-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAS character encoding and operation "path" segment encoding #2119
Comments
This was referenced Jan 26, 2020
I'm going to roll this up under the broader issue #3256 (Formally define 3.x URL Templating behavior). I've linked to here from there, so I'm closing this issue as we only need one open issue for tracking. |
smurfix
pushed a commit
to smurfix/openapi3
that referenced
this issue
Nov 20, 2024
In 0cd4f22, a change was made to validate that path parameters are actually in the path. Unfortunately, the regex to find the path parameters was too restrictive and only looked for alphanumeric parameter names. The OpenAPI3 spec is ambiguous as to what characters are allowed in a path parameter name, as OAI/OpenAPI-Specification#2119 describes in detail. Until that question is unanswered, this commit takes a conservative approach by extending the regex to match the "unreserved" characters of RFC 3986.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There seems to be some ambiguity about character encoding in the OAS 3.0.2 specification.
The OAS specifies "YAML version 1.2 is RECOMMENDED" [...]. Therefore, the YAML character encoding is unicode code point. A YAML processor must support the UTF-16 and UTF-8 character encodings, as specified at https://yaml.org/spec/current.html#id2513364
Additionally, the OAS specifies "Keys used in YAML maps MUST be limited to a scalar string, as defined by the YAML Failsafe schema ruleset".
I don't see any other restriction about the allowed set of characters in the operation "path" segment. So IMO, the set of characters should be as specified in https://tools.ietf.org/html/rfc3986 Section 3.3:
This means the following is a valid path, per RFC 3986:
It's not very clear what the character encoding should be. One way to interpret the spec is that the path segment is written as UTF-8 characters in the OAS spec; the OAS tool converts the characters to percent encoding, and for example the client performs URL encoding of the "path" segment when it serializes the HTTP request.
With this interpretation, the OAS could have the following path, and that path would be percent-encoded by the OAS tool.
Alternatively, it could be required that the path segment must be written as URL-encoded characters in the OAS spec. At least one tool I know of makes this assumption, though it's not clear if characters encoding was even considered during the implementation. In that interpretation, the path should be written in the OAS spec as follows:
Another possibility is authors can choose whether to escape paths or not, tools are responsible for applying proper escaping. Either way, it would be good to clarify and provide one or two examples.
There is also the potential issue of JSON and YAML character escaping and OAS path templating on top of the URL encoding.
The text was updated successfully, but these errors were encountered: