From 8b9823f53621a63d0a47626920f6930f35db160c Mon Sep 17 00:00:00 2001
From: Timothy Jacobs
Date: Sat, 16 May 2020 18:41:41 +0000
Subject: [PATCH] REST API: Check required properties are provided when validating an object. Previously, the WP_REST_Request object validated that top-level properties were defined, but this did not extend to those object's required properties. This adds validation to rest_validate_value_from_schema() directly. Both the v3 and v4 JSON Schema syntax for required properties is supported. Props sorenbronsted. Fixes #48818.
git-svn-id: https://develop.svn.wordpress.org/trunk@47809 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 16 +
 .../tests/rest-api/rest-schema-validation.php | 320 +++++++++++++++++-
 2 files changed, 335 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index 58cbcacbfb..6c2e7b693b 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -1284,6 +1284,22 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
 return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not of type %2$s.' ), $param, 'object' ) );
 }
+ if ( isset( $args['required'] ) && is_array( $args['required'] ) ) { // schema version 4
+ foreach ( $args['required'] as $name ) {
+ if ( ! array_key_exists( $name, $value ) ) {
+ /* translators: 1: Property of an object, 2: Parameter. */
+ return new WP_Error( 'rest_property_required', sprintf( __( '%1$s is a required property of %2$s.' ), $name, $param ) );
+ }
+ }
+ } elseif ( isset( $args['properties'] ) ) { // schema version 3
+ foreach ( $args['properties'] as $name => $property ) {
+ if ( isset( $property['required'] ) && true === $property['required'] && ! array_key_exists( $name, $value ) ) {
+ /* translators: 1: Property of an object, 2: Parameter. */
+ return new WP_Error( 'rest_property_required', sprintf( __( '%1$s is a required property of %2$s.' ), $name, $param ) );
+ }
+ }
+ }
+
 foreach ( $value as $property => $v ) {
 if ( isset( $args['properties'][ $property ] ) ) {
 $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' );
diff --git a/tests/phpunit/tests/rest-api/rest-schema-validation.php b/tests/phpunit/tests/rest-api/rest-schema-validation.php
index c50c1603e4..a46b1f0de0 100644
--- a/tests/phpunit/tests/rest-api/rest-schema-validation.php
+++ b/tests/phpunit/tests/rest-api/rest-schema-validation.php
@@ -2,7 +2,7 @@
 /**
 * Unit tests covering schema validation and sanitization functionality.
 *
- * @package WordPress
+ * @package WordPress
 * @subpackage REST API
 */
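Review bot: The `} elseif ( isset( $args['properties'] ) ) {` branch means the per-property `'required' => true` flags are skipped whenever the same object schema also carries an array-form `required`, even an empty one, so a schema that mixes both syntaxes at one level silently under-enforces its required fields. Because the v3 test is `true === $property['required']`, it cannot misfire on a v4 array, so both checks could run independently: close the first block with `}` and open the second with `if ( isset( $args['properties'] ) ) {`. If the precedence is intended, a comment such as `// An array-form 'required' takes precedence; per-property boolean flags at this level are then ignored.` would document it. Both loops call `array_key_exists( $name, $value )` and so depend on `$value` already being an array, which is presumably guaranteed by the type check that ends in the context lines above; the function body starts and ends outside this hunk.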
@@ -409,4 +409,322 @@ class WP_Test_REST_Schema_Validation extends WP_UnitTestCase {
 // three supplementary Unicode code point is to long
 $this->assertWPError( rest_validate_value_from_schema( $mb_char . $mb_char . $mb_char, $schema ) );
 }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_property
+ */
+ public function test_property_is_required( $data, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_prop' => array(
+ 'type' => 'string',
+ ),
+ 'my_required_prop' => array(
+ 'type' => 'string',
+ 'required' => true,
+ ),
+ ),
+ );
+
+ $valid = rest_validate_value_from_schema( $data, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_property
+ */
+ public function test_property_is_required_v4( $data, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_prop' => array(
+ 'type' => 'string',
+ ),
+ 'my_required_prop' => array(
+ 'type' => 'string',
+ ),
+ ),
+ 'required' => array( 'my_required_prop' ),
+ );
+
+ $valid = rest_validate_value_from_schema( $data, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ public function data_required_property() {
+ return array(
+ array(
+ array(
+ 'my_required_prop' => 'test',
+ 'my_prop' => 'test',
+ ),
+ true,
+ ),
+ array( array( 'my_prop' => 'test' ), false ),
+ array( array(), false ),
+ );
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_nested_property
+ */
+ public function test_nested_property_is_required( $data, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_object' => array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_nested_prop' => array(
+ 'type' => 'string',
+ ),
+ 'my_required_nested_prop' => array(
+ 'type' => 'string',
+ 'required' => true,
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $valid =
rest_validate_value_from_schema( $data, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_nested_property
+ */
+ public function test_nested_property_is_required_v4( $data, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_object' => array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'my_nested_prop' => array(
+ 'type' => 'string',
+ ),
+ 'my_required_nested_prop' => array(
+ 'type' => 'string',
+ ),
+ ),
+ 'required' => array( 'my_required_nested_prop' ),
+ ),
+ ),
+ );
+
+ $valid = rest_validate_value_from_schema( $data, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ public function data_required_nested_property() {
+ return array(
+ array(
+ array(
+ 'my_object' => array(
+ 'my_required_nested_prop' => 'test',
+ 'my_nested_prop' => 'test',
+ ),
+ ),
+ true,
+ ),
+ array(
+ array(
+ 'my_object' => array(
+ 'my_nested_prop' => 'test',
+ ),
+ ),
+ false,
+ ),
+ array(
+ array(),
+ true,
+ ),
+ );
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_deeply_nested_property
+ */
+ public function test_deeply_nested_v3_required_property( $value, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'propA' => array(
+ 'type' => 'object',
+ 'required' => true,
+ 'properties' => array(
+ 'propB' => array(
+ 'type' => 'object',
+ 'required' => true,
+ 'properties' => array(
+ 'propC' => array(
+ 'type' => 'string',
+ 'required' => true,
+ ),
+ 'propD' => array(
+ 'type' => 'string',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $valid = rest_validate_value_from_schema( $value, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_deeply_nested_property
+ */
+ public function
test_deeply_nested_v4_required_property( $value, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'required' => array( 'propA' ),
+ 'properties' => array(
+ 'propA' => array(
+ 'type' => 'object',
+ 'required' => array( 'propB' ),
+ 'properties' => array(
+ 'propB' => array(
+ 'type' => 'object',
+ 'required' => array( 'propC' ),
+ 'properties' => array(
+ 'propC' => array(
+ 'type' => 'string',
+ ),
+ 'propD' => array(
+ 'type' => 'string',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $valid = rest_validate_value_from_schema( $value, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ /**
+ * @ticket 48818
+ * @dataProvider data_required_deeply_nested_property
+ */
+ public function test_deeply_nested_mixed_version_required_property( $value, $expected ) {
+ $schema = array(
+ 'type' => 'object',
+ 'required' => array( 'propA' ),
+ 'properties' => array(
+ 'propA' => array(
+ 'type' => 'object',
+ 'required' => array( 'propB' ),
+ 'properties' => array(
+ 'propB' => array(
+ 'type' => 'object',
+ 'properties' => array(
+ 'propC' => array(
+ 'type' => 'string',
+ 'required' => true,
+ ),
+ 'propD' => array(
+ 'type' => 'string',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $valid = rest_validate_value_from_schema( $value, $schema );
+
+ if ( $expected ) {
+ $this->assertTrue( $valid );
+ } else {
+ $this->assertWPError( $valid );
+ }
+ }
+
+ public function data_required_deeply_nested_property() {
+ return array(
+ array(
+ array(),
+ false,
+ ),
+ array(
+ array(
+ 'propA' => array(),
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'propA' => array(
+ 'propB' => array(),
+ ),
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'propA' => array(
+ 'propB' => array(
+ 'propD' => 'd',
+ ),
+ ),
+ ),
+ false,
+ ),
+ array(
+ array(
+ 'propA' => array(
+ 'propB' => array(
+ 'propC' => 'c',
+ ),
+ ),
+ ),
+ true,
+ ),
+ );
+ }
 }
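Review bot: The failing cases in all seven new tests only call `$this->assertWPError( $valid )`, so they would still pass if the value were rejected for an unrelated reason (for example a type error) rather than by the new required-property check. Pinning the code in the `else` branch, `$this->assertSame( 'rest_property_required', $valid->get_error_code() );`, ties each negative case to the behaviour this commit adds. The providers also have no case that puts both `required` syntaxes on the same object level; only `test_deeply_nested_mixed_version_required_property` mixes them, and it does so across levels.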