René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Feature]: strict validation of additionalProperties","articleBody":"### Suggested Behavior\n\nI would like to request a new configurable behaviour:\nWhen additionalProperties is false or undefined on an object in the schema, I would like validation to fail (with a descriptive error message) if the object in the request/response contains any property not explicitly defined in the schema.\n\nExample schema:\n```\nopenapi: 3.1.0\ninfo:\n  title: My API\n  version: 1.0.0\nservers:\n  - url: https://api.example.com/v1\npaths:\n  /posts:\n    post:\n      summary: Create a new post\n      requestBody:\n        required: true\n        content:\n          application/json:\n            schema:\n              $ref: '#/components/schemas/Post'\n  /comments:\n    post:\n      summary: Create a new comment\n      requestBody:\n        required: true\n        content:\n          application/json:\n            schema:\n              $ref: '#/components/schemas/Comment'\n  /tags:\n    post:\n      summary: Create a new tag\n      requestBody:\n        required: true\n        content:\n          application/json:\n            schema:\n              $ref: '#/components/schemas/Tag'\ncomponents:\n  schemas:\n    Post:\n      type: object\n      required:\n        - title\n        - body\n      properties:\n        title:\n          type: string\n        body:\n          type: string\n      additionalProperties: true\n    Comment:\n      type: object\n      required:\n        - text\n      properties:\n        text:\n          type: string\n      additionalProperties: false\n    Tag:\n      type: object\n      required:\n        - name\n      properties:\n        name:\n          type: string\n```\n\nExample POST body to `https://api.example.com/v1/tags`:\n```\n{\n    \"name\": \"Tag Name\",\n    \"sneaky_property\": \"this should not be allowed\"\n}\n```\n\nExample ValidationError:\n```\n\"Validation of object {'name': 'Tag Name', 'sneaky_property': 'this should not be allowed'} failed: additional properties are not allowed ('sneaky_property' was unexpected)\"\n```\n\nI have an implementation of this where I'm overrriding `ObjectCaster._cast_proparties` (sic!) and making a check there. This worked fine so far, but injecting this into `oas30_casters_dict` and friends, and then assembling the relevant classes to build a custom `V30RequestValidator` is not trivial. Also, 0.22.0 broke my implementation and so far I couldn't figure out where.\n\nI could provide my implementation, which is not guaranteed to fit the current architecture, and tests currently only exist in proprietary code.\n\n### Why is this needed?\n\nLoose third-party schemas could be made more strict, and by extension more secure, if this validation behaviour could be configured during run time.\n\n### References\n\n_No response_\n\n### Would you like to implement a feature?\n\nNone","author":{"url":"https://github.com/number492","@type":"Person","name":"number492"},"datePublished":"2025-12-23T16:44:29.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/1080/openapi-core/issues/1080"}