authorjenkins-bot <jenkins-bot@gerrit.wikimedia.org>2023-08-25 09:11:33 +0000
committerGerrit Code Review <gerrit@wikimedia.org>2023-08-25 09:11:33 +0000
commit80d62c5ea865c12d85feb87a3564b55aec6e3168 (patch)
tree0b540264a4fbc339e7ffb59bf8b5aeeb71a0b71a /includes
parent9e124393f01e0fbef1ac9e0b40674365ad932b94 (diff)
parent6d75779017f2cd2b879b7241d7680c84bfaff6b8 (diff)
Merge "Rest: ensure there are no extraneous params in JSON bodies"
Diffstat (limited to 'includes')
-rw-r--r--includes/Rest/Validator/JsonBodyValidator.php13
-rw-r--r--includes/Rest/i18n/en.json1
-rw-r--r--includes/Rest/i18n/qqq.json1
3 files changed, 15 insertions, 0 deletions
diff --git a/includes/Rest/Validator/JsonBodyValidator.php b/includes/Rest/Validator/JsonBodyValidator.php
index bcbaa4980f29..299d27522158 100644
--- a/includes/Rest/Validator/JsonBodyValidator.php
+++ b/includes/Rest/Validator/JsonBodyValidator.php
@@ -5,6 +5,8 @@ namespace MediaWiki\Rest\Validator;
use FormatJson;
use MediaWiki\Rest\LocalizedHttpException;
use MediaWiki\Rest\RequestInterface;
+use Wikimedia\Message\ListParam;
+use Wikimedia\Message\ListType;
use Wikimedia\Message\MessageValue;
use Wikimedia\ParamValidator\ParamValidator;
@@ -42,6 +44,7 @@ class JsonBodyValidator implements BodyValidator {
throw new LocalizedHttpException( new MessageValue( 'rest-bad-json-body' ), 400 );
}
+ $uncheckedBodyKeys = array_fill_keys( array_keys( $data ), true );
foreach ( $this->bodyParamSettings as $name => $settings ) {
if ( !empty( $settings[ParamValidator::PARAM_REQUIRED] ) && !isset( $data[$name] ) ) {
throw new LocalizedHttpException(
@@ -53,8 +56,18 @@ class JsonBodyValidator implements BodyValidator {
$data[$name] = $settings[ParamValidator::PARAM_DEFAULT] ?? null;
}
+ unset( $uncheckedBodyKeys[$name] );
// TODO: use a ParamValidator to check field value, etc!
}
+ if ( $uncheckedBodyKeys ) {
+ throw new LocalizedHttpException(
+ new MessageValue(
+ 'rest-extraneous-body-fields',
+ [ new ListParam( ListType::COMMA, array_keys( $uncheckedBodyKeys ) ) ]
+ ),
+ 400
+ );
+ }
return $data;
}
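Review bot: The 400 response built in the new `throw` block copies every unrecognized top-level key of the client's JSON into the message through `ListParam` with no bound on the number or length of those names, so an oversized body produces an equally oversized error text whose content is entirely client-controlled. Consider capping the list (for example the first few names plus a count of the rest) and confirming that the message renderer escapes the values for the response context, which is not visible from this hunk. The rejection also changes behavior for any handler that declared nothing in `bodyParamSettings` yet still read keys from the returned `$data`; presumably intended, but it deserves a line in the method's docblock (outside the hunk) such as `Unknown top-level fields are rejected with a 400 (rest-extraneous-body-fields).` The enclosing method begins outside this hunk, and the key set it checks against is captured at the `array_fill_keys` line in the previous hunk.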
diff --git a/includes/Rest/i18n/en.json b/includes/Rest/i18n/en.json
index c88a600fa834..654c8ac50bb8 100644
--- a/includes/Rest/i18n/en.json
+++ b/includes/Rest/i18n/en.json
@@ -38,6 +38,7 @@
"rest-bad-json-body": "Bad request body, must be a JSON object.",
"rest-json-body-parse-error": "Parsing request body as JSON failed: $1",
"rest-missing-body-field": "Mandatory field \"$1\" missing from request body.",
+ "rest-extraneous-body-fields": "Extraneous fields found in request body: $1",
"rest-bad-content-model": "Bad content model: $1",
"rest-update-cannot-create-page": "The page \"$1\" cannot be created since it already exists. To update the existing page, provide the base revision ID in the structure under \"latest\" key in the request body.",
"rest-extraneous-csrf-token": "Extraneous CSRF token found. CSRF tokens must not be used when using authentication mechanisms such as OAuth that are safe against CSRF attacks.",
diff --git a/includes/Rest/i18n/qqq.json b/includes/Rest/i18n/qqq.json
index 60d797427e7a..74d4fc326227 100644
--- a/includes/Rest/i18n/qqq.json
+++ b/includes/Rest/i18n/qqq.json
@@ -42,6 +42,7 @@
"rest-bad-json-body": "Error message for REST API debugging, shown when request body did not contain a JSON encoded object.",
"rest-json-body-parse-error": "Error message for REST API debugging, shown when parsing the JSON body failed. Parameters:\n* $1: the error message from the JSON parser.",
"rest-missing-body-field": "Error message for REST API debugging, shown when there is a mandatory field missing from the request body. Parameters:\n* $1: The field name",
+ "rest-extraneous-body-fields": "Error message for REST API debugging, shown when there are extraneous fields in the request body. Parameters:\n* $1: A comma-separated list of unrecognized fields",
"rest-bad-content-model": "Error message for REST API debugging, shown when an unknown content model is specified. Parameters:\n* $1: The content model name",
"rest-update-cannot-create-page": "Error message for REST API debugging, shown when creation of a page was requested via a PUT with no base revision ID, but the page already exists. Parameters:\n* $1: The title of the page",
"rest-extraneous-csrf-token": "Error message for REST API debugging, shown when an CSRF token was provided by the client, even though the authentication mechanisms used is safe against CSRF attacks.",