springspring-bootopenapiswagger-2.0springdoc-openapi-ui

The API handles a faulty request without raising an error eventhough annotated with ApiModelProperty with dataType


I am getting the following error - "The generated value is of the type integer instead of the type ‘string’" with 42crunch conformance scan with the following problem reported - "The API handles a faulty request without raising an error"

In the test scan, it is trying to pass the following request body -

{"type":1,"visitId":"xxxx","visitorId":"Ag5w\u0010l\u0014"}

So in above request, type is passed as integer but API is declared with type with "String" property.

  @ApiModelProperty(dataType = "java.lang.String", value = "Type", example = "Data")  
  @Pattern(regexp = "^.*$")
  @Size(min = 1, max = 50)
  private String type;

I have the above annotation for the input request class. So eventhough type property is declared with ApiModelProperty annotation with dataType accepting only "java.lang.String", why is it throwing error?

I also have the @Valid annotation for the controller endpoint method which is accepting the request body.

 public ResponseEnvelope recommendedProducts(   
          @Valid @RequestBody RecommendedProductRequest productRequest,
      HttpServletResponse httpServletResponse) {

Please let know how to resolve this. Thanks!


Solution

  • Conformance Scan by 42Crunch does automatic contract conformance testing. In other words, it checks if your API conforms to the constraints of its OpenAPI contract.

    In your example, the data parameter is defined to accept String type only. So to verify your API implementation, Conformance Scan sends a request using a type other than String (similar to what a hacker might do to probe your API for vulnerabilities).

    If well implemented, your API should return an appropriate error for a request that does not match the constraints.

    Based on the snippet you shared: "The API handles a faulty request without raising an error", it suggests your API did not reject an invalid request (it should).

    The recommended solution would be to ensure your API rejects invalid requests that do not match the parameter constraints.