Invalid regex pattern fails silently on openapi3filter ValidateResponse/ValidateRequest then panics

[efimovalex]

I have the following field

fieldWithPattern:
              type: string
              description: field with regex pattern
              pattern: ^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,6}$

and I get the following panic when validating it against an empty string

runtime error: invalid memory address or nil pointer dereference
goroutine 148 [running]:
net/http.(*conn).serve.func1()
	/usr/local/go/src/net/http/server.go:1903 +0xbe
panic({0x34b4ca0?, 0x62f2990?})
	/usr/local/go/src/runtime/panic.go:770 +0x132
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSONString(0xc000a55c80, 0xc001283cb0, {0x0, 0x0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1741 +0x733
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc000a55c80, 0xc001283cb0, {0x3293ee0, 0xc001c4a540})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1200 +0x3bc
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSONObject(0xc000a55680, 0xc001283cb0, 0xc001283ef0)
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1995 +0xd56
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc000a55680, 0xc001283cb0, {0x345a520, 0xc001283ef0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1204 +0x5e6
github.com/getkin/kin-openapi/openapi3.(*Schema).visitXOFOperations(0xc000a55380, 0xc001283cb0, {0x345a520, 0xc001283ef0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1434 +0x5ec
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc000a55380, 0xc001283cb0, {0x345a520, 0xc001283ef0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1166 +0x193
github.com/getkin/kin-openapi/openapi3.(*Schema).visitXOFOperations(0xc000a54d80, 0xc001283cb0, {0x345a520, 0xc001283ef0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1434 +0x5ec
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc000a54d80, 0xc001283cb0, {0x345a520, 0xc001283ef0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1166 +0x193
github.com/getkin/kin-openapi/openapi3.(*Schema).visitXOFOperations(0xc0012df680, 0xc001283cb0, {0x345a520, 0xc001283e00})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1354 +0xb96
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc0012df680, 0xc001283cb0, {0x345a520, 0xc001283e00})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1166 +0x193
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSONObject(0xc0012df080, 0xc001283cb0, 0xc001283d70)
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1995 +0xd56
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc0012df080, 0xc001283cb0, {0x345a520, 0xc001283d70})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1204 +0x5e6
github.com/getkin/kin-openapi/openapi3.(*Schema).visitXOFOperations(0xc0015c8300, 0xc001283cb0, {0x345a520, 0xc001283d70})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1434 +0x5ec
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc0015c8300, 0xc001283cb0, {0x345a520, 0xc001283d70})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1166 +0x193
github.com/getkin/kin-openapi/openapi3.(*Schema).visitXOFOperations(0xc000e31500, 0xc001283cb0, {0x345a520, 0xc001283bc0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1354 +0xb96
github.com/getkin/kin-openapi/openapi3.(*Schema).visitJSON(0xc000e31500, 0xc001283cb0, {0x345a520, 0xc001283bc0})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1166 +0x193
github.com/getkin/kin-openapi/openapi3.(*Schema).VisitJSON(0xc000e31500, {0x345a520, 0xc001283bc0}, {0xc001d99428, 0x4, 0xc000ef7f50?})
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3/schema.go:1133 +0x7e
github.com/getkin/kin-openapi/openapi3filter.ValidateRequestBody({0x406e878?, 0xc001283770?}, 0xc001283b30, 0xc000ef71a0)
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3filter/validate_request.go:324 +0x965
github.com/getkin/kin-openapi/openapi3filter.ValidateRequest({0x406e878, 0xc001283770}, 0xc001283b30)
	/tmp/github.com/getkin/kin-openapi@v0.128.0/openapi3filter/validate_request.go:93 +0x5fb

Following this I have defined my own RegexCompiler to try and log the errors and got the following error: error parsing regexp: invalid or unsupported Perl syntax: '(?!'

The main issue is here https://github.com/getkin/kin-openapi/blob/v0.128.0/openapi3/schema.go#L1736-L1741 as we do not return an error in the case of multiple error option being true, and then we just try to validate with a nil value for the RegexMatcher.

Another issue identified was that the ValidateResponse does not take the custom regexCompiler setting: https://github.com/getkin/kin-openapi/blob/v0.128.0/openapi3filter/validate_response.go#L66-L77, so I cannot implement a workaround for this.

[RulerOfTheQueendom]

Hi there,

Just wanted to pop in and say that this panic is likely due to handling of Lookaheads - namely, golang's native regexp library does not support them. See: https://stackoverflow.com/questions/26771592/negative-look-ahead-in-go-regular-expressions

This type of error should probably be handled/reported more elegantly by this project, but strictly speaking the error itself originates from the fact that your regex is simply not valid in golang. In short: this is a problem on your end, and all we should do on this project's side is surface it more clearly.

[jacobbednarz]

👋 ran into this one and I'm not sure it's something on the end user side given OAS itself relies on EMCA 262. Despite kin-openapi being written in Go and subsequently uses re2 from the stdlib, it doesn't meet the requirements of the underlying specification of OAS 3.0.