Audit request fails when using yaml anchors

[quezak]

Issue

In my components/schemas I'm sometimes using a YAML &anchor and its merge operator (<<: *anchor), notably in object property definitions, to avoid repetitions when one object type extends another. If such anchors are used, requesting the security audit fails:

1.If the anchor is used in a $referenced separate file, as pasted below, the error says:
2. If I merge the files below instead of $referencing the other file, the error says:

The SwaggerUI preview rendering in the extension works fine, so does using the openapi-generator on such a spec.

If I delete the anchor, and just copy the first object's properties into the second object's properties, the extension works correctly.

Minimal example

1. test-api.yml

openapi: '3.0.3'

info:
  version: 0.0.1
  title: Test

paths:
  /foo:
    $ref: './paths-foo.yml#/paths/~1foo'

security:
  - ApiKeyAuth: []

components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: Api-Key

2. paths-foo.yml

openapi: '3.0.3'

info:
  version: 0.0.1
  title: test paths -- see main file test-api.yml

paths:
  /foo:
    post:
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NewTestObj'
      responses:
        '201':
          description: A created test object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TestObj'

components:
  schemas:
    NewTestObj:
      type: object
      properties: &NewTestObjProperties
        name:
          type: string
        size:
          type: number
      required:
        - name
    
    TestObj:
      type: object
      properties:
        <<: *NewTestObjProperties
        id:
          type: string
          format: uuid
      required:
        - id
        - name

[quezak]

SwaggerUI renders correctly even when using the anchor:

[ak1394]

Thanks for the detailed example, will take a look!

[ak1394]

This is fixed in the next release (should be published in a couple of days).

I would personally advice against using YAML anchors as it adds additional level of complexity to OpenAPI.

Using http://json-schema.org/understanding-json-schema/reference/combining.html (and taking https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.3.md#schema-object into consideration) is better, as it would not hide the source of schema definitions from the tools which validate JSON schemas and are not aware of YAML anchors.

[quezak]

@ak1394 thanks for the fix!

I would personally advice against using YAML anchors as it adds additional level of complexity to OpenAPI.

Yeah I know, so I'm using the anchors only in really obvious case where they don't impact schema readability and validation, like the one I posted.

Unfortunately if I understand correctly the JSON-schema combinators don't work in this case, because (1) they're poorly supported in generators (or not at all in my case (typescript)), (2) they work a bit different -- even the docs say that allOf can not be used to “extend” a schema to add more detail, and they have some proposals that do this for next versions.