ValidateRequestBody does not fail with duplicate keys #322

Open
gczobel-f5 opened this issue Mar 8, 2021 · 3 comments

@gczobel-f5

Hi,
I'm trying to validate this (invalid) json

```json
[{
	"address": "10.0.0.1",
	"address": "10.0.0.2"
}]
```

with this schema

    endpoints:
      type: array
      description: Endpoints
      items:
        type: object
        properties:
          address:
            type:
              string
        required:
          - address

The ValidateRequestBody function fails to identify the request body as invalid. The problems seem to be related to the unmarshalling of the json.
I think it's related to this: golang/go#24415

When the json is decoded, the second address is removed and the "real" input is never validated.

Code to reproduce:

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"net/http"

	"github.com/getkin/kin-openapi/openapi3"
	"github.com/getkin/kin-openapi/openapi3filter"
)

const testSchema = `openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /test:
    post:
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/endpoints'
      responses:
        '200':
          description: Created
          
components:
  schemas:
    endpoints:
      type: array
      description: Endpoints
      items:
        type: object
        properties:
          address:
            type:
              string
        required:
          - address
`

func main() {
	var (
		err error
	)

	// Request body with the "address" key repeated inside one object.
	jsn := []byte("[{\"address\":\"10.0.0.1\", \"address\":\"10.0.0.2\"}]")

	b := bytes.NewReader(jsn)

	// var value interface{}
	// if err := json.NewDecoder(b).Decode(&value); err != nil {
	// 	panic(fmt.Sprintf("error unmarshalling : %s", err))
	// }
	// fmt.Printf("value=%v", value)

	b = bytes.NewReader(jsn)
	swagger, err := openapi3.NewSwaggerLoader().LoadSwaggerFromData([]byte(testSchema))
	if err != nil {
		panic(fmt.Sprintf("error loading schema: %s", err))
	}

	router := openapi3filter.NewRouter().WithSwagger(swagger)
	req, _ := http.NewRequest(http.MethodPost, "/test", b)
	route, pathParams, err := router.FindRoute(req.Method, req.URL)
	if err != nil {
		panic(fmt.Sprintf("error finding route: %s", err))
	}
	req.Header.Set("Content-Type", "application/json")

	reqBody := route.Operation.RequestBody.Value

	requestValidationInput := &openapi3filter.RequestValidationInput{
		Request:    req,
		PathParams: pathParams,
		Route:      route,
	}

	// Expected "NOT valid"; prints "Valid" because the duplicate key is
	// dropped during JSON decoding, before schema validation runs.
	err = openapi3filter.ValidateRequestBody(context.TODO(), requestValidationInput, reqBody)
	if err == nil {
		fmt.Println("Valid")
	} else {
		fmt.Printf("NOT valid. %s\n", err)
	}
}
```

@fenollp
Collaborator

fenollp commented Mar 10, 2021

Indeed it's encoding/json's fault IMO and I am missing where encoding/json.Unmarshal covers decoding multiple map keys. I'm not sure the JSON "initial spec" (at least) covers it.
There are many corners of the JSON format that are unclear (repeated keys, comments, integer precision...) so I would encourage you to open a PR that at least errors out when unmarshalling duplicate keys but realistically (some tools out there surely rely on this behavior somehow) the best option for you is to RegisterBodyDecoder to a stricter jsonBodyDecoder.
Sorry :)
(I'd like you to PR your own jsonBodyDecoder though please)
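
A duplicate-key pre-check of the kind a stricter JSON body decoder would need, as an added example that is not code from the issue or from kin-openapi. It uses only the standard library's token stream; the names `checkDuplicateKeys` and `walkValue` are hypothetical, and trailing data after the top-level value is left for the normal `json.Unmarshal` call to reject.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// checkDuplicateKeys (hypothetical helper) returns an error if any JSON object
// in data repeats a key; json.Unmarshal would silently keep only the last value.
func checkDuplicateKeys(data []byte) error {
	return walkValue(json.NewDecoder(bytes.NewReader(data)), "$")
}

// walkValue consumes exactly one JSON value from dec; path is used in error text.
func walkValue(dec *json.Decoder, path string) error {
	tok, err := dec.Token()
	delim, isDelim := tok.(json.Delim)
	if err != nil || !isDelim {
		return err // syntax error, or a scalar value with nothing to check
	}
	seen := map[string]bool{} // keys of this object only; unused for arrays
	for i := 0; dec.More(); i++ {
		child := fmt.Sprintf("%s[%d]", path, i)
		if delim == '{' {
			keyTok, err := dec.Token()
			if err != nil {
				return err
			}
			key, _ := keyTok.(string) // keys arrive already unescaped
			if seen[key] {
				return fmt.Errorf("duplicate key %q in object at %s", key, path)
			}
			seen[key] = true
			child = path + "." + key
		}
		if err := walkValue(dec, child); err != nil {
			return err
		}
	}
	_, err = dec.Token() // consume the closing '}' or ']'
	return err
}

func main() {
	body := []byte(`[{"address":"10.0.0.1", "address":"10.0.0.2"}]`) // body from the issue
	fmt.Println(checkDuplicateKeys(body))
}
```

A custom body decoder registered through `RegisterBodyDecoder`, as suggested in the comment above, could run this check on the raw body before unmarshalling; that wiring is not shown here because it depends on the kin-openapi version in use.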

@fenollp
Collaborator

fenollp commented Mar 19, 2021

Any progress? This may help: json-iterator/go#319

@fenollp
Collaborator

fenollp commented Jun 23, 2021

cc-ing #372 (comment)
I'd like for this lib to switch to a yaml/json parser that can identify duplicate keys as well as unexpected keys.
