Validate parameter keys. Only allow parameters that are defined in th…

…e api method definition if the validate_keys option is set to true for the config. If unknown params are passed in an UnknownParam exception will be raised.

README.rst

@@ -506,6 +506,9 @@ validate_value
 validate_presence
   Check the params presence against the documentation.
 
+validate_keys
+  Check the sent in params to ensure they are defined in the api. (false by default)
+
 process_params
   Process and extract parameter defined from the params of the request
   to the api_params variable

lib/apipie/configuration.rb

@@ -4,7 +4,7 @@ class Configuration
     attr_accessor :app_name, :app_info, :copyright, :markup, :disqus_shortname,
       :api_base_url, :doc_base_url, :required_by_default, :layout,
       :default_version, :debug, :version_in_url, :namespaced_resources,
-      :validate, :validate_value, :validate_presence, :authenticate, :doc_path,
+      :validate, :validate_value, :validate_presence, :validate_key, :authenticate, :doc_path,
       :show_all_examples, :process_params, :update_checksum, :checksum_path,
       :link_extension, :record, :languages, :translate, :locale, :default_locale
 
@@ -42,6 +42,11 @@ def validate_presence
     end
     alias_method :validate_presence?, :validate_presence
 
+    def validate_key
+      return (validate? && @validate_key)
+    end
+    alias_method :validate_key?, :validate_key
+
     def process_value?
       @process_params
     end
@@ -127,6 +132,7 @@ def initialize
       @validate = true
       @validate_value = true
       @validate_presence = true
+      @validate_key = false
       @required_by_default = false
       @api_base_url = HashWithIndifferentAccess.new
       @doc_base_url = "/apipie"

lib/apipie/dsl_definition.rb

@@ -212,6 +212,15 @@ def _apipie_define_validators(description)
               end
             end
 
+            # Only allow params passed in that are defined keys in the api
+            # Auto skip the default params (format, controller, action)
+            if Apipie.configuration.validate_key?
+              params.reject{|k,_| [:format, :controller, :action].include?(k.to_sym) }.each_key do |param|
+                # params allowed
+                raise UnknownParam.new(param) unless description.params.select {|_,p| p.name == param.to_sym}.size > 0
+              end
+            end
+
             if Apipie.configuration.process_value?
               @api_params = {}
 

lib/apipie/errors.rb

@@ -21,6 +21,12 @@ def to_s
     end
   end
 
+  class UnknownParam < DefinedParamError
+    def to_s
+      "Unknown parameter #{@param}"
+    end
+  end
+
   class ParamInvalid < DefinedParamError
     attr_accessor :value, :error
 

spec/controllers/users_controller_spec.rb

@@ -94,9 +94,25 @@ def compare_hashes(h1, h2)
         lambda { get :show, :id => 5, :session => "secret_hash" }.should_not raise_error
         lambda { get :show, :id => "ten", :session => "secret_hash" }.should_not raise_error
       end
-
     end
 
+    context "key validations are enabled" do
+       before do
+         Apipie.configuration.validate = true
+         Apipie.configuration.validate_value = false
+         Apipie.configuration.validate_presence = true
+         Apipie.configuration.validate_key = true
+       end
+
+       it "should reply to valid request" do
+         lambda { get :show, :id => 5, :session => "secret_hash" }.should_not raise_error
+         assert_response :success
+       end
+
+       it "should fail if extra parameter is passed in" do
+         lambda { get :show, :id => 5, :session => "secret_hash", :badparam => 'badfoo' }.should raise_error(Apipie::UnknownParam, /\bbadparam\b/)
+       end
+     end
 
     context "validations are enabled" do
       before do