If a "pattern" contains an invalid RE2 regexp (e.g. contains a lookahead), the validation always passes. The regexp compilation error is ignored.
Pattern example: "^(?!bad).+$".
Input: "badcat".
Result: Validation OK.
I used an LLM to prepare a test that confirms the bug:
```go
import (
	"net/http"
	"testing"

	"github.com/pb33f/libopenapi"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Query parameter whose schema pattern uses a lookahead, which RE2 cannot compile.
func TestNewValidator_QueryParamLookaheadPatternRejected(t *testing.T) {
	spec := `openapi: 3.1.0
info:
  title: Lookahead Repro
  version: 1.0.0
paths:
  /items:
    get:
      parameters:
        - name: code
          in: query
          required: true
          schema:
            type: string
            pattern: '^(?!bad).+$'
      responses:
        "200":
          description: ok
`
	doc, err := libopenapi.NewDocument([]byte(spec))
	require.NoError(t, err)
	v3Model, errs := doc.BuildV3Model()
	require.Empty(t, errs)
	v := NewParameterValidator(&v3Model.Model)

	// "badcat" violates ^(?!bad).+$ and must be rejected.
	req, err := http.NewRequest(http.MethodGet, "https://things.com/items?code=badcat", nil)
	require.NoError(t, err)
	valid, validationErrors := v.ValidateQueryParams(req)
	assert.False(
		t,
		valid,
		"a value that violates a (non-compilable) lookahead pattern must be rejected, not pass validation",
	)
	assert.NotEmpty(t, validationErrors)
}
```
LLM's fix suggestion
The cleanest fix is to make the scalar path fail closed, exactly like the object path already does. The library has both behaviors in the same file — the scalar path is simply the inconsistent one.
Primary fix: surface the compile error
In parameters/validate_parameter.go, ValidateSingleParameterSchema currently swallows it (lines 64-66):
```go
compiled, err := schema_validation.CompileSchemaForValidation(...)
if err != nil {
	return validationErrors // empty slice → reported VALID
}
```
Make it mirror ValidateParameterSchema (lines 166-179 in the same file), which already turns a compile failure into a real error
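The fail-open and fail-closed handling described in this report, side by side, as an added example that is not part of the original issue or the library's code. It assumes Go's standard `regexp` package (RE2 syntax) as a stand-in for the validator's regex engine; `validateFailOpen`, `validateFailClosed`, `uncompilablePatterns` and the `id` pattern are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// validateFailOpen mirrors the reported behaviour: a compile error yields no errors, so the value looks valid.
func validateFailOpen(pattern, value string) []error {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil // compile error swallowed
	}
	if !re.MatchString(value) {
		return []error{fmt.Errorf("%q does not match %q", value, pattern)}
	}
	return nil
}

// validateFailClosed reports a pattern that cannot be compiled as a validation error.
func validateFailClosed(pattern, value string) []error {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return []error{fmt.Errorf("pattern %q is not valid RE2: %w", pattern, err)}
	}
	if !re.MatchString(value) {
		return []error{fmt.Errorf("%q does not match %q", value, pattern)}
	}
	return nil
}

// uncompilablePatterns is a load-time check: names of parameters whose pattern cannot be enforced.
func uncompilablePatterns(patterns map[string]string) []string {
	var bad []string
	for name, p := range patterns {
		if _, err := regexp.Compile(p); err != nil {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	p := `^(?!bad).+$` // pattern from the report; "badcat" is its input
	fmt.Println(len(validateFailOpen(p, "badcat")), len(validateFailClosed(p, "badcat")))
	fmt.Println(uncompilablePatterns(map[string]string{"code": p, "id": `^[0-9]+$`}))
}
```

Running the load-time check when a spec is loaded flags lookahead patterns before any request depends on them.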