openapi3filter: ensure key matches param name before decoding in `(*u…

…rlValuesDecoder) DecodeObject(..)` (#947) Co-authored-by: Mateus Franchini de Freitas <[email protected]>
getkin · May 11, 2024 · 2ab0c0e · 2ab0c0e
1 parent b9f83d9
commit 2ab0c0e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/openapi3filter/req_resp_decoder.go b/openapi3filter/req_resp_decoder.go
@@ -650,6 +650,10 @@ func (d *urlValuesDecoder) DecodeObject(param string, sm *openapi3.Serialization
 		propsFn = func(params url.Values) (map[string]string, error) {
 			props := make(map[string]string)
 			for key, values := range params {
+				if !regexp.MustCompile(fmt.Sprintf(`^%s\[`, regexp.QuoteMeta(param))).MatchString(key) {
+					continue
+				}
+
 				matches := regexp.MustCompile(`\[(.*?)\]`).FindAllStringSubmatch(key, -1)
 				switch l := len(matches); {
 				case l == 0:

diff --git a/openapi3filter/req_resp_decoder_test.go b/openapi3filter/req_resp_decoder_test.go
@@ -998,6 +998,17 @@ func TestDecodeParameter(t *testing.T) {
 					query: "anotherparam=bar",
 					want:  map[string]interface{}(nil),
 				},
+				{
+					name: "deepObject explode nested object - extraneous deep object param ignored",
+					param: &openapi3.Parameter{
+						Name: "param", In: "query", Style: "deepObject", Explode: explode,
+						Schema: objectOf(
+							"obj", objectOf("nestedObjOne", stringSchema, "nestedObjTwo", stringSchema),
+						),
+					},
+					query: "anotherparam[obj][nestedObjOne]=one&anotherparam[obj][nestedObjTwo]=two",
+					want:  map[string]interface{}(nil),
+				},
 				{
 					name: "deepObject explode nested object - bad array item type",
 					param: &openapi3.Parameter{